An open source app running on my macOS 10.13.6 and 10.14.6 systems is failing to access a website via https that uses a Let's Encrypt certificate. If I use curl to access the same site, it also gets an error about the certificate being expired.
Here's the output of curl -vv with the hostname and IP address redacted:
* Rebuilt URL to: https://hostname/
* Trying x.x.x.x...
* TCP_NODELAY set
* Connected to hostname (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default...
(rest of text not relevant and removed)
I've confirmed that the ISRG Root X1 certificate is installed in Keychain Access and is trusted.
Further, I can access the site using Safari or any other web browser. However, the app in question still fails, as does curl.
What do I need to do to fix this? I can't just use insecure mode on curl as the issue I'm trying to fix is the app that can't access the site. I'm not sure what library the app is using for https -- it may be libcurl, but I suspect it's failing for the same reason curl is.
Small addendum: the open source app is using OpenSSL 1.1.1j.
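
The curl trace above reports its verify location as the file /etc/ssl/cert.pem, which is a different store from the Keychain where ISRG Root X1 was confirmed. The following is an added diagnostic, not part of the original post: it lists expired CA entries in that bundle and reports whether an unexpired ISRG Root X1 is in it. It assumes Python 3 is installed; the function names are hypothetical.

```python
import ssl
import sys
import time

BUNDLE = "/etc/ssl/cert.pem"   # CAfile path printed in the curl trace
WANTED_CN = "ISRG Root X1"     # root the post confirmed in Keychain Access


def common_name(name):
    """Pull commonName out of the nested tuples ssl uses for X.509 names."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "(no CN)"


def audit(certs, now=None, wanted=WANTED_CN):
    """Return (expired entries, whether an unexpired `wanted` root is present).

    `certs` is a list of dicts in the shape SSLContext.get_ca_certs() returns.
    """
    now = time.time() if now is None else now
    expired, present = [], False
    for cert in certs:
        cn = common_name(cert.get("subject", ()))
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append((cn, cert["notAfter"]))
        elif cn == wanted:
            present = True     # only an unexpired copy counts
    return sorted(expired), present


def load_bundle(path):
    """Parse the CA certificates in a PEM bundle; no network access needed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else BUNDLE
    expired, present = audit(load_bundle(path))
    for cn, not_after in expired:
        print("EXPIRED  %s  (notAfter %s)" % (cn, not_after))
    print("%s in %s: %s" % (WANTED_CN, path, "yes" if present else "MISSING"))
```

Pass a different path as the first argument to inspect the CA bundle the app's OpenSSL 1.1.1j build loads, if it is not the same file.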