3

Safari and Chrome report invalid certificates on certain HTTPS sites (for example GitHub and Bitbucket). Firefox strangely shows a green valid certificate.

I've created a new OS X user and everything is perfectly valid there. I though that maybe there was some invalid certificate in my login keychain. However, even after removing all certs from that keychain, it still reports as invalid.

The Entrust cert that only shows on my account is present in my login keychain. I removed it, which makes the DigiCert High Assurance EV Root CA the new top certificate in the list, but it is not the same cert as on the working account...

The problem also occurs when using curl or for example pushing with git.

Is there something I'm overlooking?

UPDATE
Everything works after copying the DigiCert High Assurance EV Root CA from the System Roots to the login keychain. But why is this necessary on my user account?

Certificate chain in Safari on my user account Certificate chain in Safari on my user account

Certificate chain in Safari on a new OS X account Certificate chain in Safari on a new OS X account

Rengers
  • 133

3 Answers3

5

It seems that somehow Chrome and Safari for that account are using an expired root certificate, even though a new one is already present in your System Roots.

However, by default Keychain Access does not show expired certificates: enable that using menu View, Show Expired Certificates, and then search for the name of the expired certificate, like "digicert high". Then delete any expired one. As all is fine in a new user account, the culprit must be in your Login Keychain.

(This doesn't explain why Firefox uses the correct one; I would expect all browsers to simply delegate the full validation to OS X, but apparently not.)

Arjan
  • 31,511
2

I had the same problem with my macbook pro and sourcetree app. I followed the instruction provided in the digicert blog (link provided below) to solve this issue.

https://blog.digicert.com/expired-intermediate-certificate/

Jay
  • 21
0

I'm not 100% sure about the solution.

But same thing happened to me when I set a back date on my PC. Suppose this is 2014. If you set 2013 or 2012 as your year, this problem may happen.

And in this situation, it's really tough to sign in Gmail, Facebook or Yahoo!

Check your date settings.

Thanks.

Marks PC Solution
  • 112