HTTPS certificates invalid on Safari, Chrome on specific user account


Solution 1

It seems that somehow Chrome and Safari for that account are using an expired root certificate, even though a new one is already present in your System Roots.

However, by default Keychain Access does not show expired certificates: enable that using menu View, Show Expired Certificates, and then search for the name of the expired certificate, like "digicert high". Then delete any expired one. As all is fine in a new user account, the culprit must be in your Login Keychain.

(This doesn't explain why Firefox uses the correct one; I would expect all browsers to simply delegate the full validation to OS X, but apparently not.)
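The same check can be done from Terminal. This is an added example, not part of the original answers: it dumps the login keychain with `security find-certificate` and uses `openssl x509 -checkend` to list certificates that have expired, or (a small generalization) that expire within a given number of seconds. The function names and the default keychain path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers).

# split_pem BUNDLE OUTDIR: write each certificate in BUNDLE to
# OUTDIR/cert-N.pem and print how many were found.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# expired_in_bundle BUNDLE [SECONDS]: print subject and notAfter of every
# certificate that has expired, or expires within SECONDS (default 0).
expired_in_bundle() {
    bundle=$1
    within=${2:-0}
    tmp=$(mktemp -d) || return 1
    count=$(split_pem "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        pem="$tmp/cert-$i.pem"
        # -checkend exits non-zero if the certificate is no longer valid
        # SECONDS from now (0 = already expired).
        if ! openssl x509 -in "$pem" -noout -checkend "$within" >/dev/null 2>&1; then
            openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' '
            echo
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# macOS only: dump every certificate in the login keychain, expired ones
# included, and scan the dump. The default path is an assumption; older
# OS X releases name the file login.keychain.
if command -v security >/dev/null 2>&1; then
    keychain=${1:-$HOME/Library/Keychains/login.keychain-db}
    dump=$(mktemp)
    security find-certificate -a -p "$keychain" > "$dump"
    expired_in_bundle "$dump"
    rm -f "$dump"
fi
```

An expired entry reported for the login keychain, for a root that is also present and valid in System Roots, is the situation this answer describes.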

Solution 2

I had the same problem with my MacBook Pro and the SourceTree app. I followed the instructions provided in the DigiCert blog (link provided below) to solve this issue.

https://blog.digicert.com/expired-intermediate-certificate/


Author: Rengers

Updated on September 18, 2022

Comments

  • Rengers
    Rengers over 1 year

    Safari and Chrome report invalid certificates on certain HTTPS sites (for example GitHub and Bitbucket). Firefox strangely shows a green valid certificate.

    I've created a new OS X user and everything is perfectly valid there. I thought that maybe there was some invalid certificate in my login keychain. However, even after removing all certs from that keychain, it still reports as invalid.

    The Entrust cert that only shows on my account is present in my login keychain. I removed it, which makes the DigiCert High Assurance EV Root CA the new top certificate in the list, but it is not the same cert as on the working account...

    The problem also occurs when using curl or for example pushing with git.

    Is there something I'm overlooking?

    UPDATE
    Everything works after copying the DigiCert High Assurance EV Root CA from the System Roots to the login keychain. But why is this necessary on my user account?

    [Image: Certificate chain in Safari on my user account]

    [Image: Certificate chain in Safari on a new OS X account]

    • user1984103
      user1984103 almost 10 years
      Is the computer fully up to date with all software patches and updates on the latest version of OSX?
    • Rengers
      Rengers almost 10 years
      Yep, installed all the updates. It feels like somehow Safari is using an old certificate or something.
    • Arjan
      Arjan almost 10 years
      When using the search box in Keychain Access to find "digicert high", do you get a single hit? (On my Mac, I only get the one that expires November 2013, and that's in the System Roots.)
    • Rengers
      Rengers almost 10 years
      Yes, I only get one certificate that expires 10 November 2031. This cert is in my System Roots. The weird thing is: after I copy this to my login keychain (so that I have it twice), it actually works! But why doesn't it pick it up in the System Roots keychain...?
    • Arjan
      Arjan almost 10 years
      See also: Why won't OS X trust GitHub's SSL certificate? (which might be a dupe; not sure yet).
    • Rengers
      Rengers almost 10 years
      I've come across that question. It looked like the same problem or at least related, but none of the answers have worked for me. The only thing I didn't do was reset my default keychain.
    • Arjan
      Arjan almost 10 years
      "after I copy this to my login keychain (so that I have it twice), it actually works! But why doesn't it pick it up in the System Roots keychain" -- prior to copying, it should also pick up the one from the System Roots, for otherwise it wouldn't have a chain at all. But apparently somewhere it can find the faulty one instead. So I assume that copying it into your Login Keychain just gives it higher precedence. But where is the faulty one hiding...!? Did you see the note about "Repair" in the answers to the other question?
    • Arjan
      Arjan almost 10 years
      I just noticed that my Keychain Access did not show any expired root certificates. Enabling that in menu View, Show Expired Certificates might show you another version when searching for "digicert high"? (No changes for me, for that search.)
    • Rengers
      Rengers almost 10 years
      Ah man, thanks, that was it! There was an expired DigiCert certificate in my login keychain. Sometimes the solution is so easy, never even crossed my mind that expired certificates were hidden by default. If you post this as an answer, I will accept it.
  • Rengers
    Rengers almost 10 years
    Hah, nice. The exact solution, only posted a day after my question 😄.
  • Arjan
    Arjan almost 10 years
    Something to keep in mind: some say that using synchronization through iCloud might actually restore the expired certificate again.
  • schmielson
    schmielson almost 10 years
    One final step: restart your browser after deleting any expired certs. @Arjan thanks for the tip!
  • Frosty Z
    Frosty Z over 2 years
    Could you please update the link? It is dead