Sometimes when trying to clone a git repo off the internet, I run into this error:
SSL certificate problem: certificate has expired. On old versions of Mac OSX, your system's SSL cert may not update, so you should update it manually.
OpenSSL on macOS does not use the system keychain (which makes sense as it's a cross platform library) but rather has its own .pem file containing its root certificates. Even though my systems have a newer version of OpenSSL installed using homebrew and/or MacPorts, the system-wide OpenSSL pem file located at /etc/ssl/cert.pem was out of date and did not include the ISRG Root X1 certificate.
- Rename /etc/ssl/cert.pem to something else. (I suggest /etc/ssl/cert.pem.org)
- Download the latest cacert.pem from https://curl.se/docs/caextract.html
- Rename it to cert.pem
- Copy it to /etc/ssl/cert.pem
Now curl and any other app using OpenSSL can access websites signed using current Let's Encrypt certificates.
Alternatively, the MacPorts package curl-ca-bundle installs a .pem file containing ISRG Root X1 to /opt/local/etc/openssl/cert.pem which can be used as well.
Other possible solutions:
- Manually add the ISRG Root X1 certificate to /etc/ssl/cert.pem
- Configure OpenSSL to use a different .pem file for its root certificates, such as /opt/local/etc/openssl/cert.pem
Last modified: 202212070107