openssl certificate lets-encrypt macos-catalina libressl

OpenSSL error: certificate verify failed on Mac Catalina


I work on a MacBook (Catalina 10.15.7) and develop a webapp on my local machine. I use the mailtrap.io email testing service to check outgoing emails. I haven't changed anything, but since a few days ago the mailtrap service has been giving back the error message below:

ErrorException stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed Illuminate\Foundation\Bootstrap\HandleExceptions::handleError vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php:94

The same code and call work fine from the remote server, so it seems that the problem is related to my local Mac machine.

Macbook Catalina DST Root CA X3 expiry problem

After some googling it seems that this issue is related to the expiry of DST Root CA X3 certificate. I read about two possible solutions for the problem:

  1. Remove the expired certificate and install new ones.
  2. Update OpenSSL on my machine.

Approach #1 I tried, but it did not help. I removed the DST Root CA X3 section from /etc/ssl/cert.pem file and removed all DST Root CA X3 instances using the Keychain Access app. Then I installed the ISRG Root X1 and ISRG Root X2 using the Keychain Access app setting them to always trust. Unfortunately I still get the same error message after rebooting.

Approach #2 The second approach would be to update OpenSSL on my machine. The "openssl version" command tells me that I have LibreSSL 2.8.3 on my machine, so I assume this is what I need to update. Checking the LibreSSL release notes, it seems that there is already a fix for this problem. I installed the latest LibreSSL (3.3.5) and added it to the PATH variable, but I still get the same error. It seems that whoever would need the higher version of LibreSSL does not use it.

So my question: can somebody explain to me which component from the above chart should use the higher version of LibreSSL with the fix to avoid the original problem with the mailtrap connection? Is it the OS, MAMP, Laravel, the SwiftMail component or my webapp? Based on this, how do I tell that component that it should use the LibreSSL (or alternatively OpenSSL, which I could also install) with the fix? Or is there a better solution to this problem?

Thanks, W.


Solution

  • Finally I figured out that it is my PHP installation that uses the expired certificate. From PHPInfo I could figure out where the OpenSSL installation used by PHP is. I had to remove the expired DST Root CA X3 root certificate from the .pem file under this installation and now everything works correctly.
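
One way to find the bundle described in the solution above, as an added example that is not part of the original post: this script asks PHP's OpenSSL extension which CA file it verifies against and lists the expired certificates in it. The function names `effective_cafile` and `expired_certs` are made up for this example; run the script under the same PHP installation that serves the app, and note that it does not see a `cafile` set in a stream context by the application.

```php
<?php
// Added example: locate the CA bundle PHP's OpenSSL extension uses
// and flag expired certificates in it.

/** Return the CA file PHP falls back to when no stream context sets one. */
function effective_cafile(): ?string
{
    // An explicit openssl.cafile in php.ini wins over the library default.
    $ini = ini_get('openssl.cafile');
    if ($ini !== false && $ini !== '') {
        return $ini;
    }
    $loc = openssl_get_cert_locations();
    // The linked SSL library honours this environment variable
    // (normally SSL_CERT_FILE) before its compiled-in path.
    $env = getenv($loc['default_cert_file_env']);
    if ($env !== false && $env !== '') {
        return $env;
    }
    return $loc['default_cert_file'] !== '' ? $loc['default_cert_file'] : null;
}

/** Return name and expiry date of every certificate in a PEM bundle that expired before $now. */
function expired_certs(string $pemBundle, int $now): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pemBundle, $m);
    $expired = [];
    foreach ($m[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info !== false && $info['validTo_time_t'] < $now) {
            $expired[] = [
                'name'    => $info['name'],
                'expired' => gmdate('Y-m-d', $info['validTo_time_t']),
            ];
        }
    }
    return $expired;
}

$cafile = effective_cafile();
echo 'PHP ' . PHP_VERSION . ' linked against ' . OPENSSL_VERSION_TEXT . PHP_EOL;
echo 'CA bundle: ' . ($cafile ?? '(none configured)') . PHP_EOL;
if ($cafile !== null && is_readable($cafile)) {
    foreach (expired_certs(file_get_contents($cafile), time()) as $c) {
        echo "EXPIRED {$c['expired']}  {$c['name']}" . PHP_EOL;
    }
}
```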