
I upgraded from Mac OS X 10.11.3 to 10.11.4 this week. After that, I found that if I open some software, e.g. the Xcode simulator download page or the HMA client (a VPN client), it reports invalid certificate errors like the ones below:

"Could not download and install OS X 10.11.4 Documentation. The certificate for this server is invalid. You might be connecting to a server that is pretending to be “devimages.apple.com.edgekey.net” which could put your confidential information at risk."

Or:

"System.Net.WebException: Error: SendFailure (Error writing headers) ---> System.Net.WebException: Error writing headers ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0x5
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.RemoteValidation (Mono.Security.Protocol.Tls.ClientContext context, AlertDescription description) [0x00000] in <filename unknown>:0 "

And in system log, I also see:

    error=Error Domain=kCFErrorDomainCFNetwork Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “setup.icloud.com” which could put your confidential information at risk." UserInfo={NSErrorFailingURLStringKey=https://setup.icloud.com/configurations/init, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, kCFStreamPropertySSLPeerCertificates=(
        "<SecCertificate 0x7fdaba571060 [0x7fff7abb5440]>",
        "<SecCertificate 0x7fdaba551430 [0x7fff7abb5440]>"
    ), _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fdaba412b20 [0x7fff7abb5440]>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “setup.icloud.com” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://setup.icloud.com/configurations/init, _kCFStreamErrorCodeKey=-9807}, httpStatusCode=-1, responseHeaders=
    (null)

However, if I create a new admin account on the same machine, the issues are gone. I am not sure what's broken and how I can fix it.

Please help me fix it! Thanks!

Wingzero
  • 173

So after filing a bug on Radar, Apple folks told me to check Keychain Access - Preferences - Certificates tab.

After changing the CRL setting from "Require if certificate indicates" to "Best attempt" or "Off", the issues are gone.

So it seems like some CA certs under 'System Root' expired.

So we have two options:

  1. leave CRL as "Best attempt" (not sure how much it will weaken the system security)
  2. delete the expired system root certs by following "security: SecKeychainItemDelete: UNIX[Operation not permitted] on OS X when trying to remove a system root expired cert".

Wingzero
  • 173
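Before relaxing the CRL policy, it helps to know which roots have actually lapsed. The script below is an added example, not code from the question, the answer, or Apple; it reads a PEM bundle and reports each certificate's validity window and whether it has expired. On a Mac the bundle can be produced with `security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > roots.pem`; everything else is standard library. The function names (`validity`, `expired_in_bundle`, `utc_date`) are this example's own, and `fake_cert_pem` builds a constructed, unsigned certificate-shaped blob purely so the script can test itself offline.

```python
"""Added example: list expired certificates in a PEM bundle such as an export of
the macOS System Roots keychain. Stdlib only; the DER walker reads just enough
of the X.509 structure to reach the validity field (no signature checks)."""
import base64
import datetime
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = datetime.timezone.utc


def utc_date(year, month, day):
    """Timezone-aware UTC midnight, used for reference dates and fixtures."""
    return datetime.datetime(year, month, day, tzinfo=UTC)


def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime: RFC 5280 maps YY>=50 to 19YY, else 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def validity(der):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, cs, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, ts, te = _tlv(der, cs)               # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, vs, ve = fields[3]
    not_before, not_after = [_parse_time(t, der[a:b]) for t, a, b in _children(der, vs, ve)]
    return not_before, not_after


def expired_in_bundle(pem_text, now=None):
    """Return [(index, not_before, not_after, is_expired)] for every cert in the bundle."""
    now = now or datetime.datetime.now(UTC)
    report = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        nb, na = validity(der)
        report.append((i, nb, na, now > na))
    return report


# --- constructed fixture: certificate-shaped DER with no real key or signature ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert_pem(not_before, not_after):
    """Constructed test input only: just enough X.509 structure for validity() to walk."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # [0] version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        _der(0x30, b""),                                                   # issuer (empty Name)
        _der(0x30, utc(not_before) + utc(not_after)),                      # validity
        _der(0x30, b""),                                                   # subject
        _der(0x30, b""),                                                   # subjectPublicKeyInfo placeholder
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))         # empty sigalg + BIT STRING
    body = base64.b64encode(cert).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for i, nb, na, dead in expired_in_bundle(text):
        print("cert %d  notAfter=%s  %s" % (i, na.date(), "EXPIRED" if dead else "ok"))
```

Run it as `python3 check_roots.py roots.pem`; any line marked EXPIRED is a candidate for the second option in the answer, and a bundle with no expired entries points the blame elsewhere (for instance at the CRL fetch itself) rather than at the root store.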