Odd SSL Problem caused by Old Open Keychain
... on Apple OS X
I had a really odd problem, with SSL (https://) sites after having upgraded to Apple OS X El Capitan. Chrome would not load SSL-protected websites (Safari was fine for the same ones), and then I got a blank screen in the Flowdock Mac app. By chance, I figured out how to fix it, and thought I would share what happened.
Problem Manifestation
During and after the upgrade to Mac OS X El Capitan, I did all the typical things I do, like checking through all the settings to make sure nothing is out of order. One of those includes checking that Time is being automatically set from the local NTS time server, because a mis-set clock will often cause trouble related to encryption.
I was getting those “this site is untrusted” errors in Chrome, oddly enough on major sites from Microsoft or Apple, since they certainly can afford to update their SSL certificates. Then I noticed that the Flowdock Mac app would not display, just showing a grey, blank screen.
I looked at Console.app while following up with Flowdock support, and saw entries like:
10/6/15 5:42:03.505 PM Flowdock[3255]: Failed to connect (goToSettings) outlet from (AppDelegate) to (NSMenuItem): missing setter or instance variable
10/6/15 5:42:04.614 PM Flowdock[3255]: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
… and …
10/6/15 5:44:02.839 PM Flowdock[3259]: Sparkle Error (continued): The certificate for this server is invalid. You might be connecting to a server that is pretending to be “s3.amazonaws.com” which could put your confidential information at risk.
… and …
10/6/15 5:55:39.447 PM Adobe Desktop Service[729]: CFNetwork SSLHandshake failed (-9807)
Researching a little, all of those errors have some relation to SSL and therefore security.
Resolving the Problem
Since certificate errors can come from the system clock not being set correctly, or as often from a certificate itself being expired, I checked for cert expiration indicators in the Keychain Access app, and confirmed that the system clock was set correctly in System Preferences, Date & Time.
A few general notes:
- In general, use the “set date and time automatically” option in System Preferences, Date & Time, to automatically pull the date and time from the time server, if at all possible.
- You can use the Keychain Access app (in /Applications/Utilities) to set what certificates are trusted by default, to delete expired ones or to run “First Aid” on your keychain in case of corruption.
- You can safely delete the cache files crlcache.db and ocspcache.db in /var/db/crls/. These contain a cache of your accepted certificates, and they will be re-created after a system restart.
In the end, I noticed that I had an old keychain added, from a backup of an old system. I had done this to retrieve some stored information, but had forgotten to remove it. When I removed the old keychain, poof!, the problems went away. I understand that OS X may have got “confused” by having two keychains open, since one was created on a separate system, with a different time set.
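One way to spot a leftover keychain like the one described above is to compare the keychain search list against the expected defaults. This is an added example, not part of the original post; it assumes the default keychain locations (login.keychain, or login.keychain-db on later releases, plus System.keychain), and the sample search list and user name are constructed.

```shell
#!/bin/sh
# Added example: flag keychains in the search list that are not the defaults.
# On a Mac, feed it live data:
#   security list-keychains | extra_keychains "$HOME"

# extra_keychains HOME_DIR
# Reads `security list-keychains` output on stdin and prints every keychain
# path that is outside the expected default set, one per line.
extra_keychains() {
    home_dir=$1
    # Each output line is an indented, double-quoted path; strip both.
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' |
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case $path in
            "$home_dir/Library/Keychains/login.keychain"|\
            "$home_dir/Library/Keychains/login.keychain-db"|\
            /Library/Keychains/System.keychain)
                ;;  # expected default, nothing to report
            *)
                printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample: a search list that still contains a keychain
# opened from a backup of an old system (hypothetical paths).
sample_search_list() {
    cat <<'EOF'
    "/Users/alice/Library/Keychains/login.keychain"
    "/Users/alice/Backups/old-mac/login.keychain"
    "/Library/Keychains/System.keychain"
EOF
}

# Demo run on the constructed sample; prints the one unexpected keychain.
sample_search_list | extra_keychains /Users/alice
```

Anything the function prints is worth reviewing in Keychain Access and removing from the list if it is no longer needed.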
This problem was so esoteric and rare, but it’s worth writing down, since the fix was not obvious. I hope the information helps someone, some day.