I think I've encountered a bug of some sort. On a fresh install of my workstation I'm getting this SSL error after installing openssl-osx-ca:

$ php -r 'echo file_get_contents("https://repo.packagist.org/packages.json");'
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in Command line code on line 1

Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in Command line code on line 1
PHP Warning:  file_get_contents(): Failed to enable crypto in Command line code on line 1

Warning: file_get_contents(): Failed to enable crypto in Command line code on line 1
PHP Warning:  file_get_contents(https://repo.packagist.org/packages.json): failed to open stream: operation failed in Command line code on line 1

Warning: file_get_contents(https://repo.packagist.org/packages.json): failed to open stream: operation failed in Command line code on line 1

If I do the following:

$ brew services stop openssl-osx-ca
$ brew reinstall --force openssl

Then suddenly the issue dissapears:

$ php -r 'echo file_get_contents("https://repo.packagist.org/packages.json");'
{"packages":[],"notify":"https://packagist.org/downloads/%package%","notify-batch":"https://packagist.org/downloads/","providers-url":"/p/%package%$%hash%.json","metadata-url":"/p2/%package%.json","search":"https://packagist.org/search.json?q=%query%&type=%type%","provider-includes":{"p/provider-2013$%hash%.json":{"sha256":"c3af737c3e33db3b07aaa16de2115486b89fc157b2cfd16d7c1f6fb5bfa665c8"},"p/provider-2014$%hash%.json":{"sha256":"a3e7e0ca00904e1f184e7d320d164ee5e613e2ea1c4c000baf46be64254cc1bb"},"p/provider-2015$%hash%.json":{"sha256":"44394efe35097a2653d94210db54f268d0d5ccce6df7b15d848646a80dcdc3d6"},"p/provider-2016$%hash%.json":{"sha256":"521f4c36c2c476b5b42581a563e3b05137921b77af2af16fdc6909e75e4196c3"},"p/provider-2017$%hash%.json":{"sha256":"ff7d8654674abde91720363b6e9d692a0b32cd1dae085b8c4f483e4ffd936f62"},"p/provider-2018$%hash%.json":{"sha256":"4ceb2f0fd7648bce97861b68c8643a0be776f7491d9c6e1cafda263b64e88672"},"p/provider-2019$%hash%.json":{"sha256":"32e34761e653e68839aa3e4598f63787c18920e56c0698d1af08c8f59f344b17"},"p/provider-2019-04$%hash%.json":{"sha256":"3961b89dc43ef026d095c2392ab9e67e09d1ce27bd79a7f4ebfa63632cc664b2"},"p/provider-2019-07$%hash%.json":{"sha256":"27c4eb86af4a443113b1bd3184b54db38c5486fb376d49d104850880fd45ddd3"},"p/provider-2019-10$%hash%.json":{"sha256":"dfd5483fdc517b94065b6d78686e4e9c1a9fcdd135f346cf74cfdced08465c23"},"p/provider-archived$%hash%.json":{"sha256":"9532211868a5d20fe38633e55862be5a33d20e1e2ddddb4513dfba423e726ba2"},"p/provider-latest$%hash%.json":{"sha256":"51cb7a03acf698bf7c008c9e2cea0aeadbc53b64193eef83368fe06122b1ab04"}}}

But as soon as I re-enable openssl-osx-ca, the issue re-emerges.

On top of that, brew services list shows the openssl-osx-ca service as started, but with a yellow color. Apparently this actually means that the status is unknown, but I couldn't find any logs to investigate further.

Any ideas how I might resolve this issue?

when I ran sudo make install /opt/openssl-osx-ca, it ended up with copying all files for some reason. here is output:

$ sudo make install /opt/openssl-osx-ca
Password:
(crontab -l | grep -v openssl-osx-ca) | crontab -
crontab: no crontab for root
echo 

mkdir -p /opt/openssl-osx-ca
cp -r /* /opt/openssl-osx-ca/

Isn't this necessary only for the /usr/local/etc/openssl/certs directory?

The Makefile should run openssl-osx-ca after install.

Homebrew superenv stuff removes the brew program from the PATH during installs

Need to investigate superenv, fix formula and then re-add this.

I use GoAgentX as my proxy, and I can browse facebook, twitter, which using https. I installed this formula and run openssl-osx-ca manually. But pip and gem is still not working, curl is OK.

Using curl to access Facebook through GoAgent:

➜ ~ echo $http_proxy
http://localhost:7070
➜ ~ echo $https_proxy
http://localhost:7070
➜ ~ curl -I -v https://www.facebook.com/

• Adding handle: conn: 0x7fc9ca803a00

• Adding handle: send: 0

• Adding handle: recv: 0

• Curl_addHandleToPipeline: length: 1

• - Conn 0 (0x7fc9ca803a00) send_pipe: 1, recv_pipe: 0

• About to connect() to proxy localhost port 7070 (#0)

• Trying ::1...

• Trying 127.0.0.1...

• Connected to localhost (127.0.0.1) port 7070 (#0)

• Establish HTTP proxy tunnel to www.facebook.com:443

  CONNECT www.facebook.com:443 HTTP/1.1
  Host: www.facebook.com:443
  User-Agent: curl/7.30.0
  Proxy-Connection: Keep-Alive

  < HTTP/1.1 200 OK
  HTTP/1.1 200 OK
  <

• Proxy replied OK to CONNECT request

• TLS 1.0 connection using TLS_RSA_WITH_AES_128_CBC_SHA

• Server certificate: *.facebook.com

• Server certificate: GoAgent CA

  HEAD / HTTP/1.1
  User-Agent: curl/7.30.0
  Host: www.facebook.com
  Accept: /

  < HTTP/1.1 200
  HTTP/1.1 200
  < Content-Length: 12357
  Content-Length: 12357
  < X-Xss-Protection: 0
  X-Xss-Protection: 0
  < X-Content-Type-Options: nosniff
  X-Content-Type-Options: nosniff
  < Content-Encoding: gzip
  Content-Encoding: gzip
  < Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
  Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
  < Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
  Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
  < Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com
  Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com
  < Set-Cookie: datr=GItJUzBDhlG6Zurxn0W6SiTT; expires=Mon, 11-Apr-2016 18:51:04 GMT; path=/; domain=.facebook.com; httponly
  Set-Cookie: datr=GItJUzBDhlG6Zurxn0W6SiTT; expires=Mon, 11-Apr-2016 18:51:04 GMT; path=/; domain=.facebook.com; httponly
  < Expires: Sat, 01 Jan 2000 00:00:00 GMT
  Expires: Sat, 01 Jan 2000 00:00:00 GMT
  < X-Fb-Debug: 3ZL2IGtBP7SM4xvAp+5oneFXFRV3LwCTtRXhi0tRAjI=
  X-Fb-Debug: 3ZL2IGtBP7SM4xvAp+5oneFXFRV3LwCTtRXhi0tRAjI=
  < Connection: keep-alive
  Connection: keep-alive
  < Via: HTTP/1.1 GWA
  Via: HTTP/1.1 GWA
  < Pragma: no-cache
  Pragma: no-cache
  < Cache-Control: private, no-cache, no-store, must-revalidate
  Cache-Control: private, no-cache, no-store, must-revalidate
  < Date: Sat, 12 Apr 2014 18:51:04 GMT
  Date: Sat, 12 Apr 2014 18:51:04 GMT
  < P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
  P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
  < Content-Type: text/html; charset=utf-8
  Content-Type: text/html; charset=utf-8
  < X-Frame-Options: DENY
  X-Frame-Options: DENY

<

• Connection #0 to host localhost left intact

Pip error:

/usr/local/bin/pip3 run on Sun Apr 13 02:27:14 2014
Downloading/unpacking gevent
Getting page https://pypi.python.org/simple/gevent/
Could not fetch URL https://pypi.python.org/simple/gevent/: connection error: unknown error (_ssl.c:2719)
Will skip URL https://pypi.python.org/simple/gevent/ when looking for download links for gevent
Getting page https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/: connection error: unknown error (_ssl.c:2719)
Will skip URL https://pypi.python.org/simple/ when looking for download links for gevent
Cannot fetch index base URL https://pypi.python.org/simple/
URLs to search for versions for gevent:

• https://pypi.python.org/simple/gevent/
  Getting page https://pypi.python.org/simple/gevent/
  Could not fetch URL https://pypi.python.org/simple/gevent/: connection error: unknown error (_ssl.c:2719)
  Will skip URL https://pypi.python.org/simple/gevent/ when looking for download links for gevent
  Could not find any downloads that satisfy the requirement gevent
  Cleaning up...
  Removing temporary dir /private/var/folders/w9/wlvxx1hj7vj6m1rkxmjs99vh0000gn/T/pip_build_jagger...
  No distributions at all found for gevent
  Exception information:
  Traceback (most recent call last):
  File "/usr/local/lib/python3.4/site-packages/pip/basecommand.py", line 122, in main
  status = self.run(options, args)
  File "/usr/local/lib/python3.4/site-packages/pip/commands/install.py", line 278, in run
  requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/usr/local/lib/python3.4/site-packages/pip/req.py", line 1177, in prepare_files
  url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/usr/local/lib/python3.4/site-packages/pip/index.py", line 277, in find_requirement
  raise DistributionNotFound('No distributions at all found for %s' % req)
  pip.exceptions.DistributionNotFound: No distributions at all found for gevent

Gem error:

ERROR: Could not find a valid gem 'redis' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://rubygems.org/latest_specs.4.8.gz)

When I have openssl-osx-ca installed from homebrew and enabled in Ventura with all current homebrew casks, /usr/local/etc/[email protected]/cert.pem and /usr/local/etc/openssl@3/cert.pem are empty. I'm pretty sure openssl-osx-ca is the culprit, though I can't figure out the root of the incompatibility.

https://github.com/raggi/openssl-osx-ca/blob/master/osx-ca-certs.rb appears to be a much cleaner implementation than what is used in homebrew: https://github.com/Homebrew/homebrew-core/blob/master/Formula/[email protected]#L120-L139 and https://github.com/Homebrew/homebrew-core/blob/master/Formula/gnutls.rb#L68-L91 respectively.

It would be good port across https://github.com/raggi/openssl-osx-ca/blob/master/osx-ca-certs.rb to homebrew if the license were compatible.

I was wondering if you would be opposed to accepting a patch that would export root certificates from the keychains to certs directory. This is needed for tools such as Vagrant to inject them into guest virtual machines.

It seems that the documentation does to state if the bundle regeneration happens every hour or only this is checked every hour for changes in order to build it when changes are made.

This is quite an important detail because regeneration should happen only when needed in order to avoid already documented bugs due to switch of cert files (not to mention performance issues).

Hi,
I need to maintain legacy rails 2.3 app on top ruby 1.8.7.
My dev environment is mac os x yosemite.
May I know what openssl-osx-ca version should I use for my case?
Thank you

The tool does not work with [email protected], for example. Instead, it should apply itslef to both openssl and openssl@* folders.

I am wondering if this can be used as an workaround for fixing various non native MacOS Python distributions which are affected by the SSL issues (using embedded http library or the optional requests one)

Sorry for adding this as a question but I think that documenting this would be of great help to others.

current openssl from homebrew searches /usr/local/etc/openssl/certs/ for hashed certs, not /usr/local/etc/openssl/

Brew installed gnutls also gets a cert.pem of the same general format, so it can be supported in the same way.

As reported in #23:

Heads up gnutls appears to be slightly more strict on what is considers to be a CA certificate.

Using the cert.pem generated by this script there are a few certs which cause a warning to be displayed by gnutls:

$ gnutls-cli google.com
|<1>| There was a non-CA certificate in the trusted list: CN=com.apple.systemdefault,O=System Identity.
|<1>| There was a non-CA certificate in the trusted list: CN=com.apple.kerberos.kdc,O=System Identity.
...
Processed 173 CA certificate(s).
Resolving 'google.com:443'...
Connecting to '2a00:1450:4009:80b::200e:443'...
- Certificate type: X.509

gnutls still functions correctly.

I just installed openssl-osx-ca via your Homebrew tap. When I run it on the command line, I get an error:

$ /usr/local/Cellar/openssl-osx-ca/1.0.3/bin/openssl-osx-ca /usr/local/bin/brew
mktemp: too few X's in template ‘openssl-osx-ca’
mktemp failed

I have /usr/local/opt/coreutils/libexec/gnubin in my path in order to get the GNU versions of various utilities. Unfortunately, GNU mktemp isn't compatible with BSD mktemp.

This change fixed the problem:

--- /usr/local/bin/openssl-osx-ca.OLD   2014-04-10 08:38:59.000000000 -0400
+++ /usr/local/bin/openssl-osx-ca.NEW   2014-04-10 08:39:08.000000000 -0400
@@ -22,7 +22,7 @@

 [[ "${openssldir}" = "" ]] && echo "openssl directory not found" && exit 1

-tmpdir=$(mktemp -d -t openssl-osx-ca)
+tmpdir=$(/usr/bin/mktemp -d -t openssl-osx-ca)

 [[ "${tmpdir}" = "" ]] && echo "mktemp failed" && exit 1

I recently tried to start the service which I installed via Homebrew, and get this error:

$ brew services start raggi/ale/openssl-osx-ca
Bootstrap failed: 5: Input/output error
Error: Failure while executing; `/bin/launchctl bootstrap gui/501 /path/to/home/Library/LaunchAgents/homebrew.mxcl.openssl-osx-ca.plist` exited with 5.

All I could find via search was this possibly-related issue: Homebrew/brew#11289

I'm running Big Sur on an Intel-based MBP. Please let me know if I can help out with any further details.

What's possible with simple command line tools?

Given that these files won't change often, why not checksum them and only mv(1) if absolutely necessary?