opensslcertificatelets-encryptmacos-catalinalibressl

OpenSSL error: certificate verify failed on Mac Catalina


I work on a macbook (Catalina 10.15.7) and develop a webapp on my local machine. I use the mailtrap.io email testing service to check outgoing emails. I haven't changed anything, but a few days ago the mailtrap service gives back the below error message:

ErrorException stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed Illuminate\Foundation\Bootstrap\HandleExceptions::handleError vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php:94

The same code and call works fine from the remote server, so it seems that the problem is related my local mac machine.

Macbook Catalina DST Root CA X3 expiry problem

After some googling it seems that this issue is related to the expiry of DST Root CA X3 certificate. I read about two possible solutions for the problem:

  1. Remove the expired certiface and install new ones.
  2. Update OpenSSL on my machine

Approach #1 I tried, but it did not help. I removed the DST Root CA X3 section from /etc/ssl/cert.pem file and removed all DST Root CA X3 instances using the Keychain Access app. Then I installed the ISRG Root X1 and ISRG Root X2 using the Keychain Access app setting them to always trust. Unfortunately I still get the same error message after rebooting.

Approach #2 The second approach would be update OpenSSL on my machine. The "openssl version" command tells me that I have LibreSSL 2.8.3 on my machine, so I assume this is what I need to update. Checking the libreSSL release notes it seems that there already a fix for this problem. I installed the latest LibreSSL (3.3.5) and added it to the PATH variable, but I still get the same error. It seems that whoever would need the higher version of LibreSSL, it does not use it.

So my question:can somebody explain to me, which component from the above chart should use the higher version LibreSSL with the fix to avoid the original problem with the mailtrap connection? Is it the OS, MAMP, Laravel, the SwiftMail component or my Webapp? Based on this, how do I tell that component that it should use the LibreSSL (or alternatively OpenSSL that I could also install) with the fix? Or is there a better solution to this problem?

Thanks, W.


Solution

  • Finally I figured out that it is my PHP installation that uses the expired certificate. From PHPInfo I could figure where the OpenSLL installation is used by PHP. I had to remove the expired DST Root CA X3 root certificate from the .pem file under this installation and now everything works correctly.