App / curl still getting certificate expired error due to expired Let's Encrypt certificate

Solution 1:

OpenSSL on macOS does not use the system keychain (which makes sense as it's a cross platform library) but rather has its own .pem file containing its root certificates. Even though my systems have a newer version of OpenSSL installed using homebrew and/or MacPorts, the system-wide OpenSSL pem file located at /etc/ssl/cert.pem was out of date and did not include the ISRG Root X1 certificate.

The solution:

  1. Rename /etc/ssl/cert.pem to something else. (I suggest /etc/ssl/cert.pem.org)

  2. Download the latest cacert.pem from https://curl.se/docs/caextract.html

  3. Rename it to cert.pem

  4. Copy it to /etc/ssl/cert.pem

Now curl and any other app using OpenSSL can access websites signed using current Let's Encrypt certificates.

Alternatively, the MacPorts package curl-ca-bundle installs a pem file containing ISRG Root X1 to /opt/local/etc/openssl/cert.pem which can be used as well.

Other possible solutions:

  • Manually add the ISRG Root X1 certificate to /etc/ssl/cert.pem

  • Configure OpenSSL to use a different .pem file for its root certificates, such as /opt/local/etc/openssl/cert.pem
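The procedure in the answer above, written out as a small POSIX shell script with the checks a practitioner would want before and after touching the bundle. This is an added example, not the answerer's own script: it assumes the direct download URL https://curl.se/ca/cacert.pem for the file linked from the caextract page, the Let's Encrypt test host valid-isrgrootx1.letsencrypt.org for the final check, and the fact that curl's cacert.pem labels each block with the CA's name on the line above it. Before installing anything it confirms the downloaded bundle actually contains ISRG Root X1, and it never deletes the old file, only renames it as step 1 suggests.

```shell
#!/bin/sh
# Added example (not from the answer): inspect an OpenSSL PEM bundle for
# ISRG Root X1 and, on request, carry out the replacement steps with a backup
# and a post-install check. BUNDLE, CACERT_URL and the test host are assumptions.
set -eu

ROOT_NAME="ISRG Root X1"
BUNDLE="${BUNDLE:-/etc/ssl/cert.pem}"          # file OpenSSL on macOS reads (from the answer)
CACERT_URL="https://curl.se/ca/cacert.pem"     # assumed direct URL behind curl.se/docs/caextract.html
TEST_URL="https://valid-isrgrootx1.letsencrypt.org/"  # assumed: Let's Encrypt's ISRG Root X1 test site

# Number of certificates in a PEM bundle (one BEGIN line per certificate).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Cheap check: curl's cacert.pem writes each CA's name on its own line above
# the block, so an exact-line grep finds the root without parsing anything.
# Exit status 0 = present, 1 = absent.
bundle_labels_root() {
    grep -qx "$ROOT_NAME" "$1"
}

# Stronger check for any PEM bundle: have OpenSSL print every subject in the
# file and look for the root's CN (works with both "CN = x" and "/CN=x" output).
bundle_subject_has_root() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
      | openssl pkcs7 -print_certs -noout \
      | grep -q "CN *= *$ROOT_NAME"
}

# Steps 1-4 of the answer: fetch, validate, keep the old file as .org, install.
install_bundle() {
    tmp="$(mktemp)"
    echo "fetching $CACERT_URL"
    curl -fsSL -o "$tmp" "$CACERT_URL"
    if ! bundle_labels_root "$tmp"; then
        echo "downloaded bundle does not contain $ROOT_NAME; not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    # Keep the original bundle; do not overwrite an existing backup.
    [ -e "$BUNDLE.org" ] || sudo mv "$BUNDLE" "$BUNDLE.org"
    sudo install -m 0644 "$tmp" "$BUNDLE"
    rm -f "$tmp"
    echo "installed $(count_certs "$BUNDLE") certificates into $BUNDLE"
}

case "${1:-check}" in
    check)
        if [ -r "$BUNDLE" ]; then
            echo "$BUNDLE: $(count_certs "$BUNDLE") certificates"
            if bundle_subject_has_root "$BUNDLE" 2>/dev/null; then
                echo "$ROOT_NAME: present"
            else
                echo "$ROOT_NAME: missing (or openssl unavailable)"
            fi
        fi
        ;;
    install) install_bundle ;;
    verify)  curl -sS -o /dev/null -w 'HTTP %{http_code} from %{url_effective}\n' "$TEST_URL" ;;
esac
```

Run `sh fix-cert-bundle.sh check` first to see whether the current bundle already carries the root, `install` to perform the replacement, and `verify` to confirm that curl now completes a TLS handshake against a site chained to ISRG Root X1; if `verify` fails while `check` reports the root as present, the problem is not the bundle but the program using a different OpenSSL build or a different certificate file.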