andy465

Q: "There was an error connecting to the Apple ID server" untrusted CRL issue

I started getting errors when logging into my Apple account on iTunes/App Store/iBooks etc, which I noticed today.

When attempting login, these would return the message "There was an error connecting to the Apple ID server"

Debugging this with Wireshark, I noticed that iTunes was disconnecting as soon as it saw the server SSL certificate.

I opened the domain URL it was using (https://gsa.apple.com) in Safari to see whether it reported any certificate issues, and it confirmed that the intermediary certificate, though valid, couldn't be verified against its CRL as it believes http://crl.apple.com/root.crl is an untrusted CRL.

Other OSX computers I've checked serve the same certificate, and validate the certificate successfully.

I've attempted to set the certificate to always trust, but it had no effect.

I've changed the Keychain Access -> Preferences -> Certificates -> Certificate Revocation List (CRL) to "Best attempt", which appears to fix the issue, however I'm not keen on this change as it might weaken my computer's security compared to "Require if certificate indicates".

Is there any way to restore OSX's trusted CRL list to fix this?

MacBook Pro with Retina display, OS X El Capitan (10.11.4)

Posted on Apr 24, 2016 2:12 PM


  • by andy465 (Level 1, 6 points, iTunes), Apr 24, 2016 2:24 PM in response to andy465

    Actually, I just found the other computer's Keychain Access -> Preferences -> Certificates -> Certificate Revocation List (CRL) is set to "Best attempt", and turning it to "Require if certificate indicates" causes the same issue, so I assume this is an issue with Apple's ID server certificates themselves.

    I believe I set the CRL settings to "Require if certificate indicates" a while back to try to improve security. So at one point up to recently, https://gsa.apple.com did work with those settings, and possibly they've changed the intermediate certificate, which has the untrusted CRL issue. That it's http://crl.apple.com/root.crl and not https seems suspect and might be the source of the untrustedness issue.

  • by Digi421 (Level 1, 4 points), Aug 17, 2016 3:07 AM in response to andy465

    No, that's fine. Access to CRLs is HTTP, because if it was HTTPS, you'd need another CRL request to verify the certificate used to download the CRL and that would loop ad infinitum.

    The problem is that the certificate of the (root) CA that issued the certificate for gsa.apple.com isn't known and hence isn't trusted.