ichingboy

Q: Cannot setup Google/Yahoo account El Capitan/Corrupt Certificates

Dear smart people,

 

I have been locked out of my gmail account today. Here's an unfortunately long but exhaustive list of possible related actions and attempted fixes I've taken:

  1. Google account has been setup on my MacBook Pro Retina (mid 2012) for gmail->Apple Mail, and Google Cal->Apple Calendar. No problems before today.
    1. I use 2-step verification, and had a handful of application-specific passwords
  2. Downloaded Pokémon Go to my iPhone last night (sorry I ever did), and had a heck of a time setting it up on my phone using Google login.
    1. I deleted several old app-spec passwords that appeared to be unused, and tried to create one for Pokemon. That never worked, so I had to wait till I was home to peek at my password via Keychain on my Mac. I got Pokemon setup using 2-step verification (via SMS).
  3. I didn't check my gmail on Apple Mail until this morning, where it said there was a network problem and told me I had to enter the password. That opened up System Preferences>Internet Accounts>my Google acct, but ended up giving me this message:
    Screen Shot 2016-07-13 at 3.49.49 PM.png
  4. Next, I went to the community, and found that people had been having issues with login certificates. Sounds like deleting problematic ones fixed it for most people. I had two suspicious ones that I deleted. The problem is, they keep coming back again and again and again after I attempt to delete them. Here's a picture of them:
    Screen Shot 2016-07-13 at 3.53.00 PM.png
    Screen Shot 2016-07-13 at 3.54.09 PM.png
  5. Attempted remedies
    1. Turned off 2-step verification on google account
    2. Deleted all related google account login password from Keychain Access.
    3. Deleted my account and certificates from my computer, and then tried to setup the account again. Same message from no. 3 above.
    4. Tried to delete certificates in safe mode. No luck.
    5. Reinstalled system software. No change.
    6. Logged into a different user on my machine, and I was able to get to the prompt screen to setup an account. That user didn't have ANY login certificates.
  6. Other considerations
    1. I have another google account that still works on my computer. It's a Google enterprise account through work. It's never had 2-step verification or application specific passwords, but it hasn't had any issues sending or receiving email today.
    2. I can still login to my personal google/gmail account via Safari. So, it seems the problem is verification via El Capitan's built in "Internet Accounts" management

Posted on Jul 13, 2016 3:19 PM


  • by ichingboy,

    ichingboy Jul 13, 2016 3:21 PM in response to ichingboy
    Level 1 (4 points)

    Also the Equifax Certificate's trust is set to "Use System Defaults"

  • by dianeoforegon,

    dianeoforegon Jul 13, 2016 5:06 PM in response to ichingboy
    Level 5 (5,417 points)

    For Equifax you might need to select "Trust" > Always Trust.

    trust.png

     

    Open Keychain Access in Applications/Utilities.

    Enter "veri" without quotes in the top search box.

    This will show all verisign certificates.

    Look for all with the red warning and delete.

    Restart

    Add your Google accounts. You will need the password to add.

     

    If you still have a problem....

    Turn ON Allow less secure apps.

    • Sign in to your Gmail account. Once signed in, in the upper right corner, choose the Google Apps button > My Account.
    • Choose Connected apps and sites. Set Allow less secure apps to ON. It's okay to allow Outlook access. Close the window.

     

    This link goes through the instructions for Outlook for Mac, but the setup would be the same for Mail if less secure apps is the problem.
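
A command-line way to see which certificates in a keychain are actually expired before deleting anything, as an added example that is not part of the original thread. It assumes `openssl` is installed; on macOS the PEM input can be produced with `security find-certificate -a -p`, and the keychain path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): list certificates in a PEM bundle
# whose validity ends within a given number of seconds (0 = already expired).
#
# Typical use on macOS (keychain path is an assumption):
#   security find-certificate -a -p ~/Library/Keychains/login.keychain \
#     | expiring_certs 0

# expiring_certs WINDOW_SECONDS < bundle.pem
# Prints one "subject | notAfter" line per matching certificate.
expiring_certs() {
    ec_window="${1:-0}"
    ec_tmp="$(mktemp)" || return 1
    ec_in=0
    while IFS= read -r ec_line || [ -n "$ec_line" ]; do
        case "$ec_line" in
            "-----BEGIN CERTIFICATE-----")
                # Start collecting one certificate into the temp file.
                ec_in=1
                printf '%s\n' "$ec_line" > "$ec_tmp" ;;
            "-----END CERTIFICATE-----")
                [ "$ec_in" -eq 1 ] || continue
                ec_in=0
                printf '%s\n' "$ec_line" >> "$ec_tmp"
                # Skip blocks openssl cannot parse as X.509.
                openssl x509 -in "$ec_tmp" -noout >/dev/null 2>&1 || continue
                # -checkend exits non-zero when validity ends within the window.
                if ! openssl x509 -in "$ec_tmp" -noout \
                        -checkend "$ec_window" >/dev/null 2>&1; then
                    printf '%s | %s\n' \
                        "$(openssl x509 -in "$ec_tmp" -noout -subject)" \
                        "$(openssl x509 -in "$ec_tmp" -noout -enddate)"
                fi ;;
            *)
                # Body line: keep it only while inside a certificate block.
                [ "$ec_in" -eq 1 ] && printf '%s\n' "$ec_line" >> "$ec_tmp" ;;
        esac
    done
    rm -f "$ec_tmp"
}
```

The function only reports; it changes nothing in the keychain, so the output can be compared with the entries Keychain Access flags before any of them are removed.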

  • by ichingboy,

    ichingboy Jul 14, 2016 1:56 AM in response to dianeoforegon
    Level 1 (4 points)

    Thanks for the reply, dianeoforegon. I tried to trust the Equifax certificate to no avail. Surprisingly, there are no VeriSign certificates in the Login/Certificates keychain. There are VeriSign certs in the System Roots keychain, but it won't allow me to delete those. Also tried the "less secure apps" thing and sorry to say that it didn't help either. That was a new one to me though ...

  • by appreciate,

    appreciate Jul 14, 2016 4:03 AM in response to ichingboy
    Level 4 (1,276 points)
  • by dianeoforegon,

    dianeoforegon Jul 14, 2016 11:10 AM in response to ichingboy
    Level 5 (5,417 points)

    Troubleshooting is a process of elimination.

     

    Testing in a new User will quickly tell you if the problem is system wide or if it's your User's folder that contains the problem.

     

    CREATE A NEW USER

     

    Go to System Preferences --> Create a New User in Users & Groups.

    Switch to the New User by logging out/in or use Fast User Switching.

     

    You can select not to sign in with your Apple ID if you are not testing an iCloud issue.

     

    Skip > Sign in > Continue

     

    Only default Apple apps will be in the Dock in the new User. Go to Applications to open other apps you might want to test.

     

    Try adding your Google and Yahoo accounts?

    Do you still see the issue?

     

     

        If yes, then the problem is with your base files.

        If no, then the problem is in your User's folder.

  • by ichingboy,

    ichingboy Jul 14, 2016 3:49 PM in response to dianeoforegon
    Level 1 (4 points)

    dianeoforegon, I did get to that point. (I attempted to describe that above in my list of "Attempted Remedies".) I had another user on my computer already, and it didn't have the same problem. So suffice to say, the issue is on the user side of things. I guess that's the good news. But still, I can't get those problematic certificates to delete–or more specifically, to STAY deleted. I delete them and they show up again.

     

    I'm guessing that the file containing the certificate is altogether corrupted, but I wouldn't know how to fix it. It's got to be one of the files in (User)/Library/Keychains folder, right?

  • by ichingboy,

    ichingboy Jul 14, 2016 3:51 PM in response to appreciate
    Level 1 (4 points)

    An Apple article is there: OS X Yosemite: If your certificate isn’t being accepted

     

    This may contain the information I need but it's beyond my technical understanding ...

  • by dianeoforegon, Apple recommended

    dianeoforegon Jul 16, 2016 11:10 PM in response to ichingboy
    Level 5 (5,417 points)

    You could create a new Keychain. Are you using Apple's iCloud Keychain?

    Do you have a list of all your passwords?

     

    See these links for help:

    Frequently asked questions about iCloud Keychain - Apple Support

     

    Resetting your keychain in Mac OS X - Apple Support

    Create a new login keychain

  • by ichingboy,

    ichingboy Jul 16, 2016 11:04 PM in response to dianeoforegon
    Level 1 (4 points)

    The issue is a certificate, not a password. At least I believe it has to do with certificates. Google does use Equifax CA, and since that certificate is marked with a red x, I'm assuming that's the issue.

     

    I've got my password. I can login to google/gmail via a browser no problem. The issue is using Apple Mail and Apple Calendar. More specifically, setting it up via System Preferences>Internet Accounts.

  • by ichingboy,

    ichingboy Jul 16, 2016 11:10 PM in response to ichingboy
    Level 1 (4 points)

    Hey, I think that did fix it. I can set up the account now, but now all my passwords are gone. Bummer. Oh well, I can deal with that. Thanks for your help!

  • by dianeoforegon, Helpful

    dianeoforegon Jul 17, 2016 11:03 AM in response to ichingboy
    Level 5 (5,417 points)

    Glad the new keychain fixed your issue. Look into the password keepers like 1Password, LastPass, Dashlane, etc. These will keep a secure log of your passwords and allow you to easily enter in browsers using a secure password that is only used for that site. It's recommended that you never use the same password twice.

     

    FYI....

    There are certain items that must be in the Keychain app like email account passwords or you would have to enter every time your account connects. For sites where you log in with your browser, you can select to use the iCloud Keychain, but this only works in Safari and not other browsers.

     

    The iCloud Keychain is an ideal choice for certain tasks, but there’s no reason you can’t use it alongside a third-party tool like 1Password, LastPass, Dashlane, etc.

     

    This article talks about other password managers too. FlippedBITS: 1Password Versus iCloud Keychain

     

    Note: If the iCloud Keychain is disabled, the iCloud keychain is replaced with a “Local Items” keychain that has the same contents as the iCloud keychain. Any items added to the Local Items keychain will be pushed out to other devices when iCloud Keychain is re-enabled.

     

    You might find these FAQs helpful

     

    Frequently asked questions about iCloud Keychain - Apple Support