Jase the C

Q: Persistent invalid certificates problem

Suddenly, my web browsers are telling me that they can't verify the identity of a number of websites that I frequently use and that the certificates are invalid. I can't choose to continue past that alert, and I am unable to get the browsers to trust the sites. Also, on YouTube I am permanently in Restricted Mode and am unable to toggle that setting off.

I have looked at a number of posts relating to this issue, and while some of the technicalities are a little over my head, I've tried the solutions offered. I have checked to make sure Date and Time are correct. I've looked at Activity Monitor to see that a process called "ocspd" is running (affirmative). I have used Keychain Access's "Reset My Default Keychain" command and its "Delete Keychain 'login'" command (both references & files). I've also rubbed out in the Finder the Library's Keychains folder and Keychain files in the Library's Preferences folder. I guess that's about it. None of that has altered the situation a bit.

Is there anything else I should try? Can anyone offer an explanation of this problem, which arose seemingly spontaneously? I have a clone of my system from two and a half weeks ago that I am tempted to reinstall. I'm pretty sure that would roll me back to a state from before this problem started (I only noticed this problem a couple of days ago). But I'm more than willing to try other more specific fixes before I do that.

Thanks for any ideas!

iMac, OS X Yosemite (10.10), 2.4 GHz Intel Core 2 Duo, 4 GB RAM

Posted on Sep 22, 2016 7:25 PM


  • by Eric Root,

    Eric Root, Level 9 (72,223 points)
    Sep 22, 2016 7:55 PM in response to Jase the C

    Try going to Applications/Utilities/Keychain Access and delete the certificate for the website. This should cause a new one to be downloaded. Quit and reopen Safari to test.

    Safari certificate not recognized

    From Safari Help

    Change the trust settings of a certificate

    You can view or change a certificate’s trust policies in Keychain Access.

    In the Category list, select a category.

    Select a certificate, then choose File > Get Info.

    Click the Trust disclosure triangle to display the trust policies for the certificate.

    To override the trust policies, choose new trust settings from the pop-up menus.

    Safari Certificate not recognized

    Certificate isn’t being accepted

  • by Jase the C,

    Jase the C, Level 2 (383 points)
    Sep 22, 2016 10:44 PM in response to Eric Root

    Thanks for replying, Eric. I didn't take much room to explain, but I have tried all those basic steps. When I delete a certificate, the same problem appears when I go back to the website and a fresh certificate is downloaded. Changing the trust settings for the certificate has no effect.

    Here is a shot of the certificate for one website. I see that the "Issued by" attribution only says "Invalid Certificate." Am I missing something, like a root certificate? (I'm only guessing at the process.) Is the answer in the Details section of the certificate window? If so, it's not obvious to me.

    [Image: Trust.png]

  • by Jase the C,

    Jase the C, Level 2 (383 points)
    Sep 24, 2016 9:15 AM in response to Jase the C

    Other pertinent facts that I failed to mention: This problem is occurring on this Mac, my desktop computer, but not on my other Macs (a MacBook Air and a Mac Mini). And it is occurring on all user accounts on this Mac.

    I just spent two hours on the phone with level 2 Apple tech support, and they were unable to find a solution to my problem. They had said the particular issue I was having was not in their database anywhere. It's apparent that it is an OS-level security issue on this computer, but they were not able to isolate the cause.

    Right now, I am reinstalling El Capitan, which should make the problem go away. Will report the outcome here.

  • by Jase the C,

    Jase the C, Level 2 (383 points)
    Sep 24, 2016 10:59 AM in response to Jase the C

    Nope, no joy. Reinstalling OS X changed nothing. In fact, now I have a new problem. My internet account was inactive after reinstalling, and trying to reactivate my account led to a "Connection Insecure," failed-to-verify-server-certificate roadblock. I tried creating the account from scratch on a new user account but ran into the same roadblock.

    So, it's off to technical support again, this time to dump system information to them to pass on to their engineering department for a look. On the plus side, I am pleased about how easy it was to get in touch with Apple tech support. I don't remember it always being this way.

  • by Jase the C, Solved answer

    Jase the C, Level 2 (383 points)
    Sep 24, 2016 12:22 PM in response to Jase the C

    Success! When tech support (senior-advisor level) learned that reinstalling OS X made no difference, he talked to engineering. They said this was a very unusual sounding problem but advised him to talk with my ISP. And that is where the problem was. My ISP found a partial service outage on one of their repeaters that my account was connecting with, and after they repaired that outage, my certificate problems with certain websites and the issue with YouTube's Restricted Mode being stuck on "On" disappeared.

    The tech advisor said that now that we know what the issue was, we could have spotted it by pinging the problematic websites. Evidently, we would have seen frequent unsuccessful pings. I definitely learned something about how narrow and specific ISP service issues could be. (I had rebooted my modem/router to no effect; the problem had to be addressed on the ISP side.)

    I am definitely pleased with Apple's support on this problem.
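
The ping check the tech advisor mentions in the final post, as an added example that is not part of the original thread: `loss_pct` reads the summary line of `ping` output and `classify` separates intermittent loss from a host that never answers. The function names, the probe count and the sample summary are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): spot intermittent packet loss to the
# sites that show certificate errors, as the tech advisor suggested.

# Read ping output on stdin and print the packet-loss percentage as an integer.
# Accepts the macOS/BSD form ("35.0% packet loss") and the Linux form ("35% packet loss").
# Prints 100 when there is no summary line at all (e.g. the name did not resolve).
loss_pct() {
    awk '/packet loss/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9.]+%$/) {
                sub(/%/, "", $i); printf "%d\n", $i; found = 1; exit
            }
    }
    END { if (!found) print 100 }'
}

# Turn a loss percentage into a verdict. "intermittent" is the pattern the
# thread describes: some probes answered, some lost.
classify() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -lt 100 ]; then echo intermittent
    else echo down
    fi
}

# Send 20 probes to one host and print "host loss% verdict".
# Not called here so the file runs offline; invoke it per affected site.
check_host() {
    pct=$(ping -c 20 "$1" 2>/dev/null | loss_pct)
    echo "$1 $pct $(classify "$pct")"
}

# Constructed sample of a macOS ping summary (not real output from the thread).
SAMPLE='--- www.example.com ping statistics ---
20 packets transmitted, 13 packets received, 35.0% packet loss'

pct=$(printf '%s\n' "$SAMPLE" | loss_pct)
echo "www.example.com $pct $(classify "$pct")"
```

Some sites do not answer ICMP at all, so a "down" verdict for a single host is weaker evidence than "intermittent" loss across several hosts. Running `check_host` for the same sites from a second network shows whether the path or the machine is at fault.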