Warning: accessing obsolete X509Anchors?

Question

Level 1

15 points

Warning: accessing obsolete X509Anchors?

Recently upgraded Mac OS X Server 10.4.10 to 10.5.1 through the upgrade option from the install DVD. Tiger to Leopard transition worked more smoothly than previous upgrades.

I would like to know the root of these error messages though? Where should I start looking?
Every 30s these error messages appear in the system.log.

Dec 3 16:38:53: --- last message repeated 5 times ---
Dec 3 16:38:53 machine /Applications/Server/Server Admin.app/Contents/MacOS/Server Admin[240]: Warning: accessing obsolete X509Anchors.

In the /etc/certificates directory I find:
.defaultCertificateCreated
Default.crt
Default.crtkeyDefault.csr
Default.key
x509anchors.pem
+ my domain certs

In the /System/Library/Keychains directory I find:
SystemCACertificates.keychain
SystemRootCertificates.keychain
SystemTrustSettings.plist
X509Anchors
X509Certificates.obsoleted

In the Keychain Access.app I find X509Certificates empty, with a dotted, rounded corner square icon.
X509Anchors and System Roots are almost identical in there certificates except System Roots containing 12 more certificates.

I understand Leopard has changed its handling of certificates. Could someone please explain?

Any suggestions welcome.

Cheers 🙂

Message was edited by: WebServing

PowerMac G4 DP 1000, Mac OS X (10.5.1)

Posted on Dec 3, 2007 8:10 AM

Reply

Answer 1

hgd

Level 1

10 points

Dec 5, 2007 3:27 AM in response to WebServing

FWIW, I'm seeing the same message on an upgraded client system on which I run Server Admin.

Reply

Answer 2

jlundell

Level 1

4 points

Dec 5, 2007 12:24 PM in response to WebServing

I'm seeing the same message on a 10.5.1 non-server non-server-admin system.

Reply

Answer 3

WebServing Author

Level 1

15 points

Dec 9, 2007 6:48 AM in response to WebServing

FWIW same error messages pop up in the logs, when using Workgroup Manager and Keychain Access:

Dec 9 15:35:40 machine /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access[34889]: Warning: accessing obsolete X509Anchors.

Dec 9 15:40:30 machine /Applications/Server/Workgroup Manager.app/Contents/MacOS/Workgroup Manager[35046]: Warning: accessing obsolete X509Anchors.

Anyone have a solution for this?

Cheers 🙂

Reply

Answer 4

garygg

Level 1

21 points

Dec 9, 2007 11:22 AM in response to WebServing

Hi. I'm getting the same error message on my machine and it's not a server. Just running plain old Leopard on my networked PowerMac here at the house. Googled the error message and wound up here in the Leopard Server thread. Didn't know if it would be of interest to you that the regular OS is generating this error as well.

Reply

Answer 5

Dec 18, 2007 1:41 PM in response to WebServing

I get the same message from Apple Mail after upgrade on 10.5.1 client system. The answer may be here http://www.entourage.mvps.org/faq_topic/leopard.html

"... As it turns out, the X509Anchors file, as of Leopard, has been made obsolete - but not entirely... It can (and is) still read from, but cannot be written to - at least not with any GUI interface like Apple Keychain or Microsoft Cert Manager.

As Entourage looks at this X509Anchors file for the Root Certificate and not in the new SystemCA/RootCertificates.keychain files, of course it's not going to find it! This also explains why people that upgraded rather than fresh installed did not encounter this age old problem again. "

Reply

Answer 6

WoodyM

Level 1

10 points

Mar 4, 2008 7:40 PM in response to WebServing

Hi,

This one stumped me quite a while as I saw the same problem on my 10.5.x client. After some searching, I found that /Library/Preferences/com.apple.security-common.plist contained references to X509Anchors and X509Certificates. That was the only place I could figure that Keychain Access was finding them.

By the way, I found the references using Terminal as follows:
$ sudo grep -i -r X509Anchors /Library/Preferences/*

The file was last changed in 2005 so on a hunch, I renamed it to com.apple.security-common.plist.bak, then logged out and back in. I renamed it in the Finder.

And VOILA, when I opened Keychain Access, the funny round boxes and duplicate copies of login.keychain were all gone from the list and I had no more entries in the Console about accessing obsolete keychain X509Anchors!

Now if I could just merge my old keychain (accountname.keychain) into my login.keychain, then all would be really good. 🙂

Just as an aside, when I upgraded to 10.5 from 10.4, my finder Sidebar under Places was messed up with duplicate entries and a Desktop icon that didn't work right. I also found that when I deleted ~/Library/Preferences/com.apple.sidebarlists.plist that the problems went away.

Reply

Answer 7

WebServing Author

Level 1

15 points

Mar 9, 2008 4:19 PM in response to WoodyM

Thank you.

This tweak seems to solve my problem 🙂
Been running it for a couple of hours without any noticable problems. Nothing notable in the logs.

Cheers. 🙂

Reply

Answer 8

macmark2

Level 1

130 points

Mar 11, 2008 2:29 PM in response to WoodyM

Thank you! That definitely solved the problem for me! How annoying!

BTW -- For reference what does the ".Bak" mean and why not just delete that particular plist instead?

Reply

Answer 9

WoodyM

Level 1

10 points

Mar 12, 2008 9:35 AM in response to macmark2

The .bak file extension is not necessary. I just renamed the file so it wouldn't be used to make sure I found the real problem. I could have moved the file to the desktop, but I didn't want to delete it immediately. Now that I know it was the problem I can delete it, as can you. Thanks!

Reply

Answer 10

Apr 23, 2008 5:25 AM in response to WoodyM

I've been having the same "Warning: accessing obsolete X509Anchors" come up in the system.log a lot too. However, I looked for /Library/Preferences/com.apple.security-common.plist and came up with nothing.

Any other ideas?

Reply

Answer 11

Apr 23, 2008 3:12 PM in response to Rob B. Campbell

in reference to what? I too was seeing this error but specifically for Entourage. Microsoft has a piece posted about it in the link posted above.

http://www.entourage.mvps.org/faq_topic/leopard.html

We had the issue with Entourage 08, it all of a sudden began trying to use X509Anchors for SSL with no explanation. We ended up having to remove the account from Entourage & re-add it & all worked fine. I think Entourage 08 still has a few bugs to iron out.

The issue is probably more correctly observed as an application issue rather than a system issue. Certain applications are trying to use outdated methods that no longer work in Leopard & in most of these situations deleting the correct preference file for that app seems to solve the issue.

Reply

Answer 12

nazgul

Level 2

189 points

Jun 26, 2008 2:50 PM in response to Hezekiah Barnes

I disagree.

Jun 26 17:47:46 139 Safari[295]: Warning: accessing obsolete X509Anchors.

That's not Entourage complaining, it's Safari.

Furthermore the empty entries in KeyChain which can't be deleted aren't an app issue.

It definitely looks to me like someone (at Apple) forgot to cleanup an old preference file.

Reply

Answer 13

fyr

Level 1

0 points

Jul 20, 2008 3:14 AM in response to David Fennell

I just switch complains from Entourage :
Jul 16 15:11:07 Helios /Applications/Microsoft Office 2008/Microsoft Entourage.app/Contents/MacOS/Microsoft Entourage[341]: Warning: accessing obsolete X509Anchors.

to Mail.app and Safari :
Jul 17 10:11:38 Helios /Applications/Safari.app/Contents/MacOS/Safari[9266]: Warning: accessing obsolete X509Anchors.

After this command :
Jul 16 22:06:45 Helios sudo[16144]: fyr : TTY=ttys000 ; PWD=/Users/fyr ; USER=root ; COMMAND=/usr/bin/certtool i root_certificate.cer v k=/System/Library/Keychains/X509Anchors

and use Keychain Access.app tools to add the /System/Library/Keychains/X509Anchors (that just add a X509Anchors in the Keychains like the same as System Roots) Remove this entry just switch back the warning 🙂

Reply