
Unable to establish secure connection to idmsa.apple.com

Here is my basic problem: I can no longer establish a secure connection to idmsa.apple.com with any app that uses ATS (App Transport Security) like Safari, nscurl, etc.


When trying to log in to any Apple site, like these communities, using Safari, it says “can’t establish a secure connection to the server”. However, using other browsers (Firefox) I can successfully log in to Apple sites but I presume Firefox is not using ATS like Safari.


I am running macOS 10.13.6 with all the latest updates. I thought maybe it was an issue with my account, but the problem persists in a freshly created account.


Trying to run nscurl using ATS diagnostics results in all failures (partial output below). At this point, idmsa.apple.com is the only URL that fails for me.


================================================================================


Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
2020-03-23 20:00:33.554 nscurl[8037:2234736] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7f88536319c0>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
    "<cert(0x7f8853827000) s: idmsa.apple.com i: Apple IST CA 2 - G1>",
    "<cert(0x7f885381bc00) s: Apple IST CA 2 - G1 i: Baltimore CyberTrust Root>"
), NSUnderlyingError=0x7f8853411fe0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7f88536319c0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7f8853827000) s: idmsa.apple.com i: Apple IST CA 2 - G1>",
    "<cert(0x7f885381bc00) s: Apple IST CA 2 - G1 i: Baltimore CyberTrust Root>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://idmsa.apple.com/, NSErrorFailingURLStringKey=https://idmsa.apple.com/, NSErrorClientCertificateStateKey=0}
---


================================================================================


Any ideas what could be causing this?

Posted on Mar 24, 2020 4:05 PM

Question marked as Best reply

Posted on Mar 25, 2020 2:32 PM

It ended up being the pinning rules found in /Library/Keychains/pinningrules.sqlite3


Comparing this sqlite3 db to a known good one revealed a bunch of missing root CA hashes for idmsa.apple.com. Not sure why these would have been missing (bad update?).


Regardless, I fixed it with the python script below. I would make a backup of the pinningrules.sqlite3 db first though.


#!/usr/bin/python
# Python 2.7 (the /usr/bin/python that ships with macOS 10.13): readPlistFromString,
# writePlistToString and plistlib.Data are the Python 2 plistlib API.

import plistlib
import sqlite3

# The pinning database lives under /Library/Keychains, so this must run as root.
# Back the file up before changing it.
DB_PATH = '/Library/Keychains/pinningrules.sqlite3'

conn = sqlite3.connect(DB_PATH)
conn.row_factory = sqlite3.Row
cursor = conn.cursor()

# The rule for the IdMS (Apple ID sign-in) policy under apple.com. Its 'policies'
# column is a plist: an array of dictionaries, one of which carries AnchorSHA256.
cursor.execute("select policies from rules where policyName='IdMS' and domainSuffix='apple.com'")
row = cursor.fetchone()
if row is None:
    raise SystemExit('no IdMS/apple.com rule found in %s' % DB_PATH)

plist = plistlib.readPlistFromString(row['policies'])
for p in plist:
    if 'AnchorSHA256' in p:
        # Replace the anchor list with the raw 32-byte SHA-256 digests taken from
        # a known-good 10.13.6 install.
        p['AnchorSHA256'] = [
            plistlib.Data('\xff\x85j-%\x1d\xcd\x88\xd3fV\xf4P\x12g\x98\xcf\xab\xaa\xde@y\x9cr-\xe4\xd2\xb5\xdb6\xa7:'),
            plistlib.Data('\x16\xafW\xa9\xf6v\xb0\xab\x12`\x95\xaa^\xba\xde\xf2*\xb3\x11\x19\xd6D\xac\x95\xcdK\x93\xdb\xf3\xf2j\xeb'),
            plistlib.Data('1\xadfH\xf8\x10A8\xc78\xf3\x9e\xa42\x0139>:\x18\xcc\x02)n\xf9|*\xc9\xefg1\xd0'),
            plistlib.Data('^\xdbz\xc4;\x82\xa0j\x87a\xe8\xd7\xbeIy\xeb\xf2a\x1f}\xd7\x9b\xf9\x1c\x1ckVj!\x9e\xd7f'),
            plistlib.Data("\xcb<\xcb\xb7`1\xe5\xe0\x13\x8f\x8d\xd3\x9a#\xf9\xdeG\xff\xc3^C\xc1\x14L\xea'\xd4jZ\xb1\xcb_"),
            plistlib.Data("\xd7\xa7\xa0\xfb]~'1\xd7q\xe9HN\xbc\xde\xf7\x1d_\x0c>\n)Hx+\xc8>\xe0\xeai\x9e\xf4"),
            plistlib.Data('\x17\x93\x92z\x06\x14T\x97\x89\xad\xce/\x8f4\xf7\xf0\xb6m\x0f:\xe3\xa3\xb8M!\xec\x15\xdb\xbaO\xad\xc7'),
            plistlib.Data('\xe7\x93\xc9\xb0/\xd8\xaa\x13\xe2\x1c1"\x8a\xcc\xb0\x81\x19d;t\x9c\x89\x89d\xb1tmF\xc3\xd4\xcb\xd2')
        ]

# Write the modified plist back to the same rule.
cursor.execute("update rules set policies = ? where policyName='IdMS' and domainSuffix='apple.com'", [plistlib.writePlistToString(plist)])
conn.commit()
conn.close()

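The diagnostic step in this answer, comparing the installed pinning rules against a known-good copy, can be done without writing to the database at all. The script below is an added example, not code from the thread or from Apple. It assumes only what the posted repair script reveals about pinningrules.sqlite3: a `rules` table with `policyName`, `domainSuffix` and `policies` columns, where `policies` is a plist array of dictionaries and one of them holds an `AnchorSHA256` array of 32-byte digests. It runs under Python 3 against an in-memory stand-in built from constructed data; point `compare_pins` at a connection to the real file (read-only, no root needed for a copy) to audit an actual machine.

```python
#!/usr/bin/env python3
"""Read-only audit of the AnchorSHA256 entries in a pinningrules.sqlite3 rule.

Added example (not the thread's script). Schema assumptions: table `rules`
with columns policyName, domainSuffix, policies; `policies` is a plist blob
holding an array of dicts, one of which carries `AnchorSHA256`.
"""
import hashlib
import plistlib
import sqlite3

PINNING_DB = "/Library/Keychains/pinningrules.sqlite3"  # path named in the thread


def anchor_hashes(policies_blob):
    """Return the set of AnchorSHA256 digests (lower-case hex) in a policies plist."""
    found = set()
    for policy in plistlib.loads(policies_blob):
        for digest in policy.get("AnchorSHA256", []):
            found.add(bytes(digest).hex())
    return found


def load_rule_hashes(conn, policy_name, domain_suffix):
    """Select the rule the same way the repair script does and extract its anchors.

    Returns None when no such rule exists (the repair script would crash here).
    """
    cur = conn.execute(
        "select policies from rules where policyName=? and domainSuffix=?",
        (policy_name, domain_suffix),
    )
    row = cur.fetchone()
    if row is None:
        return None
    return anchor_hashes(row[0])


def compare_pins(conn, reference_hex, policy_name="IdMS", domain_suffix="apple.com"):
    """Diff installed anchors against a known-good list.

    Returns (missing, extra): digests the reference lists but the DB lacks,
    and digests in the DB that the reference does not list.  A non-empty
    `missing` is the condition the thread's "pinning mismatch" came down to.
    """
    installed = load_rule_hashes(conn, policy_name, domain_suffix)
    if installed is None:
        raise LookupError("no rule for %s/%s" % (policy_name, domain_suffix))
    reference = {h.lower() for h in reference_hex}
    return sorted(reference - installed), sorted(installed - reference)


# --- constructed sample data: placeholder digests, not real Apple anchors ----
def fake_anchor(label):
    """Deterministic 32-byte stand-in for a root CA anchor digest."""
    return hashlib.sha256(label.encode()).digest()


REFERENCE_ANCHORS = [fake_anchor("root-A").hex(),
                     fake_anchor("root-B").hex(),
                     fake_anchor("root-C").hex()]


def build_sample_db():
    """In-memory stand-in for pinningrules.sqlite3 whose IdMS rule lacks one anchor."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table rules (policyName text, domainSuffix text, policies blob)")
    # Same shape the repair script walks: an array of dicts, one with AnchorSHA256.
    # "root-C" is deliberately left out to simulate the thread's broken database.
    policies = plistlib.dumps([
        {},
        {"AnchorSHA256": [fake_anchor("root-A"), fake_anchor("root-B")]},
    ])
    conn.execute("insert into rules values (?, ?, ?)", ("IdMS", "apple.com", policies))
    conn.commit()
    return conn


if __name__ == "__main__":
    missing, extra = compare_pins(build_sample_db(), REFERENCE_ANCHORS)
    print("missing anchors:", missing)      # one digest: the constructed root-C
    print("unexpected anchors:", extra)     # none
```

Against a real machine, replace `build_sample_db()` with `sqlite3.connect("file:" + PINNING_DB + "?mode=ro", uri=True)` and fill `REFERENCE_ANCHORS` with the hex digests exported from a working install by the same `anchor_hashes` function; the script never modifies the database, so it is safe to run before deciding whether the repair is needed.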



22 replies



May 25, 2020 9:18 AM in response to Scott Bernard

First, backup your mac, just in case anything goes sideways.


Then do this:

  1. open terminal
  2. type sudo su -
  3. Enter your password
  4. type vi repair-icloud-safari.py to create the file.
  5. press the i key
  6. copy and paste the entire script from this post starting with the '#!/usr/bin/python' into your terminal window.
  7. press the ESC key
  8. press the : key
  9. type wq and press RETURN to save the file and exit the editor. You should be back at the ~root#: prompt.
  10. type the following after the root# prompt: python repair-icloud-safari.py and press RETURN
  11. type exit


Cheers!


May 25, 2020 1:22 PM in response to Locomotivation

Here is what I think worked:

  1. open terminal
  2. type sudo su - *then press enter*
  3. Enter your password *then press enter*
  4. type vi repair-icloud-safari.py to create the file. *then press enter* **found previous attempt at same file, hit D to delete**
  5. type i *then press enter*
  6. copy and paste the entire script from this post starting with the '#!/usr/bin/python' into your terminal window. *then press enter*
  7. hit the ESC key
  8. type :wq *then press enter*
  9. You should be back at the ~root#: prompt. *yes*
  10. type the following after the root# prompt: python repair-icloud-safari.py *then press enter*
  11. type exit *then press enter*


Now how do I test it?

Note: I already had the "AppleISTCA2G1.cer" fix installed before I found this solution.


May 25, 2020 11:46 PM in response to BDAqua

Well, this <see image> just started happening... I swear it wasn't there when I began.


It happens in both Safari and Firefox, despite all Apple service sign-ons now working fine. It also happens with both fixes.


The focus area of the page appears fine, but sometimes scrolling up seems to "catch" and pull back to the focus area. I -AM- already logged into discussions fine, and it shows this at the same time.


Mar 25, 2020 4:40 AM in response to tpat17

Yeah, I agree with you that this is a workaround.

Maybe the fix could help Apple engineers understand where the root of the problem is:

Why did some installations of High Sierra lose the certificate? (Before you wrote the following quote, I thought it was every High Sierra install)


tpat17 wrote:
I have 2 other installs running the same version of macOS High Sierra and this is not needed.


I hope this could help them find a permanent solution to the problem, but meanwhile it's better than nothing 🙄

Mar 25, 2020 12:08 PM in response to Taro-71

I agree that adding the intermediate cert is better than nothing.


I've been looking into this some more and it looks like this might be a certificate pinning issue. After downloading the cert from idmsa.apple.com, I ran the following against it:


security verify-cert -c idmsa_cert.cer -p ssl -C -s idmsa.apple.com


This results in the following error:


Cert Verify Result: Certificate authority pinning mismatch


Running the same command on another working macOS 10.13.6 Mac results in the following:


...certificate verification successful.


Wondering if you have the same results?
