Unable to establish secure connection to idmsa.apple.com

Here is my basic problem: I can no longer establish a secure connection to idmsa.apple.com with any app that uses ATS (App Transport Security) like Safari, nscurl, etc.


When trying to log in to any Apple site, like these communities, using Safari, it says “can’t establish a secure connection to the server”. However, using other browsers (Firefox) I can successfully log in to Apple sites but I presume Firefox is not using ATS like Safari.


I am running macOS 10.13.6 with all the latest updates. I thought maybe it was an issue with my account, but the problem persists in a freshly created account.


Trying to run nscurl using ATS diagnostics results in all failures (partial output below). At this point, idmsa.apple.com is the only URL that fails for me.


================================================================================


Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
2020-03-23 20:00:33.554 nscurl[8037:2234736] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7f88536319c0>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
    "<cert(0x7f8853827000) s: idmsa.apple.com i: Apple IST CA 2 - G1>",
    "<cert(0x7f885381bc00) s: Apple IST CA 2 - G1 i: Baltimore CyberTrust Root>"
), NSUnderlyingError=0x7f8853411fe0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7f88536319c0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7f8853827000) s: idmsa.apple.com i: Apple IST CA 2 - G1>",
    "<cert(0x7f885381bc00) s: Apple IST CA 2 - G1 i: Baltimore CyberTrust Root>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://idmsa.apple.com/, NSErrorFailingURLStringKey=https://idmsa.apple.com/, NSErrorClientCertificateStateKey=0}
---


================================================================================


Any ideas what could be causing this?

Posted on Mar 24, 2020 4:05 PM

Question marked as Top-ranking reply

Posted on Mar 25, 2020 2:32 PM

It ended up being the pinning rules found in /Library/Keychains/pinningrules.sqlite3


Comparing this sqlite3 db to a known good one revealed a bunch of missing root CA hashes for idmsa.apple.com. Not sure why these would have been missing (bad update?).


Regardless, I fixed it with the Python script below. I would make a backup of the pinningrules.sqlite3 db first though.


```python
#!/usr/bin/python
# Written for the system Python 2.7 on macOS 10.13: plistlib.readPlistFromString,
# writePlistToString and plistlib.Data are the Python 2 plistlib API.

import plistlib
import sqlite3

# The rules table stores each policy's settings as a plist blob in the
# 'policies' column, keyed by policyName and domainSuffix.
conn = sqlite3.connect('/Library/Keychains/pinningrules.sqlite3')
conn.row_factory = sqlite3.Row
cursor = conn.cursor()
cursor.execute("select policies from rules where policyName='IdMS' and domainSuffix='apple.com'")
row = cursor.fetchone()
plist = plistlib.readPlistFromString(row['policies'])

# The plist is an array of dicts; the one carrying 'AnchorSHA256' lists the
# SHA-256 hashes of the anchor certificates trusted for this policy.
for p in plist:
    if 'AnchorSHA256' in p:
        p['AnchorSHA256'] = [
            plistlib.Data('\xff\x85j-%\x1d\xcd\x88\xd3fV\xf4P\x12g\x98\xcf\xab\xaa\xde@y\x9cr-\xe4\xd2\xb5\xdb6\xa7:'),
            plistlib.Data('\x16\xafW\xa9\xf6v\xb0\xab\x12`\x95\xaa^\xba\xde\xf2*\xb3\x11\x19\xd6D\xac\x95\xcdK\x93\xdb\xf3\xf2j\xeb'),
            plistlib.Data('1\xadfH\xf8\x10A8\xc78\xf3\x9e\xa42\x0139>:\x18\xcc\x02)n\xf9|*\xc9\xefg1\xd0'),
            plistlib.Data('^\xdbz\xc4;\x82\xa0j\x87a\xe8\xd7\xbeIy\xeb\xf2a\x1f}\xd7\x9b\xf9\x1c\x1ckVj!\x9e\xd7f'),
            plistlib.Data("\xcb<\xcb\xb7`1\xe5\xe0\x13\x8f\x8d\xd3\x9a#\xf9\xdeG\xff\xc3^C\xc1\x14L\xea'\xd4jZ\xb1\xcb_"),
            plistlib.Data("\xd7\xa7\xa0\xfb]~'1\xd7q\xe9HN\xbc\xde\xf7\x1d_\x0c>\n)Hx+\xc8>\xe0\xeai\x9e\xf4"),
            plistlib.Data('\x17\x93\x92z\x06\x14T\x97\x89\xad\xce/\x8f4\xf7\xf0\xb6m\x0f:\xe3\xa3\xb8M!\xec\x15\xdb\xbaO\xad\xc7'),
            plistlib.Data('\xe7\x93\xc9\xb0/\xd8\xaa\x13\xe2\x1c1"\x8a\xcc\xb0\x81\x19d;t\x9c\x89\x89d\xb1tmF\xc3\xd4\xcb\xd2')
        ]

# Write the repaired plist back to the same row.
cursor.execute("update rules set policies = ? where policyName='IdMS' and domainSuffix='apple.com'", [plistlib.writePlistToString(plist)])
conn.commit()
```
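The diagnosis above was a comparison of the suspect pinningrules.sqlite3 against a known-good copy. The following is an added read-only example (not the poster's script) that performs that comparison in Python 3: it reads the AnchorSHA256 set for a given policyName/domainSuffix from each database and reports the hashes the suspect copy lacks. It assumes only the three columns the thread's query touches, and the two in-memory databases and their digests are constructed placeholders, not real Apple anchor hashes.

```python
"""Diff the AnchorSHA256 pin sets of two pinningrules.sqlite3-style files."""
import plistlib
import sqlite3

# Assumed schema: just the columns the thread's SQL references.
SCHEMA = "CREATE TABLE rules (policyName TEXT, domainSuffix TEXT, policies BLOB)"


def load_pins(conn, policy_name, domain_suffix):
    """Return the set of AnchorSHA256 digests (hex) stored for one pinning rule."""
    cur = conn.execute(
        "SELECT policies FROM rules WHERE policyName=? AND domainSuffix=?",
        (policy_name, domain_suffix),
    )
    row = cur.fetchone()
    if row is None:
        return set()
    pins = set()
    for entry in plistlib.loads(row[0]):      # policies is a plist array of dicts
        for digest in entry.get("AnchorSHA256", []):
            pins.add(digest.hex())
    return pins


def missing_pins(good_conn, suspect_conn, policy_name="IdMS", domain_suffix="apple.com"):
    """Digests present in the known-good rule but absent from the suspect one."""
    return sorted(load_pins(good_conn, policy_name, domain_suffix)
                  - load_pins(suspect_conn, policy_name, domain_suffix))


def make_db(anchor_hashes):
    """Build an in-memory database holding one IdMS rule (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    policies = [{"AnchorSHA256": list(anchor_hashes)}]
    conn.execute("INSERT INTO rules VALUES (?, ?, ?)",
                 ("IdMS", "apple.com", plistlib.dumps(policies)))
    conn.commit()
    return conn


# Constructed placeholder digests (32 bytes each), not real anchor hashes.
GOOD = make_db([bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32])
SUSPECT = make_db([bytes([1]) * 32])

if __name__ == "__main__":
    for h in missing_pins(GOOD, SUSPECT):
        print("missing anchor:", h)
```

To run it against real files, open them read-only with `sqlite3.connect("file:/path/to/pinningrules.sqlite3?mode=ro", uri=True)` and pass both connections to `missing_pins`.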



22 replies

May 25, 2020 1:22 PM in response to Locomotivation

Here is what I think worked:

  1. open terminal
  2. type sudo su - *then press enter*
  3. Enter your password *then press enter*
  4. type vi repair-icloud-safari.py to create the file. *then press enter* **found previous attempt at same file, hit D to delete**
  5. type i *then press enter*
  6. copy and paste the entire script from this post starting with the '#!/usr/bin/python' into your terminal window. *then press enter*
  7. hit the ESC key
  8. type :wq *then press enter*
  9. You should be back at the ~root#: prompt. *yes*
  10. type the following after the root# prompt: python repair-icloud-safari.py *then press enter*
  11. type exit *then press enter*


Now how do I test it?

Note: I already had the "AppleISTCA2G1.cer" fix installed before I found this solution.

