Keychain Access hangs after update to 10.7.2. Any help?

I recently updated to OSX 10.7.2 and can no longer open the Keychain Access app. It hangs on startup. A side effect of this is that I can no longer access my department's WPA Enterprise network as network preferences cannot access the certificates stored in the keychain.


Please help!

MacBook Pro, Mac OS X (10.7.2)

Posted on Oct 14, 2011 3:15 AM

17 replies
Question marked as Best reply

Oct 14, 2011 8:05 AM in response to icecreamhead

I work at a university and have heard from two students who appear to be experiencing the same issue: attempts to start Keychain Access cause it to hang before it displays the window (ye olde spinning rainbow wheel) and the attempts to connect to our WPA Enterprise network 802.1x result in a similar hang after they're prompted to enter their 802.1x credentials. Interestingly, we also have an open guest network which redirects users to an https splash page...the students can connect to this network and even ping outside, but the splash page never comes up in either Safari or Firefox. (Firefox eventually returns an error to the effect that "the connection has been interrupted.")


Hope this additional information helps anyone who might have an idea of how to resolve this.

Oct 15, 2011 1:48 AM in response to garrickfromdallas

Yeah this is the exact behaviour I'm experiencing.


I've been on the phone to Apple who talked me through a number of procedures that may have worked in some cases but did not work for me.


* See if Keychain Access will open from a new admin user account

* Hold shift, ctrl, alt & cmd when powering on the mac (absolutely nothing happened at all. No powerup)

* Hold alt, cmd, p and r keys when powering on the mac. Mac restarts after initial chimes. Allow to start up and check again.

* Hold alt key on startup, boot into recovery partition, verify hard drive then repair file permissions. This also didn't help me.


I ran out of time at this point, but I think I'm going to have to do a reinstall. I'm calling again now and will update with the result.

Oct 16, 2011 9:08 PM in response to icecreamhead

I have experienced verbatim the same issues as everyone above, down to its destruction of my access to an 802.1X system. I have been able to pinpoint how to replicate the problem. For me, I have access to a secure ethernet network through my university residential network. This requires a log in every 5 hours with my university credentials. After a log in, Safari will operate normally until the certificate has expired. Afterwards Safari becomes unresponsive and will not load pages or allow me to access the splash screen to relog into my university network. Keychain Access becomes unresponsive, as does the installer for some DMGs.


A disk repair from the recovery partition only solves this issue for a time. I am also not able to do a reinstall from the recovery partition for some strange reason. It tells me to contact AppleCare which is never a good sign.

Oct 16, 2011 9:09 PM in response to garrickfromdallas

Hi garrickfromdallas,


We have the same problem where I am.

Apparently Apple's latest security patches embedded in 10.7.2 prevent Captive Portal Hijacking.


For example

https://www.infosecisland.com/blogview/17396-Apple-OS-X-Lion-Security-Captive-Portal-Hijacking-Attack.html


I could not get Firefox 7.0.1 to work, but Opera 11.51 does notice the redirect but allows it!


There may be a setting in Keychain Access you can change to make it work, but I can't launch Keychain Access at the moment!

Oct 17, 2011 12:18 PM in response to icecreamhead

I'm seeing the same behavior. It started out with Adium freezing on startup; I looked at the crash report and it was crashing while trying to load something from the keychain, but Keychain Access also froze on startup. I went into ~/Library/Keychains and renamed login.keychain, at which point I was able to open Keychain Access and create a replacement login keychain. Unfortunately there isn't an earlier version of the file in the local Time Machine mirror.


The stack trace looks very similar to the one here, btw: https://discussions.apple.com/thread/3135259


At this point I'm running with a new keychain, so I lost all the old passwords that used to be stored there, but at least my computer is working. I just upgraded to 10.7.2 yesterday so it seems plausible that it's related to that. I'm not sure if there's any way to repair the old keychain though since I can't even open it in Keychain Access to try to use the repair facility there.

Oct 21, 2011 9:00 AM in response to icecreamhead

I am having the same issues. It only appears when I sign in to our guest wireless at work which uses a captive portal system. I am guessing at this point something happens to hang up keychain which kills me trying to view SSL sites in any browser (I have not tried Opera yet). Even if I disconnect and connect to a diff wireless, reboot, etc, the issue persists. When this happened the other day for the first time I just closed my Mac and when I came back to it a couple hours later it was working fine. Anyone gotten anything official from Apple about it?

Oct 23, 2011 9:51 AM in response to icecreamhead

Ok I have a potential solution.


I was having this same problem, my university network (through ethernet) wasn't connecting, and nor was my home wifi network. Attempting to open keychain access only resulted in the spinning wheel.


I'm afraid my solution involved getting Keychain Access open. On one occasion it opened after a restart on my first attempt to open it, the second time I managed to get it open I had no browsers open but was using Excel 08 (after trying a few minutes earlier to open it with no success). Basically keep trying until you can get it open, you ought to eventually strike.


Once you have it open, go to preferences. Click the 'certificates' tab. Turn off OCSP and CRL.


Now try connecting to the internet, as this resolved the issue for me. Hope it works for you too.


PS Can someone explain the dangers of having both OCSP and CRL set to off? It is surely a security risk and therefore only a temporary fix to get you to highly trusted sites.


PPS Turning off OCSP and CRL through the terminal may be possible, bypassing the tedium of getting keychain access open. Can someone offer instructions for everyone?

Oct 24, 2011 7:57 PM in response to tom4hawk

Hello,

We are finding the same solution seems to work for the time being with our systems at the University I work at.

However, it is not ideal because it stops the Keychain from checking whether or not a certificate has been expired or revoked. The two settings, OCSP and CRL, are both methods to make sure a certificate is still valid and should be trusted by checking up the chain to the issuer. If the issuer is on the internet and you are stuck in a captive portal then how can you check? I think Lion is getting into a catch-22 here.


You can set these values in the command line using the following:


To set the CRL settings:

defaults write com.apple.security.revocation CRLStyle -string OFF

To set the OCSP settings:

defaults write com.apple.security.revocation OCSPStyle -string OFF

The next time my test machine beachballs while trying to launch Keychain access, I am going to try this as a quick workaround myself. We are seeing a continual stream of students coming into our HelpDesk with this problem and the fixes above only work for a short period of time. Then it all breaks again.

I have our network security people looking into allowing the certificate checks for our systems to go even from the captive portal. I will report back any success or failure as a workaround for this method.

Having to set machines to not check for revocation of certificates seems like one more step closer to just throwing out the whole trusted certificate idea as a usable security method.

Oct 26, 2011 12:44 PM in response to icecreamhead

Okay I have found out some more info.

If you are using a captive portal to get to the internet it breaks because it cannot check for the certificate revocation. If you turn off the checks that seems to work but that is a bad idea.

What needs to be done at the portal is to make exceptions in the firewall to allow the machines to get out to whatever CRL and OCSP sites needed to verify the status or revocation of the certificates being handed out by the portal itself. If it blocks these attempts, Lion thinks it is a hijack and will not go on the net.

What I see happening is after this, a certificate shows up in the login keychain called "unknown". Then the keychain app stops working. When you launch it you get the beachball.

Once I had our wireless networking admin add in the exceptions for our portals' certificate status (they can find them in the certificates themselves), then everything seems to work. You will of course have to go through the whole reboot to recovery mode and fix drive and permissions to get the Keychain Access back and delete the unknown cert.

Once that is done AND the firewall allows OCSP and CRL checks then it all seems to work as designed.

Once that is done and things work as they should remember to make sure you turn on OCSP and CRL checks. They are there for a very good reason.

By the way in my previous post I was going to try turning them off at the command line when the keychain would not load to see if it would help?

It didn't. The settings were set correctly to off but once the keychain is pooched, that's it. You can connect securely to anything.

Anyone else have anything to add? Has anyone tried the same thing with the portal firewall?

Success? Failure?

So far this has worked throughout the day. I will report back if it continues to work.
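
The post above says the OCSP and CRL locations to allow through the portal can be read from the certificates themselves. As an added example (not part of the original thread), this shell function pulls them out of `openssl x509 -noout -text` output; the function names, the constructed sample text and the `example.test` hosts are assumptions for illustration.

```shell
#!/bin/sh
# Reads `openssl x509 -noout -text` output on stdin and prints one
# "kind host port url" line per revocation endpoint found in the certificate.
revocation_endpoints() {
  awk '
    function emit(kind, line,   url, scheme, rest, host, port) {
      url = line; sub(/^.*URI:/, "", url); sub(/[ \t\r]+$/, "", url)
      scheme = url; sub(/:\/\/.*$/, "", scheme)
      rest = url; sub(/^[a-z]+:\/\//, "", rest); sub(/\/.*$/, "", rest)
      host = rest
      port = (scheme == "https") ? 443 : (scheme == "ldap") ? 389 : 80
      if (rest ~ /:[0-9]+$/) {              # explicit port in the URL wins
        port = rest; sub(/^.*:/, "", port); sub(/:[0-9]+$/, "", host)
      }
      print kind, host, port, url
    }
    /Authority Information Access:/ { section = "aia"; next }
    /CRL Distribution Points:/      { section = "crl"; next }
    # Any other extension header, or the signature block, ends the section.
    /X509v3 [A-Za-z ]+:/ || /Signature Algorithm:/ { section = ""; next }
    section == "aia" && /OCSP - URI:/ { emit("ocsp", $0) }
    section == "crl" && /URI:/        { emit("crl", $0) }
  '
}

# Unique host:port pairs the portal must let through before login.
allowlist_hosts() {
  revocation_endpoints | awk '{ print $2 ":" $3 }' | sort -u
}

# Constructed sample of the relevant part of the text dump (not a real certificate).
sample_cert_text() {
cat <<'EOF'
            X509v3 Subject Alternative Name:
                DNS:portal.example.test, URI:https://portal.example.test/
            Authority Information Access:
                OCSP - URI:http://ocsp.example.test:8080/
                CA Issuers - URI:http://crt.example.test/ca.crt
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.test/ca.crl
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

sample_cert_text | allowlist_hosts
```

For a real portal certificate, pipe `openssl x509 -in portal.pem -noout -text` into `allowlist_hosts` and repeat for each intermediate in the chain, since each certificate names its own issuer's endpoints.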

Oct 27, 2011 1:51 AM in response to Bruce Stewart

We have just resolved the connection issue in our campus by allowing pass through access to our certificate provider's OCSP and CRL servers in the wifi network's captive portal settings.


It worked for our Lion 10.7.2 test machine after a restart. KeyChain access also worked after the restart, previously we had the spinning beach ball.


We will get more affected users to test and confirm that the solution works.

Jan 1, 2012 11:59 PM in response to Bruce Stewart

I have been having problems getting on my work wifi for months and finally re-installed Lion from scratch. That finally led me to the Keychain Access being the culprit, as now it wouldn't open at all. After finding this discussion I tried several things to get Keychain Access to load but it kept locking up until I went into the System Preferences, selected Wi-Fi, unchecked the "Ask to join new networks" box, then clicked Advanced, and then removed the work network and un-checked the "Remember networks this computer has joined" box. Rebooted and then since it was not trying to join a network it wasn't having a certificate problem. I was able to open Keychain Access and run the repair. No errors were found. I turned off the CRL and OCSP checking and then exited Keychain. Opened Safari and the login page opened just fine. I am so relieved that I can now go back and re-install from my Time Machine backup. Thanks for the solution.

Jan 6, 2012 2:31 AM in response to icecreamhead

I had the same problems on my MacBook Air with Lion 10.7. For some unknown reasons the Keychain Access froze every time I ran it.


The following solution worked for me:


- open terminal


cd ~/Library/Keychains


mv login.keychain _login.keychain_ (this is just renaming the login.keychain file)


- log out and login


The Keychain Access application should start normally now. Hope it helps!
