Related article: About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004


Question: app store unavailable following security update 2015-004 (Mavericks)

Just installed Security Update 2015-004 (for Mavericks, being on 10.9.5).

When restarted, the Mac came up with the App Store (as usual, apparently looking for further updates).

Problem: the window stays blank, just showing the greyish App Store icon. Even when changing to other categories (Featured, Top Charts, ...).

Tried to fool around, pressed Command-? (to get to App Store help). Result:

"Help Center can't verify the identity of the server "help.apple.com"" (and showing all the certificate readings).

Apple forgot that some certificates are 'bad'?

Here, already the top level certificate is not trusted (VeriSign Class 3 Public Primary Certification Authority - G5). Is this normal - just ignore (aka, check-mark the Always trust)???



Question marked as Helpful

Apr 9, 2015 2:00 PM in response to jorgfromFra

This could be a complicated problem to solve, as there are several possible causes for it.

Back up all data, then take each of the following steps that you haven't already taken. Stop when the problem is resolved.

Step 1

From the menu bar, select

 ▹ System Preferences... ▹ Date & Time

Select the Time Zone tab in the preference pane that opens and check that the time zone matches your location. Then select the Date & Time tab. Check that the date and time shown (including the year) are correct, and correct them if not.

Check the box marked

Set date and time automatically

if it's not already checked, and select one of the Apple time servers from the menu next to it.

Step 2

Start up in safe mode and log in to the account with the problem.


Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for further instructions.

Safe mode is much slower to start up and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal startup may also be somewhat slow.

The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.

If the problem is not reproducible in safe mode, then it's caused by third-party "anti-virus" or "security" software. If you know what that software is, remove it as directed by the developer after backing up all data. If you don't know what it is, ask for instructions.

Step 3


Triple-click anywhere in the line below on this page to select it:

/System/Library/Keychains/SystemCACertificates.keychain

Right-click or control-click the highlighted line and select

Services ▹ Show Info

from the contextual menu.* An Info dialog should open. The dialog should show "You can only read" in the Sharing & Permissions section.

Repeat with this line:

/System/Library/Keychains/SystemRootCertificates.keychain

If instead of the Info dialog, you get a message that either file can't be found, reinstall OS X.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. Open a TextEdit window and paste into it by pressing command-V. Select the line you just pasted and continue as above.

Step 4

Launch the Keychain Access application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

In the upper left corner of the window, you should see a list headed Keychains. If not, click the button in the lower left corner that looks like a triangle inside a square.

In the Keychains list, there should be items named System and System Roots. If not, select

File ▹ Add Keychain

from the menu bar and add the following items:

/Library/Keychains/System.keychain

/System/Library/Keychains/SystemRootCertificates.keychain

Open the View menu in the menu bar. If one of the items in the menu is

Show Expired Certificates

select it. Otherwise it will show

Hide Expired Certificates

which is what you want.

From the Category list in the lower left corner of the window, select Certificates. Look carefully at the list of certificates in the right side of the window. If any of them has a blue-and-white plus sign or a red "X" in the icon, double-click it. An inspection window will open. Click the disclosure triangle labeled Trust to disclose the trust settings for the certificate. From the menu labeled

Secure Sockets Layer (SSL)

select

no value specified

Close the inspection window. You'll be prompted for your administrator password to update the settings.

Now open the same inspection window again, and select

When using this certificate: Use System Defaults

Save the change in the same way as before.

Revert all the certificates with non-default trust settings. Never again change any of those settings.

Step 5

Select My Certificates from the Category list. From the list of certificates shown, delete any that are marked with a red X as expired or invalid.

Export all remaining certificates, delete them from the keychain, and reimport. For instructions, select

Help ▹ Keychain Access Help

from the menu bar and search for the term "export" in the help window. Export each certificate as an individual file; don't combine them into one big file.

Step 6

From the menu bar, select

Keychain Access ▹ Preferences... ▹ Certificates

There are three menus in the window. Change the selection in the top two to Best attempt, and in the bottom one to CRL.

Step 7

Triple-click anywhere in the line of text below on this page to select it:

/var/db/crls

Copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder named "crls" should open. Move all the files in that folder to the Trash. You’ll be prompted for your administrator login password.

Restart the computer, empty the Trash, and test.

Step 8

Triple-click anywhere in the line below on this page to select it:

open -e /etc/hosts

Copy the selected text to the Clipboard by pressing the key combination command-C.

Launch the built-in Terminal application in the same way you launched Keychain Access.

Paste into the Terminal window by pressing command-V. I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting. A TextEdit window should open. At the top of the window, you should see this:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost

If that's not what you see, post the contents of the window.

Apr 9, 2015 2:00 PM

Reply Helpful (5)
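Added example (Python; not code from Linc Davis's post or from Apple): a small hosts(5) parser that performs the Step 8 check mechanically instead of by eye. It treats the stock names (localhost, broadcasthost) bound to loopback, link-local or broadcast addresses as expected, so the extra fe80::1%lo0 line that posters report further down the thread is not flagged, and it reports every other entry, including lines whose address does not parse. The sample file contents, the hostname update.example.test and all function names are constructed for this demo.

```python
import ipaddress

# Constructed sample: the /etc/hosts contents the posters reported, including the
# extra "fe80::1%lo0 localhost" line that was not in Linc Davis's listing.
SAMPLE_HOSTS = """\
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
"""

# Hostnames the stock file binds; anything else deserves a look.
STOCK_NAMES = {"localhost", "broadcasthost"}


def parse_hosts(text):
    """Parse hosts(5) text into (address, zone, hostnames) tuples.

    Comments and blank lines are skipped. An IPv6 zone index such as the "%lo0"
    in "fe80::1%lo0" is split off before parsing so the check does not depend on
    the Python version's scope-id support. Lines whose address does not parse are
    kept with address None so they are reported rather than silently dropped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and trailing comments
        if not line:
            continue
        field, *names = line.split()
        addr_text, _, zone = field.partition("%")
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            addr = None
        entries.append((addr, zone, names))
    return entries


def is_stock_mapping(addr, names):
    """True for the entries Step 8 expects: stock names on loopback, link-local or broadcast."""
    if addr is None or not names or not set(names) <= STOCK_NAMES:
        return False
    return addr.is_loopback or addr.is_link_local or str(addr) == "255.255.255.255"


def audit_hosts(text):
    """Return (address, hostnames) for every entry that is not a stock mapping.

    An empty list means the file matches what Linc asked posters to confirm.
    """
    findings = []
    for addr, zone, names in parse_hosts(text):
        if not is_stock_mapping(addr, names):
            shown = "<unparseable>" if addr is None else str(addr) + ("%" + zone if zone else "")
            findings.append((shown, names))
    return findings


if __name__ == "__main__":
    findings = audit_hosts(SAMPLE_HOSTS)
    print("no non-stock entries" if not findings else findings)
```

On a real machine, read /etc/hosts and pass its text to audit_hosts; any entry it returns is one to compare against what the thread shows, since a hosts entry that overrides a hostname bypasses DNS for every program on the system.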

Apr 9, 2015 11:51 AM in response to Linc Davis

Same symptoms as OP, occurring after installing Security Update 2015-004 for Mavericks. None of the above steps worked; I had no certificates with the blue icon in my keychain.


My /etc/hosts has:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost


so one extra line from your post.


I could attempt to upgrade to Yosemite from a USB boot installer I have, but I wonder if that will fix this problem.

Apr 9, 2015 11:51 AM

Reply Helpful
Question marked as Solved

Apr 9, 2015 1:31 PM in response to jorgfromFra

I solved this problem by deleting all VeriSign certificates in my login keychain.

I did not touch any certificates in the System Roots keychain.


I exported the 4 certs there first of course, but App Store and iTunes connected and work properly without them in my login keychain.


Good luck,

Ohmi

Apr 9, 2015 1:31 PM

Reply Helpful (25)

Apr 9, 2015 1:47 PM in response to ohmiap

Well, I also went through all the steps from Linc - no resolution to the problem.


[BTW, many thanks to Linc for always being helpful, have seen your posts many, many times!!!]


Apart from App Store (the least important for me), many pages I use in Safari are https - and on almost every site now I get that the certificate is deemed no good ... Firefox, though, is apparently unaffected.


I also get the same output from /etc/hosts, with one line more than what Linc expected (?):

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost


Now, my impression (as someone not too involved in all these security/certificate things) is that somehow the Security Update must have messed with one important certificate; that one is always 'complained' about. I'll attach a picture of the App Store Help window that reports this.


It's always this one: VeriSign Class 3 Public Primary Certification Authority - G5

The strange thing to me is that in the Keychain.app, checking the certificates, there's one with the same name, but valid (no blue-and-white plus sign or red "X"). Yet here in this App Store Help menu, it comes up with the red "X".


BTW, to Linc: what to do with the Keychain.app preference change to CRL? Before, it was OCSP. And what to do with the files that were trashed from /var/db/crls? Should I revert all of this?


[Attached screenshot: App Store Help window reporting the certificate warning]

Apr 9, 2015 1:47 PM

Reply Helpful (1)

Apr 9, 2015 1:59 PM in response to ohmiap

hey ohmiap - That was it, solved. (Just wondering if the certs will appear missing for something else later ?)


I had just 2 VeriSign certificates under the Keychain.app (within login, under the Keychains menu).


Deleted them, quit Keychain.app, then started App Store.app and it just worked (unlike Apple's path of current SW development/QC ... )


Thanks to both of you !


jorg

Apr 9, 2015 1:59 PM

Reply Helpful (1)

Apr 9, 2015 4:02 PM in response to Linc Davis

True, deleting certificates, as in Step 5 of your instructions, was the thing to do (in your instructions: Select My Certificates from the Category list, ... delete any that are marked with a red X).

Only, under this category there was just one certificate (with a red "X"); I deleted that (something with .apple. in its name), however without any effect / resolution of the problem.

Thus I went further along your instructions, also making the changes in steps 6 and 7 (and that's why I ask whether to revert anything there; I've just seen that some files appeared again in /var/db/crls [but I had also reverted Preferences back to Certificates -> Priority -> OCSP; it was like that before]).


The problematic certificates to delete (VeriSign) were under: Keychain -> login, Category -> Certificates.


Many thanks for your and ohmia's help !


Cheers (so happy I can work again !),

jorg

Apr 9, 2015 4:02 PM

Reply Helpful

Apr 9, 2015 4:13 PM in response to jorgfromFra

I'm belaboring this point so that others who may find this thread won't be confused. In Step 5, you were to delete the invalid certificates first, then export and delete all remaining certificates in the default keychain.

Apr 9, 2015 4:13 PM

Reply Helpful (1)

Apr 11, 2015 4:33 AM in response to jorgfromFra

Thanks. I exported VeriSign Class 3 Public Primary Certification Authority - G5.cer from my Keychain login, and then deleted this certificate. I was able to access the App Store after this, and I was also able to start iTunes without getting the certificate error message.

Apr 11, 2015 4:33 AM

Reply Helpful

Apr 12, 2015 8:25 AM in response to dltd

Re: app store unavailable following security update 2015-004 (Mavericks)

Linc Davis, hi dltd,

I need your help. I have an iMac 21" with OS X version 10.9.5, 3.1 GHz Intel Core i7, 16 GB. I have the same problem as Ohmiap and Jorgfromfra. For 2 weeks the App Store has been messed up; I checked and tried every single question and answer in the forum community but still have not solved it. I read your post yesterday and did your steps 1-7 today, twice, but it is not yet solved. I have no idea how to export and delete VeriSign Class 3 Public Primary Certification Authority - G5. Thank you so much.

Apr 12, 2015 8:25 AM

Reply Helpful

Apr 12, 2015 10:41 AM in response to jorgfromFra

I can confirm the problem as well as the solution.


OS X 10.8.5. After installing Security Update 2015-004, I couldn't browse to any website using the root certificate "VeriSign Class 3 Public Primary Certification Authority - G5" without a security warning ("invalid certificate"). I'm using Chrome and Safari, both of which rely on the OS for the list of trusted root CAs.

I had such an entry in my Login certificates list; removing it resolved the conflict and solved the problem.


I can add to the discussion that while the certificates' names matched, their serial numbers didn't. The correct one (the updated one from Apple) starts with 18 DA, while the wrong one starts with 25 0C. Apple's release notes confirm that this update updated the certificate trust policy, and the correct serial number for the certificate.


I'm still wondering why many of us had this wrong(?) certificate in our Login Keychain. Had we all trusted a hacker's forged certificate at some point? I find it hard to believe (and also a bit scary); perhaps Linc would be able to offer a more reasonable explanation.


PS: Firefox is unaffected because unlike Chrome and Safari, it uses its own list of trusted CAs and not the OS's.


Taruna Utama: all you say about your problem is "App Store mess up" [sic]. How do you know it's the same problem described in this thread? My hunch is that it's not. A closer look at the Console logs would reveal more.


Apr 12, 2015 10:41 AM

Reply Helpful (3)
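Added example (Python; not code from the thread or from Apple) for two points raised in this discussion: Linc's Step 4/5 advice to inspect the certificates held in the login keychain, and the observation just above that the bad certificate carried the same name as the genuine VeriSign G5 root but a different serial number. The script contains a minimal DER reader that pulls subject, serial and SHA-256 fingerprint out of an X.509 certificate, and a check that flags login-keychain certificates shadowing a system root under the same subject name. So that it runs offline, the certificates are built in the script by a tiny DER encoder; only the leading serial bytes 18 DA and 25 0C come from the thread, and everything else (the remaining serial bytes, the second personal certificate, the validity dates, all helper names) is made up. The constructed certificates are unsigned and would never validate as real ones; they exist only to exercise the parser.

```python
import hashlib

# ---- minimal DER encoder, used only to build constructed sample certificates ----

def der_len(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(raw):
    # DER INTEGER is signed: a leading zero byte keeps a high-bit value positive.
    return tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF { OID 2.5.4.3 (commonName), PrintableString }
    atv = seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x13, cn.encode("ascii")))
    return seq(tlv(0x31, atv))

# sha256WithRSAEncryption AlgorithmIdentifier; stands in for every algorithm field below.
ALG = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), tlv(0x05, b""))

def sample_cert(cn, serial_hex):
    """Constructed, unsigned X.509 v3 certificate with the given subject CN and serial."""
    tbs = seq(
        tlv(0xA0, integer(b"\x02")),                                     # [0] version v3
        integer(bytes.fromhex(serial_hex)),                               # serialNumber
        ALG,                                                              # signature algorithm
        name(cn),                                                         # issuer (self-issued root)
        seq(tlv(0x17, b"150101000000Z"), tlv(0x17, b"360101000000Z")),   # validity (made up)
        name(cn),                                                         # subject
        seq(ALG, tlv(0x03, b"\x00")),                                     # subjectPublicKeyInfo stub
    )
    return seq(tbs, ALG, tlv(0x03, b"\x00"))                              # signatureValue stub

# ---- DER reader: just enough X.509 to pull out subject, serial and fingerprint ----

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def common_name(name_body):
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            oid, val = children(atv)
            if oid[1] == b"\x55\x04\x03":
                return val[1].decode("ascii")
    return None

def cert_identity(der):
    """Return (subject CN, serial as upper-case hex, SHA-256 fingerprint of the DER bytes)."""
    _, cert_body, _ = read_tlv(der, 0)
    _, tbs = children(cert_body)[0]
    fields = children(tbs)
    if fields[0][0] == 0xA0:                 # explicit version tag is optional
        fields = fields[1:]
    serial = fields[0][1].lstrip(b"\x00").hex().upper()
    return common_name(fields[4][1]), serial, hashlib.sha256(der).hexdigest()

def find_shadowing(login_ders, root_ders):
    """Login-keychain certs whose subject matches a system root but whose bytes do not.

    Returns (subject, login serial, root serial) triples: the same name with a
    different serial/fingerprint is exactly the condition this thread ran into.
    """
    roots = {cert_identity(d)[0]: cert_identity(d)[1:] for d in root_ders}
    findings = []
    for der in login_ders:
        subject, serial, fp = cert_identity(der)
        if subject in roots and roots[subject][1] != fp:
            findings.append((subject, serial, roots[subject][0]))
    return findings

# Constructed samples. Only the leading bytes 18 DA / 25 0C come from the thread;
# the rest of each serial is made up.
VERISIGN_G5 = "VeriSign Class 3 Public Primary Certification Authority - G5"
ROOT_DER = sample_cert(VERISIGN_G5, "18da000000000001")
STALE_LOGIN_DER = sample_cert(VERISIGN_G5, "250c000000000001")
OTHER_LOGIN_DER = sample_cert("Personal Test Certificate", "0102030405")

if __name__ == "__main__":
    for subject, login_serial, root_serial in find_shadowing([STALE_LOGIN_DER, OTHER_LOGIN_DER], [ROOT_DER]):
        print(f"login keychain shadows system root '{subject}': serial {login_serial} vs root {root_serial}")
```

To run the check on a real export, read each .cer file written by Keychain Access's Export option (described later in the thread) in binary mode and pass the byte strings to find_shadowing in place of the constructed samples. The design point is the one the poster makes: a subject name is not an identity, so the comparison keys on the fingerprint of the whole certificate and reports the serial only to tell the two apart.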

Apr 12, 2015 11:32 AM in response to Made Taruna Utama

Hi. From Keychain Access, select login in the Keychains area of the left sidebar. From the list of certificates displayed, right-click on the desired certificate, select the Export option, and then specify the destination location.


You can right click on the desired certificate, and then select the Delete option.

Apr 12, 2015 11:32 AM

Reply Helpful