comodo ssl certificates failing

Take a look at the 'COMODO RSA Certification Authority' certificate(s), which should be in your System Roots Keychain. Since your Mac(s) consider it invalid all the certificates below it in the chain will cease to be trusted.

For reference, on my OS X 10.10.3 system I have one such certificate that expires on 31 Dec 2029 at 23:59. Its trust setting is 'Use System Defaults'.

If that seems in order you could try Keychain first aid.

Next, look into Keychain preferences at the certificate tab. Are OCSP and/or CRL on? If so, does turning them off (as an experiment, there are security implications) 'fix' the issue?

C.

For extra insight:

1. Two versions of "COMODO RSA Certification Authority" exist. The first one is a self-signed root, but is not bundled in 10.10's System Roots by default. The other newer version is an intermediate that uses "AddTrust External CA Root" as the system root, and AddTrust is in the System Roots.

2. In my local reproduction of this issue, the "Use System Defaults" setting for the root-version of this comodo certificate in a login keychain does not actually mark the certificate as trusted. The drop down needs to be explicitly set to Trusted. You may notice that the icon has a red "X" when using the default, which turns to a blue "+" once it's explicitly trusted.

3. If you have the root version of the comodo certificate added to your login keychain (still unsure what would have added it), it will leverage that version over the version AddTrust chain actually sent by the server, even if the root version is not marked as trusted.

I can confirm that I'm still experiencing the same exact issues with El Capitan (10.11).

The weird thing is that MAIL app is the one that is failing. The same exact certiticate is used to secure a website and SAFARI does trust the certificate.

I have the same issue on my two 10.11.3 machines, iPad and iPhone both on 9.3.1. What's weird is that the problem occurs every now and then and only with the Mail applications.

Restarting Mail on all devices seems to temporarily solve the issue.

The answer to use Keychain First Aid is not very helpful. Keychain First Aid has been removed from El Capitan.

As with others, I'm having this problem with any website that uses Comodo certs. They show as invalid, even though the CA cert verifies in Keychain Access and is marked as valid.

I did manage to get the websites at least working, by deleting all the certs in the login folder of Keychain Access, but the certs are still marked as invalid in Chrome.

Chrome says the cert is signed by an unknown authority.

I also get the following error:

Certificate Error

There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).

We contacted Comodo about this and they said it was a bug in apple mail. Apple mail takes the root cert with the furthest expiry date and does not check if there is another valid root cert with a closer date. Safari does this correctly, just not Apple mail. Comodo submitted a few years ago a new valid root cert but Apple hasn't added it yet.

I don't know if it's Comodo doing things wrong or bugs in Apple mail. But it does seem that Apple is ignoring this issue.

If a member of Apple staff reads this we would appreciate it if you could accept Comodo's new root cert or fix the bug in Apple Mail (use the furthest valid cert and not just the furthest cert).

Apple doesn’t routinely monitor the discussions. These are mostly user to user discussions.

Send Apple feedback. They won't answer, but at least will know there is a problem or a suggestion for change. If enough people send feedback, it may get the problem/suggested change solved sooner.

Mail Feedback