
"There was an error connecting to the Apple ID server" untrusted CRL issue

I started getting errors when logging into my Apple account on iTunes/App Store/iBooks etc, which I noticed today.


When attempting login, these would return the message "There was an error connecting to the Apple ID server"



Debugging this with Wireshark, I noticed that iTunes was disconnecting as soon as it saw the server SSL certificate.


I opened the domain URL it was using (https://gsa.apple.com) in Safari to see whether it reported any certificate issues, and it confirmed that the intermediary certificate, though valid, couldn't be verified against its CRL, as it believes http://crl.apple.com/root.crl is an untrusted CRL.



Other OSX computers I've checked serve the same certificate, and validate the certificate successfully.


I've attempted to set the certificate to always trust, but it had no effect.


I've changed the Keychain Access -> Preferences -> Certificates -> Certificate Revocation List (CRL) setting to "Best attempt", which appears to fix the issue; however, I'm not keen on this change, as it might weaken my computer's security compared to "Require if certificate indicates".


Is there any way to restore OSX's trusted CRL list to fix this?

MacBook Pro with Retina display, OS X El Capitan (10.11.4)

Posted on Apr 24, 2016 2:12 PM


2 replies
Question marked as Top-ranking reply

Apr 24, 2016 2:24 PM in response to andy465

Actually, I just found the other computer's Keychain Access -> Preferences -> Certificates -> Certificate Revocation List (CRL) is set to "Best attempt", and turning it to "Require if certificate indicates" causes the same issue, so I assume this is an issue with Apple's ID server certificates themselves.


I believe I set the CRL settings to "Require if certificate indicates" a while back to try to improve security. So at one point up to recently, https://gsa.apple.com did work with those settings, and possibly they've changed the intermediate certificate, which has the untrusted CRL issue. That it's http://crl.apple.com/root.crl and not https seems suspect and might be the source of the untrustedness issue.

Aug 17, 2016 3:07 AM in response to andy465

No, that's fine. Access to CRLs is HTTP, because if it was HTTPS, you'd need another CRL request to verify the certificate used to download the CRL and that would loop ad infinitum.

The problem is that the certificate of the (root) CA that issued the certificate for gsa.apple.com isn't known and hence isn't trusted.
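As an added illustration (not part of this thread), the script below uses the openssl command in place of Keychain Access to reproduce the two behaviours discussed above: strict revocation checking ("Require") rejects a chain whose CRL is signed by a CA the client does not know, while skipping revocation ("Best attempt") accepts the same chain on the strength of the certificates alone. The root, leaf, CA names and CRLs are all constructed in a temporary directory; nothing is fetched from the network.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway PKI with OpenSSL and
# show why a CRL signed by an unknown root fails strict revocation checking.
# Names (Demo Root, gsa.example.test) are constructed; nothing is fetched.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config that `openssl ca -gencrl` needs: an index file and a CRL number.
cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
EOF
touch index.txt
echo 01 > crlnumber

# Trusted root, a leaf it issued, and the root's own (trusted) CRL.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root" \
  -keyout root.key -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=gsa.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 30 -in leaf.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -out leaf.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -cert root.crt -keyfile root.key \
  -out trusted.crl 2>/dev/null

# Same CA name, different key: a CRL from a root the client does not know.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root" \
  -keyout unknown.key -out unknown.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -cert unknown.crt -keyfile unknown.key \
  -out untrusted.crl 2>/dev/null

# "Require" mode: the chain is accepted only if the CRL validates too.
verify_strict() {
  openssl verify -CAfile root.crt -crl_check -CRLfile "$1" leaf.crt >/dev/null 2>&1
}
# "Best attempt" mode with no usable CRL: the chain alone decides.
verify_lenient() {
  openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}

verify_strict trusted.crl   && echo "trusted CRL:   strict check passes"
verify_strict untrusted.crl || echo "untrusted CRL: strict check fails"
verify_lenient              && echo "no CRL check:  chain alone passes"
```

The failure in the untrusted case is a CRL signature or lookup error, not a problem with the leaf certificate itself, which is exactly the distinction the reply above draws.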
