9 Replies Latest reply: Jan 20, 2007 5:53 AM by manuze
sciwaysat Level 1 (10 points)
I keep getting the message:

Safari can't verify the identity of the website "www.google.com" The certificate for this website is invalid. You might be connecting to a website that might be pretending to be...

I check the "details" for the cert and it shows that the first two levels in the chain are valid, though the third level (or leaf) is invalid. ("This certificate is not valid -2147408878").

Has anyone run across this before? And how do I tell Safari that it really is Google?

Every time with Google, and quite often with a few other sites, I have to tell Safari the cert is OK.

Any help with this would be great.

imac intel core duo 1.83Ghz   Mac OS X (10.4.8)  
  • Hawaiian_Starman Level 7 (21,405 points)
    Certificates are retained in the keychain database.

    Go to your Utilities folder and select Keychain Access. When opened, click on the X509 anchors on the left in the Keychains section. Below, in the "category" section, select "certificates". Either use the Spotlight panel to find the certificate, or manually search through the list.

    When you find the applicable certificate, double click to open the file. Down the bottom click on the "trust settings" triangle. In the first drop down menu, select "always trust". All the other drop down menus ought to change to the same setting. Close the panel, and if finished, close keychains.

    Restart Safari and try the site(s) in question.

    Post back.
  • sciwaysat Level 1 (10 points)

    Nope, didn't work. I've gone through all the help files for Keychain Access and followed your instructions to the letter, but Safari still gives me the same warning.

    Also, the X509 anchors listing "on the left in the keychains section" is missing. It was there last time I checked (a few weeks ago) but was missing when I went to follow your tips.

    The full URL for the site in question is: https://www.google.com/adsense/

    The root and intermediate certs are ok (issued by Thawte SGC CA) but the last cert on the chain (leaf) shows: "thawte cert has an invalid issuer expires tue may 15 2007".

    I'm thinking of resetting keychain access to factory default settings and starting fresh, or deleting the keychain and creating a new one.

    Any ideas on what to do next?

  • Hawaiian_Starman Level 7 (21,405 points)
    When I select the link you provided no certificate warning shows up.

    Go back to Keychain Access and select "keychain first aid" in the Keychain menu. Select "repair". If errors appear, rerun until you get a clean pass.

    Post back.

    Message was edited by: Hawaiian_Starman
  • sciwaysat Level 1 (10 points)
    Ran first aid and it showed an error with my keychain lock settings, so changed the settings to get a clean pass, and did. But that has nothing to do with the cert being accepted.

    I've tried to access the adsense part of Google from different directions (off a Google search results page, bookmark, etc.) thinking the URL was the prob, no luck.

    My Safari insists the cert is invalid. (btw X509 was there, just had to hit the "show keychains" button at bottom of window, must be blind)

    What I've tried so far:

    Went through the X509 anchors and deleted all the invalid certs (many were out of date) plus all the Google certs in anchors and my keychain login.

    Did a Spotlight search for anything related to Thawte or Google in Keychain Access and deleted anything that was invalid and checked that everything else is valid, and it is. (All certs now show as valid.)

    Closed K-Access, cleared the cache, cookies, and history for Safari, closed it and rebooted.

    Reopened K-Access to make sure everything is still clean, it is, then closed it.

    Opened Safari, went to adsense and got the same warning, checked the details, scrolled down and clicked the link for the .crt, went through the process to add the root cert to anchors and keychain login. Rechecked for the invalid cert (it was there), removed it, rebooted and still get the same warning.

    If you can, do a Spotlight search in K-Access for www.google.com and see what comes up. (If you went to the URL I posted the cert should be on your machine.)

    A workaround I found to avoid the warning is to set the preferences for cert acceptance to "best attempt"; the cert still shows as invalid but I no longer get the warning.

    At this point I'll give my brain a rest and try to troubleshoot this again later today.

    If you come up with anything, post back.

  • Hawaiian_Starman Level 7 (21,405 points)
    Well strange as it might sound, I don't have a Google certificate in my keychain file. Perhaps, removing the certificate and your Google cookies via Safari Preferences>Security>Cookies might make the alert go away. Also, empty the cache before trying the site.

    Post back.
  • Eric Hildum Level 2 (265 points)
    This isn't a Safari problem or a problem on your Mac. Safari is actually working correctly. Basically, the certificate on this server is bad, and you will get the error message until such time as Google actually fixes the bad certificate. Of course, this could also indicate that someone has hacked the DNS system, and you are not actually connecting to the Google server. Given the nature of this site, I am inclined to believe it is a bad certificate in this case.

    I have run into similar types of problem a number of times, though usually the issue is an expired certificate because the web site owner forgot to renew the certificate on time.

    The other occasion you are likely to see an error of this nature is when the site uses a self-signed certificate with their own certificate authority. Since the root authority is not a standard one, Safari will not have a way to verify that the certificate is valid. The solution for this problem, IF YOU KNOW THE SITE IS TRUSTWORTHY, is to install their root certificate on your system. This is not a step to be taken lightly, and if you do not understand the implications you should NOT do it.
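
Added example, not part of the original thread: the two failure causes named in the reply above (an expired certificate, and an issuer the client does not trust) reproduced offline with the `openssl` command line, so the verdicts can be told apart. Every key, certificate and name (`demo-root`, `unrelated`, `www.example.test`) is constructed for the demo, and the helpers `new_ca` and `check_leaf` are hypothetical names.

```shell
#!/bin/sh
# Constructed demo: all keys, names and certificates are generated locally.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal config so the demo CAs carry basicConstraints CA:TRUE.
cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_ca NAME: self-signed CA valid for 365 days (NAME.key / NAME.crt).
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$work/req.cnf" \
        -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

new_ca demo-root     # the CA that really issued the leaf
new_ca unrelated     # a CA that did not

# Leaf for a constructed host name, valid 30 days, signed by demo-root.
openssl req -new -newkey rsa:2048 -nodes -config "$work/req.cnf" \
    -subj "/CN=www.example.test" -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -CA "$work/demo-root.crt" \
    -CAkey "$work/demo-root.key" -set_serial 1 -days 30 -out "$work/leaf.crt" 2>/dev/null

# check_leaf CA_NAME [SECONDS_AHEAD]: classify OpenSSL's verdict on the leaf
# with CA_NAME supplied as the trusted anchor, optionally at a future time.
check_leaf() {
    at=$(( $(date +%s) + ${2:-0} ))
    out=$(openssl verify -attime "$at" -CAfile "$work/$1.crt" "$work/leaf.crt" 2>&1) || true
    case $out in
        *"certificate has expired"*)    echo expired ;;
        *"unable to get local issuer"*) echo untrusted-issuer ;;
        *": OK"*)                       echo ok ;;
        *)                              echo "other: $out" ;;
    esac
}

echo "trusted issuer, today:     $(check_leaf demo-root)"
echo "issuer not in trust store: $(check_leaf unrelated)"
echo "trusted issuer, +60 days:  $(check_leaf demo-root 5184000)"
```

The same leaf certificate gets three different verdicts depending only on which anchor the client trusts and what the client's clock says, which is why a warning on one machine and none on another does not by itself show which side is at fault.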
  • sciwaysat Level 1 (10 points)

    Many Thanks, you confirmed my best guess as far as google/adsense is concerned.

    One thing I don't quite understand is, if I set K-Access preferences/certificates to "Best Attempt" the cert in question shows as valid, though when pref's are set to "Require if Cert Indicates" it shows as invalid.

    Must be the "www.google.com" cert (issued by Thawte SGC CA) doesn't meet the higher trust settings for some reason (like you said, the cert may be bad).

    I took a very close look at the details for that cert and compared it to other certs from Thawte and everything seems to be in order. I've added it to X509 anchors and left the pref's set to "best attempt" for now.

    I'll probably play around with the settings later but for now I'll leave well enough alone. I'll leave this post open for a while to see if anyone has an idea, but I think my question has been answered.

  • Hawaiian_Starman Level 7 (21,405 points)
    "This isn't a Safari problem or a problem on your Mac. Safari is actually working correctly. Basically, the certificate on this server is bad, and you will get the error message until such time as Google actually fixes the bad certificate."

    Insightful. Thanks.

    So, I'm left wondering why no certificate exists on my system, or certificate warning appears in Safari when I access the Google site?
  • manuze Level 1 (0 points)
    Thanks for working free for Apple on this forum...
    I remember having seen a page on .mac where Apple promises to answer within 48h or so.
    Does anybody know where to find this access?

    I pay for .mac and cannot synchronize both Apples I have because Safari and .mac pref return all Apple certificates are invalid.....

    2007-01-20 13:36:17.266 System Preferences[268] Connection failed. Error - untrusted server certificate https://www.mac.com/WebObjects/Info.woa/wa/DynamicUI/dotMacPreferencesPaneMessage

    If there is no help from Apple for people that pay and for an issue related to their secure web site I wonder how it goes for someone that cannot access a secure bank site for example....

    Thanks Apple for letting me post a question on which I was never able to find an answer for a service I'm paying for.