"Unable to connect" error message on macOS 10.9-10.12.1

This is still affecting some Sparkle users, so posting the solution here for future reference.

On September 30th 2021 a 10 year old “root” certificate expired, this root certificate is owned by a popular certification authority called “Let’s Encrypt”.

How this interacts with Sparkle:

  • our website uses SSL for security, we use a server certificate signed by “Let’s Encrypt”
  • Sparkle connects to our website during publishing for some (fully anonymous) server side processing
  • the root certificate in question is used by browsers to trust website certificates like ours
  • in the case of Safari, the root certificate is part of macOS and can only be replaced by Apple
  • since Sparkle uses system functionality to connect to our website, a secure connection from Sparkle to our website can’t be established
  • the root certificate in question was used up to 5 years ago
  • a newer certificate was used in macOS starting with 10.12.2, but anybody using an older system is affected, and Sparkle can’t fix the system for you
  • because of how the system caches certificate validity, a certification-related error can pop up in an inconsistent way across different applications, and much later than September 30th

there are two options to fix this:

  • upgrade your Mac to at least macOS 10.12.2
  • change your system to trust the expired certificate

For the latter, this should work:

  • in the Finder, open Applications and find and open Utilities
  • in Utilities, open Keychain Access
  • on the Menu at the top of the screen click on View and click on View Expired Certificates
  • in the window toolbar search box enter “X3” the main window should show the DST Root CA X3 certificate
  • double-click to open the certificate information
  • within the certificate information window that opens, open the Trust section and change the “When using this certificate” setting to “Always Trust”
  • close the certificate information window, and you’ll need to enter the password for your main Mac account

Alternatively you can install an updated certificate by following the instructions in this reddit post.

Please note that this problem is affecting you because you are using an obsolete version of macOS (the obsolescence comes from Apple’s unwillingness to update older macOS versions, not from us!), and the problem will come up again in the future in the form of other certificates expiring. Also there is a reason certificates expire, so by always trusting it you are weakening the security of your system.

It is also possible to install the updated certificate issued by Let’s Encrypt, but we don’t have instructions on that at this time.

7 Likes