"Unable to connect" error message

Just a heads up on a problem that will affect you if you’re using macOS prior to 10.12.1.

This article sums it up:

About Sparkle:

  • our website uses SSL for security, we use a common certificate called “Let’s Encrypt”
  • Sparkle connects to our website during publishing for some server side processing
  • today a 10 year old “root” certificate used by Let’s Encrypt expired
  • the root certificate in question is used by browsers to trust website certificates like ours
  • the root certificate is part of macOS and can only be replaced by Apple
  • since Sparkle uses system functionality to connect to our website, the security can’t be established
  • the root certificate in question was used up to 5 years ago, say iOS 10, macOS 10.11, Android 4. Let’s Encrypt is so popular that it’s likely half the web will break for those devices
  • a newer certificate was used in macOS starting with 10.12.2. If you’re using an older system you are affected, and we can’t fix the system for you

This is very urgent for us to fix, but will likely require a few days to address. If you require an immediate fix, unfortunately we can only suggest upgrading your macOS to at least 10.12.

There are other workarounds mentioned in references linked from the article above, namely:

I managed a workaround by going to the [IdentTrust DST Root CA X3] certificate, right-clicking and selecting Get Info. In the pop up, I expanded Trust settings and set the top drop down to “Always Trust”. I then restarted my browser and was able to access a site previously blocked by the expiry.

But this is technical in nature.

We’ll let everybody know as soon as we have a workaround for this.


Never a dull moment!
Thanks, Duncan, as ever, for being on top of things!

Gotta wonder how many Word Pressers will be in the weeds on this, with no one like you to help them!

Dave

Just to follow up on this, the fix is to do one of these two:

  • upgrade your Mac to at least macOS 10.12.2
  • open Keychain Access on your Mac, search for the “DST Root CA X3” certificate, double click to edit it and in the “Trust” section change the setting “When using this certificate” to “Always trust”

Please note that this problem is affecting you because you are using an obsolete version of macOS (the obsolescence comes from Apple’s unwillingness to update older macOS versions, not from us!), and the problem will come up again in the future in the form of other certificates expiring. Also there is a reason certificates expire, so by always trusting it you are weakening the security of your system.


Also relevant, Keychain Access on older macOS versions might not be searching everywhere, so you have to select the “Certificates” section of the keychain, as per this screenshot:

What is being processed on your server “during publishing”? This is critical information for security and privacy for me and my clients!

Please be fully transparent and explain in full detail…

There’s a CSS optimizer that we run on the server, that’s all.

If you cannot find the DST Root CA X3 certificate

For older macOS, try:

  • downloading https://letsencrypt.org/certs/isrgrootx1.der
  • opening the Keychain Access app and dragging that file into the System folder of that app
  • then find the ISRG Root X1 certificate in System and double click on it, open the Trust menu and change “Use System Defaults” to “Always Trust”, then close that and enter your password to confirm the change (if prompted).