SSL certs on MacOS

Like all OSes, MacOS includes a number of root certificates which it trusts when checking the validity of certificates supplied by websites. These get updated with standard OS updates. And as on most OSes, some applications (e.g. Firefox) ignore the OS-provided root certificates, and use their own.

A slight complication is that the OS-provided browser, Safari, and some of the OS-provided command-line tools, such as curl, use different certificate collections. This is an issue because the collection used by curl in High Sierra (10.13.6) does not include the certificate needed to verify the identity of websites using Let's Encrypt after 1st October 2021, whereas an updated copy of Safari on that OS version does.

This can be fixed by updating the collection used by curl manually, using the collection provided by Mozilla. So, in a browser which does have a reasonably up-to-date collection, visit https://curl.se/docs/caextract.html and download cacert.pem.

Then replace the system collection with

sudo cp /etc/ssl/cert.pem /etc/ssl/cert.pem.org
sudo cp ~/Downloads/cacert-2021-10-26.pem /etc/ssl/cert.pem

Note that the precise name of the certificate file downloaded changes frequently. Just type up to ~/Downloads/cacert and then press {TAB}, and the rest of the name should be filled in automatically.
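As an added example (not part of the original note), the two copy commands above wrapped in a small POSIX shell script with the checks a careful admin would want: the downloaded file is refused unless it is a PEM bundle with matched BEGIN/END markers (a truncated download would otherwise silently replace the system bundle), the existing /etc/ssl/cert.pem is kept as a timestamped backup, and an optional third argument lets curl verify a real site against the new bundle. The script name fix-cert-pem.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original note: wrap the cert.pem swap above
# with sanity checks. Assumes the bundle was saved under ~/Downloads as
# described and that the curl being fixed is the system curl.
set -eu

# Print the number of PEM certificates in a bundle. Fails if the file holds
# none or the BEGIN/END markers do not pair up (e.g. a truncated download).
count_pem_certs() {
    bundle="$1"
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$bundle" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$bundle" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# Keep a timestamped copy of the current system bundle (so repeated runs
# never overwrite the original), then install the new one world-readable.
install_ca_bundle() {
    src="$1"; dst="$2"
    n=$(count_pem_certs "$src") || { echo "$src: not a PEM bundle" >&2; return 1; }
    if [ -f "$dst" ]; then
        cp "$dst" "$dst.$(date +%Y%m%d%H%M%S).bak"
    fi
    cp "$src" "$dst"
    chmod 644 "$dst"
    echo "installed $n certificates into $dst"
}

# Confirm the new bundle verifies a site: curl exits non-zero when
# certificate verification fails, so this doubles as the post-install test.
verify_with_bundle() {
    curl --silent --show-error --output /dev/null --cacert "$1" "$2"
}

# Usage (the URL is optional, use the site that was failing before):
#   sudo sh fix-cert-pem.sh ~/Downloads/cacert-2021-10-26.pem /etc/ssl/cert.pem https://letsencrypt.org/
if [ "$#" -ge 2 ]; then
    install_ca_bundle "$1" "$2"
    if [ "$#" -eq 3 ]; then
        verify_with_bundle "$2" "$3" && echo "verification against $3 succeeded"
    fi
fi
```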

Of course the best fix is to upgrade to a supported version of MacOS, but maybe your hardware is insufficiently new to support that.