When trying to clone a repo on OS X 10.14.6, it fails in the following way:
$ /usr/bin/git --version
git version 2.21.1 (Apple Git-122.3)
$ /usr/bin/openssl version
LibreSSL 2.6.5
$ git clone https://host/repo.git
Cloning into 'repo'...
fatal: unable to access 'https://host/repo.git/': SSL certificate problem: certificate has expired
It would probably work with SSL verification disabled, but that is not an option.
The same command succeeds on a different machine which has had no prior contact with the server.
A look at ssllabs.com reveals that the server sends two certificate chains; one of them has an expired "DST Root CA X3" certificate, the other one is valid. ssllabs.com also states that this root certificate is "In trust store" as opposed to "Sent by server".
Is it possible to choose a specific (the non-expired one in this case) certificate chain for git?
I suspect the computer that can't clone the repo somehow remembers the expired certificate. If that is true, is there a way to forget/reject the expired cert chain?
CodePudding user response:
If you're using OpenSSL < 1.1.0 it sounds like you are running into a known issue (see last paragraph there) with Android-compatible certs (as issued by default by CAs like Let's Encrypt). Usually, performing regular OS software updates will update OpenSSL and fix this.
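A shell diagnostic, added here as an example and not taken from the question or the answer, that pulls the chain a server presents and reports each certificate's expiry with the same openssl binary git links against, so an expired "DST Root CA X3" in the served chain is visible before touching verification settings. It assumes an openssl/LibreSSL CLI with `s_client` and `x509`; the host name `host` is a placeholder.

```sh
#!/bin/sh
# Added example (not part of the original question or answer).
# Assumes /usr/bin/openssl (OpenSSL or LibreSSL) is on PATH.

# fetch_chain HOST [PORT]: print the PEM certificates the server sends, in order.
fetch_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# report_chain CHAIN.PEM: one tab-separated line per certificate:
# STATUS  notAfter  subject  issuer   (STATUS is VALID or EXPIRED as of now)
report_chain() {
    tmp=$(mktemp -d) || return 1
    # Split the bundle into cert-001.pem, cert-002.pem, ... preserving chain order.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++}
                       n{print > (dir "/cert-" sprintf("%03d", n) ".pem")}' "$1"
    for f in "$tmp"/cert-*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend 0 exits non-zero once notAfter is in the past.
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            status=VALID
        else
            status=EXPIRED
        fi
        printf '%s\t%s\t%s\t%s\n' "$status" "$end" "$subj" "$issuer"
    done
    rm -rf "$tmp"
}

# expired_count CHAIN.PEM: number of expired certificates in the bundle.
expired_count() {
    report_chain "$1" | awk -F '\t' '$1 == "EXPIRED" {c++} END {print c + 0}'
}

# Usage: ./chaincheck.sh host   (host is a placeholder for the git server)
if [ $# -gt 0 ]; then
    chain=$(mktemp) && fetch_chain "$1" > "$chain"
    report_chain "$chain"
    echo "expired certificates in served chain: $(expired_count "$chain")"
    rm -f "$chain"
fi
```

An EXPIRED line whose subject is "DST Root CA X3" in the served chain is the case the answer describes: a current OpenSSL ignores that path and validates via the root in the trust store, while older versions stop at the first expired certificate.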