I contacted NLNet Labs, they updated their certs which made NSD fetch on Mojave 
work again for me.

Somewhere during my tests accidentally OpenSSL was activated on my machine (a 
destroot on nsd 4.3.8 maybe?), which killed all the installed ports that were 
dependent on an openssl 1.1.1 dylib (which had been made inaccessible), so 
suddenly a lot of programs couldn’t start anymore (Abort 6) because the dylib 
wasn’t there. That kind of forced me to do a quick update of everything.

So I updated NSD to 4.3.8 and created a pull request for it (as the existing 
MacPorts version 4.1.2 would not compile with OpenSSL3 which is now standard 
and I am an NSD maintainer)

That change has now been merged with MacPorts master (yes! yes! I did it 
correctly! I’m getting the hang of it!)

Everything NSD is back as it should be.

Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
R&A Enterprise Architecture <https://ea.rna.nl/> (main site)
Book: Chess and the Art of Enterprise Architecture <https://ea.rna.nl/the-book/>
Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>

> On 8 Nov 2021, at 03:54, Dave Horsfall <d...@horsfall.org> wrote:
> 
> On Sun, 7 Nov 2021, Bill Cole wrote:
> 
>>> So I wonder how widespread this problem is?
>> 
>> The problem in this case is not the existence of the cert in the CA bundle, 
>> but the fact that this particular expired cert was used in an alternative 
>> validation path and the logic of verification for multi-path certs isn't 
>> correct. Normally, expired root CAs should stay in there because that allows 
>> positive non-verification of certs supposedly issued by an expired (and 
>> maybe compromised) root CA.
> 
> Gotcha; thanks.
> 
>>> And I'm not happy with those that are set way in the future; I heard 
>>> somewhere that 5 years is the recommended max.
>> 
>> CAs are special. The current limit on server certs is 397 days. I don't 
>> think there's a consensus on CA lifetimes because of the conflicting risks 
>> of too-short and too-long lives.
> 
> One day past a leap year :-)  I don't remember where I saw the 5-year 
> recommendation, unfortunately.
> 
> -- Dave
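The points Bill Cole makes above, as an added offline example (not code from the thread, from NSD or from MacPorts): it audits certificates in the dict form Python's ssl module returns, reporting expired CAs in a bundle as informational rather than as a defect and flagging a leaf whose lifetime exceeds the 397-day limit. The function names and the sample roots and leaf are constructed for illustration; expired_in_default_store() reads the machine's own default trust store.

```python
import ssl
from datetime import datetime, timezone
LEAF_MAX_DAYS = 397  # server-cert lifetime limit cited in the thread

def common_name(cert):
    # subject is a tuple of RDNs, each a tuple of (key, value) pairs
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def lifetime_days(cert):
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) // 86400

def is_expired(cert, now):
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now.timestamp()

def audit(leaf, ca_certs, now=None):
    """Findings as (kind, CN[, detail]) tuples. An expired CA is reported, not
    condemned: keeping it lets a client positively reject certs chained to it."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for ca in ca_certs:
        if is_expired(ca, now):
            findings.append(("expired-ca", common_name(ca)))
    if is_expired(leaf, now):
        findings.append(("expired-leaf", common_name(leaf)))
    days = lifetime_days(leaf)
    if days > LEAF_MAX_DAYS:
        findings.append(("leaf-lifetime", common_name(leaf), days))
    return findings

def expired_in_default_store(now=None):
    # CNs of expired CAs in this machine's default trust store
    now = now or datetime.now(timezone.utc)
    certs = ssl.create_default_context().get_ca_certs()
    return [common_name(c) for c in certs if is_expired(c, now)]

# Constructed sample data (hypothetical names and dates, not real certs).
SAMPLE_ROOTS = [
    {"subject": ((("commonName", "Constructed Old Root"),),),
     "notBefore": "Jan  1 00:00:00 2001 GMT", "notAfter": "Sep 30 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "Constructed New Root"),),),
     "notBefore": "Jun  4 00:00:00 2015 GMT", "notAfter": "Jun  4 00:00:00 2035 GMT"},
]
SAMPLE_LEAF = {"subject": ((("commonName", "Constructed Leaf"),),),
               "notBefore": "Oct  1 00:00:00 2021 GMT", "notAfter": "Nov 30 00:00:00 2022 GMT"}
```

Run audit() against the dicts from getpeercert() and get_ca_certs() on a live connection to see which path a chain actually depends on.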
