macOS 10.15.4, "The root CA certificate is not trusted for this purpose"
-
Hi,
I have a problem with Qt 5.12.8 accepting certificates on macOS 10.15.4.
We are building a software stack, where we use the QNetworkAccessManager in order to connect to a server.
If I want to run it, it gets me "The root CA certificate is not trusted for this purpose" (error code 17). I am sure that the certificate is the correct one, because if I run everything on Windows 10 or macOS 10.14.x it works like a charm. The certificate itself is not a self-signed certificate but a certificate signed by an (Apple)-trusted authority.
What I have done so far:
- google, google, google, but unfortunately I did not get a solution...
- I installed the newest (1.1.1g) openssl with brew and linked it to /usr/bin/openssl in order to make it the system default.
- I tried a combination of this (https://stackoverflow.com/questions/13093025/qt-on-osx-10-5-8-the-root-ca-certificate-is-not-trusted-for-this-purpose) "solution" and this post (https://forum.qt.io/topic/55853/openssl-and-mac-os-x/7) where I built my Qt libraries from source, not linked with openssl, but with the mac-specific SecureTransport.
And that's about it, I do not have any other idea.
Does anyone have a hint about which direction I can search further?
Please hit me up if you need any further specifications.
Thank you very much
-
Hi and welcome to devnet,
Please check QTBUG-65002, the last comment might give another clue why it is happening.
-
@jonaspeter did you ever figure this out? I am having the same problem on macOS 10.15.7 with Qt 5.15.1
-
@jonaspeter @Janine I am having the same problem on 10.15.4, Qt 5.14.2
@SGaist In QTBUG-65002 there is no solution. Can you provide an explanation of the last comment? The first time I got this problem was in QML in XmlHttpRequest. XmlHttpRequest silently gave an empty responseText. After a few hours of searching for a solution I tried to create a test application with raw QNAM in Qt (C++) and got the same error...
In the system cert policy I set "always trust" for this cert.
Any solution? :(
-
From what I understand, your certificate might be considered weak so SecureTransport rejects it.
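
One way to test the "weak certificate" theory from the last reply, as an added example that is not part of the thread or of Qt: a shell function that checks a PEM certificate against Apple's published macOS 10.15 requirements for TLS server certificates. Treating those requirements as what "weak" means here is an assumption; the function names and the generated sample certificate are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Thresholds are Apple's published
# macOS 10.15 requirements for TLS server certificates; treating them as what
# "weak" means in the thread is an assumption.

to_epoch() {  # openssl date string -> epoch seconds; GNU date, then BSD/macOS date
    date -u -d "$1" +%s 2>/dev/null || date -u -j -f '%b %d %T %Y %Z' "$1" +%s
}

# Print one line per finding for the PEM certificate in file $1 (nothing if clean).
cert_weaknesses() {
    local text alg bits sig start end days
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: *(\([0-9]*\) bit).*/\1/p' | head -n1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
    if [ "$alg" = "rsaEncryption" ] && [ "${bits:-0}" -lt 2048 ]; then
        echo "weak-key: RSA ${bits} bits, 2048 or more required"
    fi
    case "$sig" in
        md5*|sha1*|dsaWithSHA1|ecdsa-with-SHA1)
            echo "weak-signature: ${sig}, SHA-2 family required" ;;
    esac
    # The 825-day limit applies to certificates issued after July 1, 2019.
    start=$(openssl x509 -in "$1" -noout -startdate); start=$(to_epoch "${start#*=}")
    end=$(openssl x509 -in "$1" -noout -enddate); end=$(to_epoch "${end#*=}")
    days=$(( (end - start) / 86400 ))
    if [ "$days" -gt 825 ]; then
        echo "long-validity: ${days} days, 825 or fewer required"
    fi
}

if [ "$#" -gt 0 ]; then
    cert_weaknesses "$1"    # check a certificate exported from the server
else
    # Constructed sample: throwaway self-signed 1024-bit RSA certificate, 10 years.
    demo=$(mktemp -d)
    openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 3650 -subj "/CN=demo.invalid" \
        -keyout "$demo/key.pem" -out "$demo/cert.pem" 2>/dev/null
    cert_weaknesses "$demo/cert.pem"
    rm -rf "$demo"
fi
```

Run it against each certificate in the server's chain; an empty result means none of these three checks explains the rejection.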