tlmgr update fails on macOS 10.13.6
norbert at preining.info
Fri Oct 29 17:13:01 CEST 2021
> both use Let's Encrypt certs, and apparently need to fix the
> certificate chain they're serving. What a mess.
In most cases, the reason for this is that Lets Encrypt deprecated the
DST Root CA X3 certificate, but older clients not automatically update
to the newer certificate chain.
I was hit myself by that.
What needs to be done is either a completely new reissue of the
certificate, or - if one uses the official client from FSF certbot - a
sufficiently new version (meaning >= 1.12) and adding either the command
--preferred-chain "ISRG Root X1"
or adding the configuration file option
preferred_chain = ISRG Root X1
to each /etc/letsencrypt/renewal/*.conf in the [renewalparams] section.
After that, certificates should be properly verified again.
But the question remains, how to bring all the clients to actually DO
this update :-(
PREINING Norbert https://www.preining.info
Fujitsu Research + IFMGA Guide + TU Wien + TeX Live + Debian Dev
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
More information about the tex-live