
Still Attempting to Fix Safari, iBooks Store in Mavericks

I'm still working on the problems explained in this post: Safari 7.0 in Mavericks Cannot Load iBooks Store, Twitter.com, PayPal.com.

I created a new admin account called "Test" that works fine. When I say "fine" I mean I can do these things, which I cannot do on my account:

  • Load both PayPal.com and Twitter.com in Safari
  • Load the iBooks Store
  • Click on the magnifying glass to show a Safari download in the Finder

If there was an easy way to move my files to the new user while keeping everything (username, user ID, etc.) as I like it, I'd do so.

Currently, I plan to use the new account as a test. First I'll boot to another drive, rename my ~/Library, and copy the Test user's Library into my account, then boot into it. If that works, I'll slowly pull things across to see when/where the "breakage" occurs.

P.S. Happy Birthday to my wife. She's now in her "late 30s." 😀

7 Responses to "Still Attempting to Fix Safari, iBooks Store in Mavericks"

  1. Replacing my Library with the Library from the other user (for whom everything works) did not work either.

    This is a maddening, frustrating, annoying, weird bug.

  2. Predictably, I cannot load Twitter or PayPal in iCab or OmniWeb either. Launching Twitter produces an error in the console, as does sending a Tweet from the Notification Center, but both work (the app launches, the tweet posts).

    I've cleaned out several .files in my home directory. I removed MacPorts. I tried cleaning out all Internet Plug-Ins. I tried cleaning out all added PrefPanes.

    Still nothing is working.

    P.S. My fonts all pass the Font Book validation.

  3. FYI,

    I'm not sure if this has been stated yet (I didn't find it), but the error number specified seems to indicate that it's a root cert problem.

    From :

    errSSLNoRootCert = -9813, /* cert chain not verified by root */

    I'd look at your keychain(s) to look for any weird root certs, and maybe check to make sure your keychains in /Library/Keychains and /System/Library/Keychains are all OK. Ya never know....

    Also, you might download the SSL cert used on those services (the PayPal one might be easiest), and manually verify them using Keychain Access to see what happens.

  4. Frank, I'll profess a good amount of ignorance when it comes to the Keychain.

    I'm not sure what I'd be looking for to find any "weird root certs." Keychain First Aid reports no issues: http://cl.ly/image/3Y061v333u3Q . That screenshot also shows what keychains I have - just the standard login, iCloud, System, and System Roots.

    If I show only Certificates, Login has 51, iCloud has 0 (of course), System has 15, and System Roots has 211 (with two expired - MPHPT, CertiNomis).

    Mucking around with the Keychain makes me nervous. 😉 And Safari (and iBooks Store) works with other users on the same machine, so it seems unlikely to be something in /Library/Keychains/.

    I'd appreciate any help you could provide, and if you're able to help me solve this, I'd happily take a look at your Amazon Wishlist or something. 🙂

  5. Well, I will certainly try, but this is a very odd bug.

    As a side note, I also have issues with SSL websites/services when at work, behind an authenticated web proxy. I believe the issue there is that OCSP doesn't work very well through the web proxy. This problem still happens even AFTER I've turned off OCSP (including the errors in the system log!), so, I tend to think, right now, that OCSP is a major weakness in Mavericks. However when I'm outside the proxy, I have no real issues.

    In fact, I can quasi-replicate your issue while I'm behind the firewall. Sometimes it says it can't connect to certain SSL sites (I even got it to not connect to PayPal a bit), but other times it just takes a LONG time to connect.

    I'm assuming you have no proxy setup, though. (Note that Apple's Safari parental controls use a quasi-proxy setup, so that can cause issues like this sometimes, too.)

    So, I wonder what happens when you try to verify the cert:

    You can download the cert using openssl (since you can't do it in Safari):

    openssl s_client -connect paypal.com:443 -showcerts

    From the output of that, you'll see three certs (the entire chain), and the one at the top is the www.paypal.com cert. Copy and paste the cert block into an appropriately named text file (I like www.paypal.com.cer as that's how Safari names it when I drag and drop it from Safari).

    Now, let's get good old security to validate it:

    security -v verify-cert -c /path/to/www.paypal.com.cer -p ssl -s paypal.com -n -L

    Hopefully, it'll give another clue....

    (Mine normally came back OK/Verified, but sometimes came back:
    Cert Verify Result: CSSMERR_TP_NOT_TRUSTED)
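
The two manual steps in the comment above (copying the certificate block out of the openssl output, then running security on it) can be scripted. This is an added example, not part of the original thread; the function names, file names and sample data are assumptions made for illustration.

```shell
#!/bin/sh
# split_chain OUTDIR: read `openssl s_client -showcerts` output on stdin, write
# each PEM block to OUTDIR/cert-N.pem (cert-0.pem is the server's own
# certificate) and print the number of certificates written.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        BEGIN { n = 0 }
        /^-----BEGIN CERTIFICATE-----/ { file = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > file }
        inside && /^-----END CERTIFICATE-----/ { close(file); n++; inside = 0 }
        END { print n }
    '
}

# check_host HOST: fetch the chain, then verify the leaf with the same
# `security` options used in the comment above. Needs network access and macOS.
check_host() {
    host=$1
    dir=$(mktemp -d "${TMPDIR:-/tmp}/chain.XXXXXX") || return 1
    count=$(openssl s_client -connect "$host:443" -showcerts </dev/null 2>/dev/null |
            split_chain "$dir")
    if [ "${count:-0}" -eq 0 ]; then
        echo "no certificates received from $host" >&2
        return 1
    fi
    echo "$count certificate(s) saved in $dir" >&2
    security -v verify-cert -c "$dir/cert-0.pem" -p ssl -s "$host" -n -L
}

# Constructed sample of s_client output; the PEM bodies are placeholders,
# not real certificates.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDLEAFBODY
-----END CERTIFICATE-----
 1 s:/CN=Constructed Intermediate CA
   i:/CN=Constructed Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDINTERMEDIATEBODY
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=www.example.test
EOF
}
```

Running `check_host paypal.com` once in the affected account and once in the working one gives two verification results to compare.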

  6. Oh, one more thing:

    It can seem like a good idea to mark certain certs as "Always Trust," but in some instances that can actually foul things up. (Specifically, I know that can foul up app signing, or at least used to be able to do that.)

    In any case, in looking at your keychain screen shot (the first one in the comments of the old post), I'd probably try deleting that root CA out of your login keychain, and marking the one in your system defaults to "Use System Defaults" instead of "Always Trust" and see if that makes any difference.

    (If you haven't already.)

    In my system roots, I don't have any of the root CAs in there set to "Always Trust." And the only ones I have set to "Always Trust" in any of my other keychains are my enterprise root CAs. So, unless you're doing something fancy, you probably don't need any certs marked as "Always Trust." Even the Apple code signing ones are signed by Apple's Root CA, which is in the System Roots (clever, Apple...)

  7. Frank, I looked on Amazon using the email address you used to comment, but couldn't find a wish list to send you anything. Please let me know if I can.

    I "Got Info" on ALL the certificates on my computer in both my "System" and "local" keychains (15 and 45 now, respectively). If they said "Always Trust" I changed them to "Use System Defaults." I even toggled those for certificates like the one at http://evolvr.thegolfevolution.com/ - certificates on sites I operate. In fact, most of them seemed to be on sites like this - MediaTemple, Plesk, or email servers with certificates. I don't recall adjusting a certificate that seemed "global."

    I did delete two or three certificates outright. I believe one was expired, and the other two may have been certificates that had an email address as the name of the certificate.

    Either way, without even restarting Safari, I was able to connect to Twitter.com and PayPal.com. I was able to open the iBooks Store. I don't know exactly what step fixed this issue - I was tempted to restore settings from my nightly backup, or to boot to it and take it step-by-step, cert-by-cert - but I was so glad to be able to visit sites again I just went back to getting work done.

    So thank you. 🙂 And I'm serious about the Amazon wish list thing.

    P.S. I updated the Apple Discussions thread a few days ago when I did this. I've been delayed in posting more details here.