tlmgr update fails on macOS 10.13.6

Norbert Preining norbert at
Fri Oct 29 17:13:01 CEST 2021

> both use Let's Encrypt certs, and apparently need to fix the
> certificate chain they're serving. What a mess.

In most cases, the reason for this is that Lets Encrypt deprecated the 
DST Root CA X3 certificate, but older clients not automatically update
to the newer certificate chain.

I was hit myself by that.

What needs to be done is either a completely new reissue of the
certificate, or - if one uses the official client from FSF certbot - a
sufficiently new version (meaning >= 1.12) and adding either the command
line option
	--preferred-chain "ISRG Root X1"
or adding the configuration file option
	preferred_chain = ISRG Root X1
to each /etc/letsencrypt/renewal/*.conf in the [renewalparams] section.

After that, certificates should be properly verified again.

But the question remains, how to bring all the clients to actually DO
this update :-(



PREINING Norbert                    
Fujitsu Research  +  IFMGA Guide  +  TU Wien  +  TeX Live  + Debian Dev
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13

More information about the tex-live mailing list.