MacOS – Broken SSL certificates

macos ssl

When I try to access a couple of high-profile websites (*.apple.com, twitter.com) via HTTPS, their certificates have recently been getting rejected by some client apps (Chrome, App Store, curl) but not by others (Safari, Firefox, wget, lynx).

This is a bit paralyzing, because with App Store unable to talk to identity.apple.com I can't get OS updates anymore.

I'm running OS X 10.9.5 on a 2013 rMBP. I'm not aware of having made any major changes in the system recently. Not using any network-sniffing or otherwise unusual software. I haven't been messing with stored certificate-authority data – I wouldn't even quite know how to do that. I do have Homebrew-installed OpenSSL, if that changes anything.

Could anyone help me fix this?

Best Answer

(With great thanks to @Tetsujin for pointing me in the right direction)

Looking up details of the certificates, in browsers that allow doing that and in Keychain Access, showed that all the breakage was traceable to a "VeriSign Class 3 Public Primary Certification Authority - G5" which was untrusted; I haven't figured out why that was, and it wasn't prominently marked as such in KA.
Anyway, in KA I've set this cert to be "always trusted" on SSL, and everything is now loading well, though the other certs calling upon it are marked as "signed by an untrusted authority".