Well, I did a bit of searching before I decided to post here. I've been getting this message for the past month whenever I visit one of two sites. Both sites are professional companies that sell products in the audio community, but only two website are flagging these errors.
The issue spans across all browsers (Safari, Chrome, and Firefox), each of these three throw the error that's similar. I've already rechecked the automatic date/time update in date and time preferences and I've already used the keychain repair. Both of those were some of the top rated fixes, but neither fixed it for me. I've read that sometimes deleting certain certificates in keychain can fix the issue, but I'm not too savvy with the inner workings of the web and wasn't entirely sure what I was supposed to be doing.
Can anyone suggest any other ways to fix the issue? It spans multiple browsers and both sites have valid certificates (I work for one of the companies that I'm having issues with), so it's on my end. Any suggestions would be greatly appreciated.
OS 10.8.4 /
Chrome: Version – Version 47.0.2526.106 (64-bit) /
Safari Version 6.0.5
Output of terminal command openssl s_client -host store.tokyodawn.net -port 443:
Last login: Sun Jan 10 02:02:29 on console
Name Removed - $ openssl s_client -host store.tokyodawn.net -port 443 -prexit -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=store.tokyodawn.net
i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
-----BEGIN CERTIFICATE-----
MIIEhDCCA2ygAwIBAgIQH1h2tfm+vg3wJe7z44Yz0jANBgkqhkiG9w0BAQsFADBl
...
-----END CERTIFICATE-----
1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
-----BEGIN CERTIFICATE-----
MIIE3DCCA8SgAwIBAgIQPiM0Wu0sClF7Jt7UgB0QqjANBgkqhkiG9w0BAQsFADCB
...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=store.tokyodawn.net
issuer=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 3366 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: B667B7B5FB70ECD8AAF870F88E32DE12A150DA0176FBACF30556A183EA1F69C0
Session-ID-ctx:
Master-Key: 6F443715158ACC11BC307DAF1EBB0A6BEE5E9169EABA377F230D528F3E7D7A31C61068E28B8C5F0CFF16653791D9FF25
Key-Arg : None
Start Time: 1452415952
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
closed
---
Certificate chain
0 s:/CN=store.tokyodawn.net
i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
-----BEGIN CERTIFICATE-----
MIIEhDCCA2ygAwIBAgIQH1h2tfm+vg3wJe7z44Yz0jANBgkqhkiG9w0BAQsFADBl
...
-----END CERTIFICATE-----
1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
-----BEGIN CERTIFICATE-----
MIIE3DCCA8SgAwIBAgIQPiM0Wu0sClF7Jt7UgB0QqjANBgkqhkiG9w0BAQsFADCB
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=store.tokyodawn.net
issuer=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 3403 bytes and written 493 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: B667B7B5FB70ECD8AAF870F88E32DE12A150DA0176FBACF30556A183EA1F69C0
Session-ID-ctx:
Master-Key: 6F443715158ACC11BC307DAF1EBB0A6BEE5E9169EABA377F230D528F3E7D7A31C61068E28B8C5F0CFF16653791D9FF25
Key-Arg : None
Start Time: 1452415952
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Best Answer
In my opinion you are missing an important root certificate. As a result the certification chain is incomplete and the intermediate certification authority thawte DV SSL SHA256 CA can't be verified.
To restore the default content of /System/Library/Keychains download the OS X 10.8.5 Combo Updater. You may either install it or extract the files. If you have reasons not to update to 10.8.5, additionally download and install Pacifist. Open the image OSXUpdCombo10.8.5.dmg. In the mounted image open the file OSXUpdCombo10.8.5.pkg with Pacifist. Then install them by choosing the three files in the keychain folder and hitting Install (red circle).
You need admin privileges to do so.
This might not solve your problems immediately but you got all the Thawte certificates back and start over resolving your issue.
Additionally I advice to update to OS X 10.8.5 and install any supplemental updates for 10.8.5 and the newest security updates: Security Update 2015-006 Mountain Lion.