I found a script online that checks at X o’clock in the morning and downloads the latest beta; fortunately it also stores the previous packages for a certain amount of time, so I was able to roll back.
PMS 1.32.0 updates our openSSL library to openSSL v3 and finally dumps the long-deprecated openSSL v2.
As such, openSSL v3 dropped support for some encryption methods.
Unless you specified one of the more secure methods when you created your cert, you were likely to get one which is no longer supported by openSSL v3.
Working with Engineering, and confirming PMS behavior, I have information for you on how to regenerate your certificates to be PMS-compatible moving forward.
Here is my (redacted) certificate generation script:
# Generate new p12 (Acme LE is valid until 2025)
# PBES2/AES-256-CBC for both the cert and key bags plus a SHA-256 MAC,
# which openSSL v3 can read without its legacy provider
openssl pkcs12 -export -out mydomain.p12 \
-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
-inkey mydomain.key -in mydomain.crt \
-certfile Acme-LE.crt \
-password pass:MyPasswordHere
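The following is an added example, not the poster's script nor anything shipped by Plex: it builds a throwaway self-signed key and cert, exports them with the same three algorithm flags as the command above, and then checks that the resulting bundle parses under whatever OpenSSL is installed without the legacy provider. It assumes only that the `openssl` CLI is on PATH; the hostname, file names and password are constructed for the demo. The `p12_loads` check is the part worth keeping: run it against an existing .pfx/.p12 before an upgrade to see whether it still opens.

```shell
#!/bin/sh
# Added example, not the poster's script: build throwaway test material, pack it
# into a PKCS#12 with the same modern algorithms as above, and verify that the
# bundle parses under the installed OpenSSL without the legacy provider.
# Hostname, file names and password are all constructed for this demo.
set -e

WORK="$(mktemp -d)"            # scratch directory, removed when the shell exits
trap 'rm -rf "$WORK"' EXIT
DEMO_PASS='TestPasswordOnly'   # constructed; never reuse a real bundle password here

# Constructed test material: a self-signed key/cert for a fictitious host.
gen_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=plex.example.invalid" \
    -keyout "$WORK/test.key" -out "$WORK/test.crt" >/dev/null 2>&1
}

# Pack key + cert using PBES2/AES-256-CBC for both bags and a SHA-256 MAC.
# These are the three flags the post above adds to its export command.
make_modern_p12() {
  openssl pkcs12 -export -out "$WORK/modern.p12" \
    -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
    -inkey "$WORK/test.key" -in "$WORK/test.crt" \
    -password "pass:$DEMO_PASS"
}

# Check: does a bundle parse with the default provider? Returns 0 on success.
# Point this at an existing .pfx/.p12 (with its own password) before upgrading;
# a non-zero result here is the symptom this thread describes.
p12_loads() {
  openssl pkcs12 -info -noout -in "$1" -password "pass:$2" >/dev/null 2>&1
}

# Report the MAC and bag-encryption algorithms a bundle actually uses.
# openssl writes this summary to stderr, hence 2>&1.
p12_algs() {
  openssl pkcs12 -info -noout -in "$1" -password "pass:$2" 2>&1 \
    | grep -Ei 'MAC:|Encrypted data|Keybag' || true
}

gen_test_material
make_modern_p12
if p12_loads "$WORK/modern.p12" "$DEMO_PASS"; then
  echo "modern.p12 parses under: $(openssl version)"
else
  echo "modern.p12 did NOT parse under: $(openssl version)"
fi
p12_algs "$WORK/modern.p12" "$DEMO_PASS"
```

If an existing bundle fails `p12_loads` on an OpenSSL 3 build but opens once you add `-legacy` to the same `openssl pkcs12 -info` command, it was written with algorithms OpenSSL 3 moved into its legacy provider; re-export it with the flags shown and the check passes without `-legacy`.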
I can confirm that after adding this line to my p12 generation script and regenerating the cert, everything works again as expected. Thanks for the fast solution.
It’s not a toss up on whether it’s a breaking change. Things broke. Full stop. And it’s not a matter of “which openSSL is on the server.” I have a wildcard certificate, which isn’t generated on that server.
That being said, the computer that I rebuilt the cert chain on is on macOS 13, running
openssl version
LibreSSL 3.3.6
My wildcard PFX, which had worked perfectly well until yesterday no longer works. I had to rebuild as a .p12. If I have to do work to maintain functionality and security, it’s a breaking change.
Also, any mechanism (pseudo-domain/cert) which demonstrates the problem is all I need. If it mirrors your case, but is otherwise fictitious, then perfect.
This would have been on presumably a LibreSSL 3.x version. I know I was on Ventura at that point, but I’m not sure exactly when Apple shipped 3.x. macOS wasn’t updated to 3.x in Monterey 12.6.3. At least that’s what my test box is telling me.
I had to add -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 with LibreSSL 3.3.6 yesterday to make it work.
Really where I’m going with this is that I built my wildcard in November on the openssl binary that was current on my daily driver, while running the latest version of macOS at the time. And, I’m on macOS Ventura 13.3 currently, and yesterday I had to add the flags above to the command to make it work.
This is why I say that it’s a breaking change.