Certificate validation is failing since 08/24/2021 - BlackListedLeaf certificate validation is failing

All customers that are using some versions of our product are complaining because they are not able to connect to the service. This happens because a certificate validation done in the code is failing. The certificate didn't expire, but looking into the console logs this error is observed:

default 08:39:03.218259 -0300 trustd cert[1]: BlackListedLeaf =(leaf)[force]> 0
default 08:39:03.218790 -0300 trustd cert[1]: BlackListedLeaf =(leaf)[force]> 0
default 08:39:03.218897 -0300 trustd cert[2]: AnchorTrusted =(leaf)[force]> 0
default 08:39:03.219086 -0300 trustd cert[1]: BlackListedLeaf =(path)[force]> 0
default 08:39:03.221455 -0300 dsAccessService Trust evaluate failure: [ca1 BlackListedLeaf]
default 08:39:03.221929 -0300 NNNService SecStaticCode: verification failed (trust result 6, error -2147409652)
default 08:39:03.221964 -0300 NNNService MacOS error: -2147409652
default 08:39:03.226483 -0300 NNNService MacOS error: -2147409652
default 08:39:03.853294 -0300 trustd cert[1]: BlackListedLeaf =(leaf)[force]> 0
default 08:39:03.853663 -0300 trustd cert[1]: BlackListedLeaf =(leaf)[force]> 0
default 08:39:03.853791 -0300 trustd cert[2]: AnchorTrusted =(leaf)[force]> 0
default 08:39:03.854047 -0300 trustd cert[1]: BlackListedLeaf =(path)[force]> 0
default 08:39:03.855542 -0300 NNNService Trust evaluate failure: [ca1 BlackListedLeaf]
default 08:39:03.856172 -0300 NNNService SecStaticCode: verification failed (trust result 6, error -2147409652)

As you can see, this is the certificate validation that fails: Trust evaluate failure: [ca1 BlackListedLeaf]

We need to understand why the app certificate is blacklisted. Is there any new policy enforced by Apple to blacklist certificates?

Is it possible that the issue is related to an update for XProtect and MRT Configuration Data? https://eclecticlight.co/2021/08/23/apple-has-pushed-updates-to-xprotect-and-mrt-27/

I suspect that this is fallout from Information for website operators about distrusting Symantec certificate authorities. This is somewhat outside of DTS’s wheelhouse — the system-wide trust policy on our platforms is the purview of Apple Support — but here’s my understanding:

  • We missed the deadline described in that article (25 Feb 2020).

  • The change has now rolled out completely.

  • Folks are working to update the article to reflect the above.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
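
For triaging logs like the excerpt in the question, the following is an added example (not part of the original thread and not Apple's code) that parses those lines, groups trust failures by process, and decodes the numeric codes. The sample lines are constructed from the excerpt; treating a trailing `0` as a failed policy check is an assumption, and the symbolic names come from Security.framework's SecTrust.h and cssmerr.h.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the format of the log excerpt in the question.
SAMPLE = """\
default 08:39:03.218259 -0300 trustd cert[1]: BlackListedLeaf =(leaf)[force]> 0
default 08:39:03.218897 -0300 trustd cert[2]: AnchorTrusted =(leaf)[force]> 0
default 08:39:03.221455 -0300 dsAccessService Trust evaluate failure: [ca1 BlackListedLeaf]
default 08:39:03.221929 -0300 NNNService SecStaticCode: verification failed (trust result 6, error -2147409652)
"""

# SecTrustResultType values (SecTrust.h) and one OSStatus name (cssmerr.h).
TRUST_RESULT = {0: "invalid", 1: "proceed", 3: "deny", 4: "unspecified",
                5: "recoverableTrustFailure", 6: "fatalTrustFailure", 7: "otherError"}
OSSTATUS = {0x8001210C: "CSSMERR_TP_CERT_REVOKED"}

HEAD = re.compile(r"^\w+ [\d:.]+ [+-]\d{4} (?P<proc>\S+) (?P<msg>.*)$")
CHECK = re.compile(r"^cert\[(?P<idx>\d+)\]: (?P<check>\w+) "
                   r"=\((?P<scope>\w+)\)\[\w*\]> (?P<res>\d+)$")
FAIL = re.compile(r"^Trust evaluate failure: \[(?P<checks>[^\]]*)\]$")
CODE = re.compile(r"^SecStaticCode: verification failed "
                  r"\(trust result (?P<tr>\d+), error (?P<err>-?\d+)\)$")

def triage(text):
    """Collect failed trustd policy checks and per-process trust failures."""
    report = {"failed_checks": set(), "by_process": defaultdict(list)}
    for line in text.splitlines():
        head = HEAD.match(line.strip())
        if not head:
            continue
        proc, msg = head["proc"], head["msg"]
        # Assumption: a result of 0 means the named policy check did not pass.
        if (m := CHECK.match(msg)) and m["res"] == "0":
            report["failed_checks"].add((int(m["idx"]), m["check"], m["scope"]))
        elif m := FAIL.match(msg):
            report["by_process"][proc].append(("trust", m["checks"].split()))
        elif m := CODE.match(msg):
            status = int(m["err"]) & 0xFFFFFFFF  # signed OSStatus -> unsigned 32-bit
            report["by_process"][proc].append(
                ("codesign", TRUST_RESULT.get(int(m["tr"]), "unknown"),
                 f"0x{status:08X}", OSSTATUS.get(status, "unknown")))
    return report

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(sorted(result["failed_checks"]))
    for proc, events in result["by_process"].items():
        print(proc, events)
```
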
