View all Worklets
macOS

cURL Root Certificates Update

Installs cURL root certificates on Catalina or earlier

Worklet Details

Introduction to the Bash-Based cURL Root Certificates Update Worklet

The cURL Root Certificates Update Worklet is a script that resolves issues with recent expiry of Let's Encrypt root certificates on macOS Catalina or earlier. This bash-based Worklet efficiently identifies the need for an update and installs the latest version of /etc/ssl/cert.pem.

By using this Worklet, users can ensure that their system has an up-to-date root certificate, mitigating potential security risks and ensuring seamless communication with secure servers.

Why would you use the cURL Root Certificates Update Worklet?

Issues with certificate verification can lead to errors such as "certificate verify failed" or "local issuer certificate" warnings. These can disrupt interaction with various services and applications, necessitating manual intervention to resolve the problem.

The cURL Root Certificates Update Worklet helps automate this process by identifying outdated CA bundles and updating them accordingly. This saves time and effort for administrators while preventing disruptions due to expired or untrusted certificates.

Components of the cURL Root Certificates Update Worklet

The Worklet consists of two main components: an evaluation script and a remediation script. The evaluation script checks if the system requires an updated CA bundle by comparing its current version against a defined threshold.

If necessary the remediation script, which downloads up-to-date CA certificates from a trusted source, backs up existing CA bundles, and replaces them with newer versions.

How does the cURL Root Certificates Update Worklet work?

Upon execution, the evaluation script first verifies whether your macOS version is supported (Catalina or earlier). It then checks your current certificate version by examining /etc/ssl/cert.pem. If your certificate version is below the threshold, it triggers the remediation part of the Worklet.

During remediation, the updated certificate file is downloaded from a reliable source onto a temporary location (/tmp/cert.pem). Once download is completed, the existing certificate file at /etc/ssl/cert.pem is backed up and replaced with the new version. Finally, the script tests connectivity to ensure that the updated certificates have resolved any previous issues.

What is the expected outcome when you use the cURL Root Certificates Update Worklet?

When you execute this Worklet on a macOS system with outdated or expired root certificates, it will intelligently identify if an update is required and proceed with downloading and installing an updated CA bundle onto your system.

As a result, previously encountered certificate verification errors should be resolved, restoring secure communication between your device and remote servers. If your system is already running updated CA certificates, no changes will be made, ensuring that this Worklet does not interfere with working configurations.

View in app

Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.

do more with worklets