Homebrew’s SSL certificate validation is failing, preventing it from fetching packages or updating itself because it can’t trust the remote servers it’s trying to connect to.
Cause 1: Outdated openssl and curl
Homebrew relies on system-provided openssl and curl, which might be outdated and not have the latest root certificates.
Diagnosis: Find the Homebrew install locations of openssl and curl, then check the versions installed there:
brew --prefix openssl
brew --prefix curl
Compare these with the latest stable versions available for macOS.
Fix:
Reinstall openssl and curl via Homebrew, forcing an update and relinking:
brew reinstall openssl
brew reinstall curl
This ensures Homebrew uses its own, more up-to-date versions and that they are correctly linked into your PATH.
Why it works: Homebrew’s versions of openssl and curl are compiled with more recent certificate bundles, allowing them to validate modern SSL certificates.
Cause 2: Corrupted or Expired Root Certificates on macOS
macOS itself maintains a trust store for root certificates. If this store is corrupted or contains expired certificates, it can interfere with Homebrew’s validation.
Diagnosis: Open the "Keychain Access" application on your Mac. In the "System Roots" keychain, look for any certificates that are marked as "expired" or have security warnings. Also, check for any unusual or untrusted certificates.
Fix:
For expired certificates: macOS typically handles these automatically, but if you see a manually installed expired certificate, you can delete it. For system-wide issues, sometimes a macOS update can resolve underlying problems with the trust store.
For potentially untrusted certificates: Right-click on a suspicious certificate and select "Get Info." Under "Trust," set all settings to "Use System Defaults" or explicitly "Never Trust."
Why it works: By ensuring the system’s root certificate store is clean and trusting only valid, current root authorities, you remove a potential source of validation failure.
Cause 3: Incorrect curl Configuration or Environment Variables
Sometimes, curl might be configured to use a specific certificate authority bundle that is incorrect or inaccessible, or environment variables might be overriding default behavior.
Diagnosis:
Check your ~/.curlrc file for any cacert directives.
Check your environment variables for CURL_CA_BUNDLE or SSL_CERT_FILE.
env | grep -i ssl
env | grep -i curl
Fix:
If you find a ~/.curlrc file with a cacert line, comment it out or delete it.
If environment variables are set, unset them:
unset CURL_CA_BUNDLE
unset SSL_CERT_FILE
Then, try running Homebrew commands again.
Why it works: Removing explicit, potentially incorrect certificate bundle configurations or environment variable overrides allows curl to fall back to its default, usually correct, certificate lookup mechanism.
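The Cause 3 diagnosis as one script, added here as an example and not part of the original article. The function name audit_ca_overrides and its output format are made up for illustration; it reports only the cacert directives and the two environment variables named above, and also says whether each environment override points at a readable file.

```sh
#!/bin/sh
# Added example (not from the article): report CA-bundle overrides that curl,
# and therefore Homebrew, would pick up. Function name and output are illustrative.

audit_ca_overrides() {
  curlrc="${1:-$HOME/.curlrc}"
  findings=0

  # Environment variables named in the article.
  for var in CURL_CA_BUNDLE SSL_CERT_FILE; do
    eval "path=\${$var:-}"            # var only ever comes from the fixed list above
    [ -n "$path" ] || continue
    if [ -r "$path" ]; then state="readable"; else state="missing or unreadable"; fi
    echo "env $var=$path ($state)"
    findings=$((findings + 1))
  done

  # curlrc accepts "cacert = FILE", "cacert FILE", "cacert: FILE" and "--cacert FILE";
  # lines starting with '#' are comments and are skipped by the anchored pattern.
  if [ -f "$curlrc" ]; then
    hits=$(grep -nE '^[[:space:]]*(--)?cacert([[:space:]]|=|:)' "$curlrc" /dev/null || true)
    if [ -n "$hits" ]; then
      echo "$hits"
      findings=$((findings + $(printf '%s\n' "$hits" | wc -l)))
    fi
  fi

  echo "findings=$findings"
  [ "$findings" -eq 0 ]               # exit status 1 means at least one override exists
}

# Inspect the current user's ~/.curlrc and environment.
audit_ca_overrides || true
```

A readable override is still reported, because a bundle that exists can be stale and is the one curl will use instead of its default.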
Cause 4: Firewall or Proxy Interference
Network security devices like firewalls or proxies can intercept SSL/TLS traffic, often by presenting their own certificate. If Homebrew or curl doesn’t trust this intermediary certificate, connections will fail.
Diagnosis: Try running Homebrew commands from a different network (e.g., personal Wi-Fi vs. corporate network). If it works elsewhere, your network is the likely culprit. Check your system’s proxy settings in System Settings > Network > Proxies.
Fix:
If you’re on a corporate network, you might need to import your organization’s root CA certificate into your macOS Keychain (Keychain Access > System Roots) and trust it. Consult your IT department for the correct certificate and import procedure.
If you have manual proxy settings configured, ensure they are correct or temporarily disable them to test.
Why it works: By either trusting the proxy’s certificate or removing proxy interference, you allow Homebrew to establish a direct, trusted connection to the remote server.
Cause 5: Homebrew’s Internal Certificate Store Issues
Less commonly, Homebrew itself might have an issue with its own internal certificate handling, especially if it’s an older installation or was manually modified.
Diagnosis:
Check the cacert.pem file location referenced by Homebrew. This is often within the Homebrew installation directory.
ls -l "$(brew --prefix)/etc/openssl/cert.pem"  # Example path, may vary
Verify this file exists and is not corrupted.
Fix:
Reinstalling openssl via Homebrew (as in Cause 1) usually rebuilds or updates this file. If you suspect corruption, you can try to manually replace it with a known good cacert.pem file from a trusted source, but this is advanced and generally not recommended unless you know exactly what you’re doing.
Why it works: Homebrew has its own mechanisms for managing certificates, and ensuring its internal store is intact and up-to-date is crucial for its operations.
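An added example (not Homebrew's own tooling, and not from the original article) of what "exists and is not corrupted" can mean for a PEM bundle. check_ca_bundle is a hypothetical helper: it checks that the BEGIN/END markers balance and, if the openssl CLI is present, counts entries that are expired or fail to parse. The path used at the end is the article's example path and may differ on your system.

```sh
#!/bin/sh
# Added example: sanity-check a PEM CA bundle such as Homebrew's cert.pem.
# check_ca_bundle FILE prints "certs=N bad=M". Exit status: 0 clean, 1 expired or
# unparsable entries, 2 file missing or empty, 3 truncated or malformed PEM.

check_ca_bundle() {
  bundle="$1"
  [ -s "$bundle" ] || { echo "missing or empty: $bundle"; return 2; }

  # Structural pass: each BEGIN must be closed by an END before the next BEGIN.
  certs=$(awk '
    /^-----BEGIN CERTIFICATE-----/ { if (inside) broken = 1; inside = 1; next }
    /^-----END CERTIFICATE-----/   { if (!inside) broken = 1; inside = 0; n++; next }
    END { if (inside || broken || n == 0) print -1; else print n }' "$bundle")
  [ "$certs" -gt 0 ] || { echo "truncated or malformed PEM: $bundle"; return 3; }

  # Content pass (only if the openssl CLI exists): feed each block to
  # "openssl x509 -checkend 0", which fails for expired or unparsable certificates.
  bad=0
  if command -v openssl >/dev/null 2>&1; then
    bad=$(awk '
      /^-----BEGIN CERTIFICATE-----/ { buf = "" }
      { buf = buf $0 "\n" }
      /^-----END CERTIFICATE-----/ {
        cmd = "openssl x509 -noout -checkend 0 >/dev/null 2>&1"
        printf "%s", buf | cmd
        if (close(cmd) != 0) bad++
      }
      END { print bad + 0 }' "$bundle")
  fi

  echo "certs=$certs bad=$bad"
  [ "$bad" -eq 0 ]
}

# Check the article's example path when Homebrew is installed.
if command -v brew >/dev/null 2>&1; then
  check_ca_bundle "$(brew --prefix)/etc/openssl/cert.pem" || true
fi
```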
Cause 6: macOS System Integrity Protection (SIP) Interference
While rare, if SIP is disabled or misconfigured, it could potentially affect how Homebrew interacts with system libraries, including SSL.
Diagnosis: Check the status of SIP:
csrutil status
If SIP is disabled, this might be a contributing factor if other solutions don’t work.
Fix:
Re-enable SIP by booting into Recovery Mode, running csrutil enable, and rebooting. This is a system-wide security feature and should generally be enabled.
Why it works: SIP protects critical system files and directories. Re-enabling it ensures that Homebrew and its dependencies are operating within a secure and expected system environment.
After addressing these, you might encounter a "zlib not found" error if Homebrew’s core dependencies are also affected by the initial SSL issues.