macOS Sequoia local network access and the new ‘Allow [app name] to find devices on local network’ prompt

After upgrading to Sequoia, a number of my installed apps popped up a prompt sometime after the first boot: ‘Allow [app name] to find devices on local network?’. Thinking this was odd, I answered no for each of these and didn’t think any more of it. A couple of days later I realized I couldn’t access any websites running locally on my network, for example services running in containers on my Proxmox server. I could still ping their IPs and get a response, but Chrome was saying ‘No route to host’.

After some Googling I found some posts with the same issue, and it’s related to this prompt for accessing local devices. To enable the access after you’ve already answered no to the popup, go to System Settings, Privacy and Security, Local Network and enable access for any apps that need it.
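The symptom above (ping answers, but the app's TCP connection fails with ‘No route to host’) can be told apart from an ordinary network fault with a small triage helper. This is an added example, not code from the original post; it assumes ‘No route to host’ corresponds to the `EHOSTUNREACH` error code, and the function names, result labels and sample address are hypothetical.

```python
import errno
import ipaddress
import socket

def is_local_network(ip):
    """Rough test for 'on my LAN': private or link-local, but not loopback."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_link_local) and not addr.is_loopback

def probe(ip, port, timeout=3.0):
    """Try a TCP connect; return 0 on success, otherwise the errno."""
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
        return 0
    except socket.timeout:
        return errno.ETIMEDOUT
    except OSError as exc:
        return exc.errno or errno.EIO

def classify(ip, tcp_errno, ping_ok):
    """Map a connect result plus a ping result to a likely cause."""
    if tcp_errno == 0:
        return "reachable"
    if tcp_errno == errno.EHOSTUNREACH:
        # Ping works but the app gets 'No route to host' for a LAN address:
        # the pattern from the post. Check System Settings, Privacy and
        # Security, Local Network for the affected app.
        if is_local_network(ip) and ping_ok:
            return "local-network-permission"
        return "no-route"
    if tcp_errno == errno.ECONNREFUSED:
        return "nothing-listening"  # host answered, no service on that port
    if tcp_errno == errno.ETIMEDOUT:
        return "timeout"
    return "other"

if __name__ == "__main__":
    target, port = "192.168.1.50", 8006  # constructed sample address and port
    # Set ping_ok from your own ping test of the same address.
    print(classify(target, probe(target, port), ping_ok=True))
```

The Local Network setting is per app, so `probe` reflects the permission of whatever app launches the script, not the browser's; `classify` can also be fed the error the affected app itself reported.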

Let’s Encrypt certificate expired on older Macs

I have a number of older machines that I use on a regular basis, so I’m no stranger to the struggles of not being able to browse current websites on older machines with older browsers and the typical SSL/TLS support issues that you run into. I was surprised to see this error this week on my 2008 Mac Pro running Mac OS X 10.11 El Capitan and a latest version of Chrome:

Looking at the certificate for any site not loading, it looks like the certificate has expired.

I’m not seeing this on my other later/current machines though, so clearly something on these older machines is no longer getting updates. Browsing around a few other sites, I saw the same issue on many of them, so it was not limited to a single site and I realized something else was going on. Some Googling found this article:

Following the steps to download the updated certificate from Let’s Encrypt and install it into Keychain did the job.

New WoSign/StartCom certificates issued after Jan 1st 2017 blocked on Apple products

My first 1 year free SSL certificate with StartSSL is about to expire this month, so it’s time to renew for another year. Last year I wasn’t sure what would happen at this point 1 year later, but it appears you just apply for another new certificate, and then replace it on the servers where you are using it.

However, once I had requested my new certificate and uploaded it to my OpenShift account, Chrome blocked access to my site with a ‘certificate revoked’ error. A bit of digging turned up this article. Due to a number of security related issues with the Certificate Authority WoSign and later their undisclosed purchase of StartCom/StartSSL, it appears use of certificates from either of these companies is now blocked on all Apple products if issued after Jan 1st 2017, and also on Firefox and Chrome too. More info on Wikipedia here, and Mozilla here and here.

Cookie blocking and using third party logons (like OpenID)

It’s one thing to block cookies because you don’t want to be tracked, but in most cases cookies provide essential functionality for some sites, like sites using a logon via another third-party site, like OpenID.

Trying to log on with your Google account to the Kinja network of sites, for example, doesn’t work if you’re blocking third-party cookies in Chrome. The logon fails silently. To work around this (and presumably for other similar sites too), just add a ‘Cookie and site data exception’ in your Chrome settings, in this case for [*.]kinja.com