Server certificate not signed by any root server


#1

When I have tried syncing OmniFocus 2.0.4 (under OS X, 10.9.5) very recently, I have encountered a warning and so cancelled the connection. The warning is as follows: “The server certificate for “sync.omnigroup.com” is not signed by any root server. This site may not be trustworthy. Would you like to connect anyway?” I’ve seen this message each time I’ve attempted to sync today, using different WiFi networks. By contrast, OmniFocus for iPhone (2.4.4) has been able to sync without difficulties.

I’ve seen another thread about certificate signatures, but the issue seemed to be about involvement of an unexpected party. Here, “Thawte Premium Server CA” is listed, however. Whether or not a coincidence, I had recently installed a few updates (including Security Update 2015-004) and it was after the update process that I began having problems, but I would not have expected this to affect the signature of a certificate. The details I see are shown below:

Has anyone else encountered this issue recently? What is the safest way to proceed?


#2

Yes, me too. I’ve emailed support@omnigroup.com to say:

Your sync server (sync.omnigroup.com) has a certificate issue. According to OS X 10.9.5, it is “not signed by any root server”. Please let me know when this is fixed so I can sync with confidence that I am not suffering from a man-in-the-middle attack.

It’s not really safe to sync until this is resolved, because someone may have compromised the server or the connection to it.


#3

Omnigroup support was really helpful. They checked to make sure their certificate was OK, and helped me track down the problem on my workstation.

If you’ve upgraded your Mac over the years and started with something below OS X 10.5, you have an obsolete keychain that needs to be removed. Open Keychain Access, right-click on the X509Anchors keychain, and click remove. You can tell it to leave the files in place. Once you’ve done this, restart OmniFocus and it should sync without issue. You’ll also have a lot less noise in your system logs about “Warning: accessing obsolete X509Anchors”.
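
A command-line way to confirm the condition described in post #3, as an added example that is not part of the original thread and not Omni Group's code: it checks the output of `security list-keychains` for an X509Anchors entry and counts which processes log the "obsolete X509Anchors" warning. The function names, the sample data (constructed) and the assumed syslog layout (process tag in the fifth field) are assumptions.

```bash
#!/bin/sh
# Added example: look for traces of the obsolete X509Anchors keychain.

# Read `security list-keychains` output on stdin; print each search-list
# entry whose file name is X509Anchors (optionally with .keychain).
obsolete_keychains() {
  # Entries are printed one per line, indented and double-quoted.
  sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' |
    awk -F/ '$NF ~ /^X509Anchors(\.keychain)?$/ { print }'
}

# Read syslog-style lines on stdin; print "<count> <process>" for every
# process that logged the obsolete-X509Anchors warning, busiest first.
# Assumes the process tag is the fifth field (no spaces in its name).
warning_sources() {
  grep -F 'obsolete X509Anchors' |
    awk '{ p = $5; sub(/\[[0-9]+\]:?$/, "", p); n[p]++ }
         END { for (p in n) print n[p], p }' |
    sort -k1,1nr -k2,2
}

# Constructed sample input, not captured from a real machine.
sample_keychains='    "/Users/alice/Library/Keychains/login.keychain"
    "/Users/alice/Library/Keychains/X509Anchors"
    "/Library/Keychains/System.keychain"'
sample_log='May  5 10:12:01 mac OmniFocus[412]: Warning: accessing obsolete X509Anchors.
May  5 10:12:03 mac SomeApp[88]: Warning: accessing obsolete X509Anchors.
May  5 10:14:40 mac OmniFocus[412]: Warning: accessing obsolete X509Anchors.
May  5 10:15:02 mac loginwindow[61]: unrelated message'

# On a Mac, inspect the live keychain search list; elsewhere, run the samples.
if command -v security >/dev/null 2>&1; then
  security list-keychains | obsolete_keychains
else
  printf '%s\n' "$sample_keychains" | obsolete_keychains
  printf '%s\n' "$sample_log" | warning_sources
fi
```

On the affected machine, feeding the system log to `warning_sources` (for example `warning_sources < /var/log/system.log`) shows whether the warnings stop after the keychain is removed.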