I recently upgraded my MacOS version of Emacs to 25.3 and was looking to install a couple of new packages.

Installing packages

I have the following in my =init.el (or equivalent):

(require 'package)
(add-to-list 'package-archives '("melpa" . "https://melpa.org/packages/") t)

Unfortunately when I ran M-x list-packages I got the following error:

Certificate information
Issued by:          Let's Encrypt Authority X3
Issued to:          CN=melpa.org
Hostname:           melpa.org
Public key:         RSA, signature: RSA-SHA256
Protocol:           TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
Security level:     Medium
Valid:              From 2017-09-18 to 2017-12-17


The TLS connection to melpa.org:443 is insecure for the following
reasons:

certificate was signed with an insecure algorithm
the certificate was signed by an unknown and therefore untrusted authority
certificate could not be verified

Googling didn’t help. There were all sorts of misunderstandings - including blaming the package prelude (which I don’t have installed).

Checking melpa.org

Huh? Let’s Encrypt isn’t trusted? Is this a MITM attack? Nope.

You can check that melpa.org is legit by running the following on the command line

curl https://melpa.org

or

gnutls-cli --tofu melpa.org

or just visit https://melpa.org in your web browser.

The solution

It looks like the MacOS version of Emacs doesn’t find the correct certificate authorities.

Step 1

Using homebrew (if you’re on MacOS) install LibreSSL:

brew install libressl

Step 2

Set up Emacs to use the certificate authorities you just installed. Simple as adding the following to your init.el:

(require 'gnutls)
(add-to-list 'gnutls-trustfiles "/usr/local/etc/openssl/cert.pem")

This command tells Emacs to use the guntls package (which has, in the past had problems) and prepend the TLS CA certificates from LibreSSL to the list of trusted CAs.

Now when I install packages it all works.

What NOT TO DO

Please, please, please IGNORE any advice you see along the lines of

replace https with http

or

Start emacs with ‘emacs --insecure

Security is important. Don’t just turn it off because you can’t get something to work.