Fixing Emacs' unknown and untrusted authority TLS error

XKCD: Real Programmers

I recently upgraded my MacOS version of Emacs to 25.3 and was looking to install a couple of new packages.

Installing packages

I have the following in my init.el (or equivalent):

(require 'package)
(add-to-list 'package-archives '("melpa" . "") t)

Unfortunately when I ran M-x list-packages I got the following error:

Certificate information
Issued by:          Let's Encrypt Authority X3
Issued to:
Public key:         RSA, signature: RSA-SHA256
Protocol:           TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
Security level:     Medium
Valid:              From 2017-09-18 to 2017-12-17

The TLS connection to is insecure for the following

certificate was signed with an insecure algorithm
the certificate was signed by an unknown and therefore untrusted authority
certificate could not be verified

Googling didn't help. There were all sorts of misunderstandings - including blaming the package prelude (which I don't have installed).


Huh? Let's Encrypt isn't trusted? Is this a MITM attack? Nope.

You can check that is legit by running the following on the command line



gnutls-cli --tofu

or just visit in your web browser.

The solution

It looks like the MacOS version of Emacs doesn't find the correct certificate authorities.

Step 1

Using Homebrew (if you're on MacOS), install LibreSSL:

brew install libressl

Step 2

Set up Emacs to use the certificate authorities you just installed. Simple as adding the following to your init.el:

(require 'gnutls)
(add-to-list 'gnutls-trustfiles "/usr/local/etc/openssl/cert.pem")

This tells Emacs to load the gnutls package (which has had problems in the past) and to prepend the TLS CA certificates from LibreSSL to the list of trusted CAs.

Now when I install packages it all works.
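A guarded variant of Step 2, as an added example that is not part of the original post: it adds the bundle only if the file is readable and actually contains PEM certificates, and it can report what every entry in gnutls-trustfiles resolves to. The my/ names are hypothetical, the path is the one given in Step 2, and setting gnutls-verify-error is an optional extra the post does not mention.

```elisp
;; Added example for init.el; the my/ names are hypothetical helpers.
(require 'gnutls)

(defvar my/extra-ca-bundle "/usr/local/etc/openssl/cert.pem"
  "CA bundle to trust; the path is the one used in Step 2 of this post.")

(defun my/ca-bundle-cert-count (file)
  "Return the number of PEM certificates in FILE, or nil if it is unreadable."
  (when (file-readable-p file)
    (with-temp-buffer
      (insert-file-contents file)
      (how-many "^-----BEGIN CERTIFICATE-----" (point-min) (point-max)))))

(defun my/add-ca-bundle (file)
  "Prepend FILE to `gnutls-trustfiles' only if it holds certificates.
Return the certificate count, or nil (with a warning) if FILE is
missing, unreadable or empty, so a wrong path does not fail silently."
  (let ((n (my/ca-bundle-cert-count file)))
    (if (and n (> n 0))
        (progn
          (add-to-list 'gnutls-trustfiles file) ; add-to-list prepends
          n)
      (display-warning
       'tls (format "CA bundle missing or empty, not added: %s" file))
      nil)))

(defun my/trustfile-report ()
  "Return an alist of (FILE . CERT-COUNT) for each `gnutls-trustfiles' entry.
A nil count means Emacs is configured to use a file it cannot read."
  (mapcar (lambda (f) (cons f (my/ca-bundle-cert-count f)))
          gnutls-trustfiles))

(my/add-ca-bundle my/extra-ca-bundle)

;; Optional: make a failed certificate check abort the connection.
(setq gnutls-verify-error t)
```

Evaluating (my/trustfile-report) with M-: shows which trust files exist on the machine; if every count is nil, Emacs has no CA list to verify against.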


Please, please, please IGNORE any advice you see along the lines of

replace https with http


Start emacs with 'emacs --insecure'

Security is important. Don't just turn it off because you can't get something to work.


