diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml
index 8e1dc09db532..6e8a0d2824d9 100644
--- a/.github/workflows/builds.yml
+++ b/.github/workflows/builds.yml
@@ -1391,8 +1391,7 @@ jobs:
 
   macos-latest:
     name: MacOS Latest
-    # use 10.15 for now. Build fails on macos-11 (aka macos-latest)
-    runs-on: macos-10.15
+    runs-on: macos-latest
     needs: [prepare-deps]
     steps:
       # Cache Rust stuff.
@@ -1409,6 +1408,7 @@ jobs:
           hiredis \
           jansson \
           jq \
+          libiconv \
           libmagic \
           libnet \
           libtool \
@@ -1434,9 +1434,10 @@ jobs:
       - run: tar xvf prep/libhtp.tar.gz
       - run: tar xvf prep/suricata-update.tar.gz
       - run: ./autogen.sh
-      - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-unittests
+      - run: CFLAGS="${DEFAULT_CFLAGS}" CPPFLAGS="-I/usr/local/opt/libiconv/include" CXXFLAGS="-I/usr/local/opt/libiconv/include" LDFLAGS="-L/usr/local/opt/libiconv/lib" ./configure --enable-unittests
       - run: make -j2
-      - run: make check
+      # somehow it gets included by some C++ stdlib header (case unsensitive)
+      - run: rm libhtp/VERSION && make check
       - run: tar xf prep/suricata-verify.tar.gz
       - name: Running suricata-verify
         run: python3 ./suricata-verify/run.py
diff --git a/doc/devguide/conf.py b/doc/devguide/conf.py
index 8b727a8aa381..39ba4e66309e 100644
--- a/doc/devguide/conf.py
+++ b/doc/devguide/conf.py
@@ -74,7 +74,7 @@
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:
diff --git a/requirements.txt b/requirements.txt
index 09da17f5189b..2f93e685674c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,4 +4,4 @@
 #
 #   name {repo} {branch|tag}
 libhtp https://github.com/OISF/libhtp 0.5.44
-suricata-update https://github.com/OISF/suricata-update 1.2.7
+suricata-update https://github.com/OISF/suricata-update 1.2.8
diff --git a/rust/Cargo.toml.in b/rust/Cargo.toml.in
index 36daa9de87d4..fda82e3487e7 100644
--- a/rust/Cargo.toml.in
+++ b/rust/Cargo.toml.in
@@ -41,7 +41,11 @@ ntp-parser = "0.4"
 ipsec-parser = "0.5"
 snmp-parser = "0.6"
 tls-parser = "0.9"
-x509-parser = "0.6.5"
+# required by x509 to keep MSRV support
+chrono = "=0.4.19"
+thiserror = "=1.0.39"
+data-encoding = "=2.3.3"
+x509-parser = "0.8.2"
 libc = "0.2.67"
 
 [dev-dependencies]
diff --git a/rust/src/x509/mod.rs b/rust/src/x509/mod.rs
index 353edb1d4411..5ab268ba5b20 100644
--- a/rust/src/x509/mod.rs
+++ b/rust/src/x509/mod.rs
@@ -30,12 +30,8 @@ pub enum X509DecodeError {
     InvalidCert,
     /// Some length does not match, or certificate is incomplete
     InvalidLength,
-    InvalidVersion,
-    InvalidSerial,
-    InvalidAlgorithmIdentifier,
     InvalidX509Name,
     InvalidDate,
-    InvalidExtensions,
     /// DER structure is invalid
     InvalidDER,
 }
@@ -112,8 +108,8 @@ pub unsafe extern "C" fn rs_x509_get_validity(
         return -1;
     }
     let x509 = &*ptr;
-    let n_b = x509.0.tbs_certificate.validity.not_before.to_timespec().sec;
-    let n_a = x509.0.tbs_certificate.validity.not_after.to_timespec().sec;
+    let n_b = x509.0.tbs_certificate.validity.not_before.timestamp();
+    let n_a = x509.0.tbs_certificate.validity.not_after.timestamp();
     *not_before = n_b;
     *not_after = n_a;
     0
@@ -136,12 +132,8 @@ fn x509_parse_error_to_errcode(e: &nom::Err<X509Error>) -> X509DecodeError {
     match e {
         nom::Err::Incomplete(_) => X509DecodeError::InvalidLength,
         nom::Err::Error(e) | nom::Err::Failure(e) => match e {
-            X509Error::InvalidVersion => X509DecodeError::InvalidVersion,
-            X509Error::InvalidSerial => X509DecodeError::InvalidSerial,
-            X509Error::InvalidAlgorithmIdentifier => X509DecodeError::InvalidAlgorithmIdentifier,
             X509Error::InvalidX509Name => X509DecodeError::InvalidX509Name,
             X509Error::InvalidDate => X509DecodeError::InvalidDate,
-            X509Error::InvalidExtensions => X509DecodeError::InvalidExtensions,
             X509Error::Der(_) => X509DecodeError::InvalidDER,
             _ => X509DecodeError::InvalidCert,
         },
diff --git a/src/output-json-file.c b/src/output-json-file.c
index b86f1ba11813..9bee329371cf 100644
--- a/src/output-json-file.c
+++ b/src/output-json-file.c
@@ -179,7 +179,7 @@ JsonBuilder *JsonBuildFileInfoRecord(const Packet *p, const File *ff, const bool
             break;
         case ALPROTO_HTTP2:
             jb_get_mark(js, &mark);
-            jb_open_object(js, "http2");
+            jb_open_object(js, "http");
             if (EveHTTP2AddMetadata(p->flow, ff->txid, js)) {
                 jb_close(js);
             } else {
diff --git a/src/util-daemon.c b/src/util-daemon.c
index 8e6e6b63cda5..085df077e686 100644
--- a/src/util-daemon.c
+++ b/src/util-daemon.c
@@ -110,7 +110,14 @@ void Daemonize (void)
               through conf file */
 
     /* Creates a new process */
+#if defined(OS_DARWIN) && defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+#endif
     pid = fork();
+#if defined(OS_DARWIN) && defined(__clang__)
+#pragma clang diagnostic pop
+#endif
 
     if (pid < 0) {
         /* Fork error */