Hello,

Today I started getting some errors with a maintenance script that makes use of wget, where it claims that a certificate has expired.

DEBUG output created by Wget 1.19.5 on linux-gnu.

Reading HSTS entries from /root/.wget-hsts
URI encoding = ‘UTF-8’
--2020-05-30 17:29:58-- https://ehwiki.org/
Certificates loaded: 154
Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
Caching ehwiki.org => 94.100.29.76
Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
Created socket 4.
Releasing 0x00005633a3c84880 (new refcount 1).
ERROR: The certificate of ‘ehwiki.org’ is not trusted.
ERROR: The certificate of ‘ehwiki.org’ has expired.

However, the certificate does not expire until March 2021. Doing the same with curl on the same box produces no errors, so it does not seem to be an issue with the system CA certs.

Based on some slouching around, it seems to have something to do with wget not correctly handling the expiry of the Sectigo AddTrust root certificate:

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

This test link from Sectigo similarly works in Chrome/Firefox/curl, but not in wget.

https://addtrustchain.test.certificatetest.com/

wget -d https://addtrustchain.test.certificatetest.com/

DEBUG output created by Wget 1.19.5 on linux-gnu.

Reading HSTS entries from /root/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2020-05-30 17:50:32-- https://addtrustchain.test.certificatetest.com/
Certificates loaded: 154
Resolving addtrustchain.test.certificatetest.com (addtrustchain.test.certificatetest.com)... 35.245.138.9
Caching addtrustchain.test.certificatetest.com => 35.245.138.9
Connecting to addtrustchain.test.certificatetest.com (addtrustchain.test.certificatetest.com)|35.245.138.9|:443... connected.
Created socket 3.
Releasing 0x0000559518283390 (new refcount 1).
ERROR: The certificate of ‘addtrustchain.test.certificatetest.com’ is not trusted.
ERROR: The certificate of ‘addtrustchain.test.certificatetest.com’ has expired.

curl https://addtrustchain.test.certificatetest.com/

Certificate issued from a CA signed by <b>USERTrust RSA Certification Authority</b> with a cross cert via server chain from <b>AddTrust External CA Root</b>

The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations with all updates applied. I'm not sure if this is a distro issue or an issue with wget itself?
