For anyone interested, this topic is currently trending on Hacker News: https://news.ycombinator.com/item?id=23362759
On May 30, 2020 9:02:36 PM GMT+02:00, Petr Pisar <[email protected]> wrote:
>On Sat, May 30, 2020 at 07:57:22PM +0200, Tenboro wrote:
>> Today I started getting some errors with a maintenance script that makes
>> use of wget, where it claims that a certificate has expired.
>>
>> DEBUG output created by Wget 1.19.5 on linux-gnu.
>>
>> Reading HSTS entries from /root/.wget-hsts
>> URI encoding = ‘UTF-8’
>> --2020-05-30 17:29:58-- https://ehwiki.org/
>> Certificates loaded: 154
>> Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
>> Caching ehwiki.org => 94.100.29.76
>> Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
>> Created socket 4.
>> Releasing 0x00005633a3c84880 (new refcount 1).
>> ERROR: The certificate of ‘ehwiki.org’ is not trusted.
>> ERROR: The certificate of ‘ehwiki.org’ has expired.
>>
>> However, the certificate does not expire until March 2021.
>
>Yes. That's a badly worded error message by wget. The issue is not with
>ehwiki.org certificate. The issue is with its authority's certificate.
>
>> Doing the same with curl on the same box produces no errors, so it does
>> not seem to be an issue with the system CA certs. Based on some slouching
>> around, it seems to have something to do with wget not correctly handling
>> the expiry of the Sectigo AddTrust root certificate:
>>
>> https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
>>
>[...]
>> The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations with
>> all updates applied.
>>
>> I'm not sure if this is a distro issue or an issue with wget itself?
>
>I experience it on Gentoo too. The problem is not in wget:
>
>$ wget --version
>GNU Wget 1.20.3 built on linux-gnu.
>
>-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
>-ntlm +opie -psl +ssl/gnutls
>
>but in GnuTLS library:
>
>$ gnutls-cli --port https ehwiki.org
>Processed 158 CA certificate(s).
>Resolving 'ehwiki.org:https'...
>Connecting to '94.100.29.76:443'...
>- Certificate type: X.509
>- Got a certificate list of 3 certificates.
>- Certificate[0] info:
>- subject `CN=ehwiki.org,OU=Gandi Standard SSL,OU=Domain Control Validated', issuer `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial 0x63a5ea656ff9efdfe68ec85d3025466c, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-01-31 00:00:00 UTC', expires `2021-03-12 23:59:59 UTC', pin-sha256="wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78="
>        Public Key ID:
>                sha1:63ddc827cb0c5efda0634864ececc9855001c8bc
>                sha256:c0f6ea14b959a906ee17eb619c26abb1fd24f026ef33cc1b6e385c4f8e65c7bf
>        Public Key PIN:
>                pin-sha256:wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78=
>
>- Certificate[1] info:
>- subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11 23:59:59 UTC', pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4="
>- Certificate[2] info:
>- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
>- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
>*** PKI verification of server certificate failed...
>*** Fatal error: Error in the certificate.
>
>It seems that GnuTLS stops on a failure in the first certificate chain, while
>other libraries like OpenSSL explore other chains before giving up.
>
>It would help if ehwiki.org server did not send the expired certificate in the
>certificate chain of the TLS handshake and send the alternative one that has
>not yet expired as advertised on the Sectigo web page you linked.
>
>-- Petr

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
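A small model of the path-building difference Petr describes, added here as an illustration and not code from GnuTLS, OpenSSL or wget: it uses the three certificates and expiry dates from the gnutls-cli output above, while the trust-store contents (a self-signed USERTrust root with an assumed expiry, plus the AddTrust root) and the check time are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime           # expiry (notAfter), UTC
    trust_anchor: bool = False    # True if it lives in the local CA store

def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# The three certificates ehwiki.org served, expiry dates taken from the gnutls-cli output.
LEAF = Cert("ehwiki.org", "Gandi Standard SSL CA 2", utc("2021-03-12 23:59:59"))
GANDI = Cert("Gandi Standard SSL CA 2", "USERTrust RSA Certification Authority", utc("2024-09-11 23:59:59"))
USERTRUST_CROSS = Cert("USERTrust RSA Certification Authority", "AddTrust External CA Root", utc("2020-05-30 10:48:38"))
# Trust store (assumed): self-signed USERTrust root (expiry assumed) and the AddTrust root, which expired with its cross-cert.
STORE = [
    Cert("USERTrust RSA Certification Authority", "USERTrust RSA Certification Authority", utc("2038-01-18 23:59:59"), True),
    Cert("AddTrust External CA Root", "AddTrust External CA Root", utc("2020-05-30 10:48:38"), True),
]
NOW = utc("2020-05-30 17:29:58")   # timestamp of the failing wget run, treated as UTC (assumption)

def find_path(cert, served, store, now, explore, seen=()):
    """Chain from `cert` to a trust anchor, or None.  explore=False follows only the first
    candidate issuer (the server-sent one comes first) and gives up if it fails, as Petr
    describes GnuTLS doing; explore=True backtracks and also tries the store's own copy."""
    if now > cert.not_after:
        return None
    if cert.trust_anchor:
        return [cert]
    if cert.subject == cert.issuer or cert in seen:   # untrusted self-signed cert, or a loop
        return None
    candidates = [c for c in served + store if c.subject == cert.issuer and c is not cert]
    for cand in (candidates if explore else candidates[:1]):
        rest = find_path(cand, served, store, now, explore, seen + (cert,))
        if rest:
            return [cert] + rest
    return None

def verify(served, now=NOW, explore=False):
    """Subjects of the chain that was built, or None when validation fails."""
    path = find_path(served[0], served, STORE, now, explore)
    return None if path is None else [c.subject for c in path]

if __name__ == "__main__":
    as_sent = [LEAF, GANDI, USERTRUST_CROSS]
    print("first chain only  :", verify(as_sent))                 # None: cross-cert expired
    print("with alternatives :", verify(as_sent, explore=True))   # ends at the USERTrust root
    print("cross-cert dropped:", verify([LEAF, GANDI]))           # succeeds without backtracking
```

The third call is the fix Petr suggests on the server side: once the expired cross-certificate is left out of the handshake, even a verifier that never backtracks reaches the USERTrust root in the local store.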
