See also: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352370753
Regards,
Tim

On 31.05.20 00:18, [email protected] wrote:
> For anyone interested, this topic is currently trending on Hacker News:
>
> https://news.ycombinator.com/item?id=23362759
>
> On May 30, 2020 9:02:36 PM GMT+02:00, Petr Pisar <[email protected]> wrote:
>> On Sat, May 30, 2020 at 07:57:22PM +0200, Tenboro wrote:
>>> Today I started getting some errors with a maintenance script that makes
>>> use of wget, where it claims that a certificate has expired.
>>>
>>> DEBUG output created by Wget 1.19.5 on linux-gnu.
>>>
>>> Reading HSTS entries from /root/.wget-hsts
>>> URI encoding = ‘UTF-8’
>>> --2020-05-30 17:29:58-- https://ehwiki.org/
>>> Certificates loaded: 154
>>> Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
>>> Caching ehwiki.org => 94.100.29.76
>>> Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
>>> Created socket 4.
>>> Releasing 0x00005633a3c84880 (new refcount 1).
>>> ERROR: The certificate of ‘ehwiki.org’ is not trusted.
>>> ERROR: The certificate of ‘ehwiki.org’ has expired.
>>>
>>> However, the certificate does not expire until March 2021.
>>
>> Yes. That's a badly worded error message by wget. The issue is not with the
>> ehwiki.org certificate. The issue is with its authority's certificate.
>>
>>> Doing the same with curl on the same box produces no errors, so it does
>>> not seem to be an issue with the system CA certs. Based on some slouching
>>> around, it seems to have something to do with wget not correctly handling
>>> the expiry of the Sectigo AddTrust root certificate:
>>>
>>> https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
>>>
>> [...]
>>> The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations with
>>> all updates applied.
>>>
>>> I'm not sure if this is a distro issue or an issue with wget itself?
>>
>> I experience it on Gentoo too. The problem is not in wget:
>>
>> $ wget --version
>> GNU Wget 1.20.3 built on linux-gnu.
>>
>> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
>> -ntlm +opie -psl +ssl/gnutls
>>
>> but in the GnuTLS library:
>>
>> $ gnutls-cli --port https ehwiki.org
>> Processed 158 CA certificate(s).
>> Resolving 'ehwiki.org:https'...
>> Connecting to '94.100.29.76:443'...
>> - Certificate type: X.509
>> - Got a certificate list of 3 certificates.
>> - Certificate[0] info:
>>  - subject `CN=ehwiki.org,OU=Gandi Standard SSL,OU=Domain Control
>> Validated', issuer `CN=Gandi Standard SSL CA
>> 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial
>> 0x63a5ea656ff9efdfe68ec85d3025466c, RSA key 2048 bits, signed using
>> RSA-SHA256, activated `2019-01-31 00:00:00 UTC', expires `2021-03-12
>> 23:59:59 UTC', pin-sha256="wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78="
>> 	Public Key ID:
>> 		sha1:63ddc827cb0c5efda0634864ececc9855001c8bc
>> 		sha256:c0f6ea14b959a906ee17eb619c26abb1fd24f026ef33cc1b6e385c4f8e65c7bf
>> 	Public Key PIN:
>> 		pin-sha256:wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78=
>>
>> - Certificate[1] info:
>>  - subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR',
>> issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST
>> Network,L=Jersey City,ST=New Jersey,C=US', serial
>> 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using
>> RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11
>> 23:59:59 UTC', pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4="
>> - Certificate[2] info:
>>  - subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST
>> Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External
>> CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial
>> 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using
>> RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30
>> 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
>> - Status: The certificate is NOT trusted. The certificate chain uses
>> expired certificate.
>> *** PKI verification of server certificate failed...
>> *** Fatal error: Error in the certificate.
>>
>> It seems that GnuTLS stops on a failure in the first certificate chain,
>> while other libraries like OpenSSL explore other chains before giving up.
>>
>> It would help if the ehwiki.org server did not send the expired certificate
>> in the certificate chain of the TLS handshake and sent the alternative one
>> that has not yet expired, as advertised on the Sectigo web page you linked.
>>
>> -- Petr
>
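The path-building difference Petr describes (GnuTLS giving up on the first chain it is handed, OpenSSL-style validators reaching a trust-store root before they ever look at the expired cross-sign) is easy to misread from the raw gnutls-cli dump, so here is an added worked example. It is not code from the thread, from GnuTLS or from OpenSSL: a toy Python path builder over name-matched certificates (no signature checks), with the three presented certificates' validity copied from the gnutls-cli output above and two trust anchors that are assumptions on my part (an AddTrust External CA Root with the same dates as the cross-sign, and a modern self-signed USERTrust RSA root taken as valid 2010-02-01 to 2038-01-18). The `trusted_first` switch is a simplification of the two behaviours, not either library's actual algorithm.

```python
"""Toy X.509 path builder for the AddTrust expiry case discussed in the thread.

Certificates are reduced to subject, issuer and validity; signatures are NOT
verified, issuer and subject names are simply matched.  Illustration only,
not GnuTLS or OpenSSL code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after


def build_path(presented, trust_store, now, trusted_first):
    """Walk from the leaf (presented[0]) towards a trust anchor.

    trusted_first=False: follow exactly the chain the server sent and give up
    at the first certificate that is not valid at `now` (what the thread
    observed with GnuTLS).
    trusted_first=True: at every step, if the current certificate's issuer is
    a self-signed root in the trust store, anchor there and ignore the rest of
    what the server sent (a simplification of OpenSSL's behaviour).
    Returns (ok, path_of_subjects, reason).
    """
    roots = {c.subject: c for c in trust_store if c.is_self_signed()}
    by_subject = {c.subject: c for c in presented[1:]}
    cert = presented[0]
    path = []
    while True:
        path.append(cert.subject)
        if not cert.valid_at(now):
            return False, path, f"{cert.subject} is expired or not yet valid"
        if cert.is_self_signed():
            if cert.subject in roots:
                return True, path, "server-sent root is in the trust store"
            return False, path, f"self-signed {cert.subject} is not trusted"
        root = roots.get(cert.issuer)
        next_presented = by_subject.get(cert.issuer)
        if root is not None and (trusted_first or next_presented is None):
            path.append(root.subject)
            if not root.valid_at(now):
                return False, path, f"trust anchor {root.subject} has expired"
            return True, path, "anchored at trust store root"
        if next_presented is None:
            return False, path, f"no issuer found for {cert.subject}"
        cert = next_presented


# Validity of the three presented certificates is copied from the gnutls-cli
# output in the thread (CNs only).  The two roots are ASSUMED: AddTrust External
# CA Root shares the cross-sign's dates, and the modern self-signed USERTrust
# root is taken as valid 2010-02-01 to 2038-01-18.
LEAF = Cert("CN=ehwiki.org", "CN=Gandi Standard SSL CA 2",
            utc("2019-01-31 00:00:00"), utc("2021-03-12 23:59:59"))
GANDI = Cert("CN=Gandi Standard SSL CA 2", "CN=USERTrust RSA Certification Authority",
             utc("2014-09-12 00:00:00"), utc("2024-09-11 23:59:59"))
USERTRUST_CROSS = Cert("CN=USERTrust RSA Certification Authority",
                       "CN=AddTrust External CA Root",
                       utc("2000-05-30 10:48:38"), utc("2020-05-30 10:48:38"))
ADDTRUST_ROOT = Cert("CN=AddTrust External CA Root", "CN=AddTrust External CA Root",
                     utc("2000-05-30 10:48:38"), utc("2020-05-30 10:48:38"))
USERTRUST_ROOT = Cert("CN=USERTrust RSA Certification Authority",
                      "CN=USERTrust RSA Certification Authority",
                      utc("2010-02-01 00:00:00"), utc("2038-01-18 23:59:59"))

SERVER_CHAIN = [LEAF, GANDI, USERTRUST_CROSS]   # what ehwiki.org sent
FIXED_CHAIN = [LEAF, GANDI]                     # Petr's suggested server-side fix
MODERN_STORE = [ADDTRUST_ROOT, USERTRUST_ROOT]  # assumed: bundle with both roots
LEGACY_STORE = [ADDTRUST_ROOT]                  # assumed: store that only knows AddTrust
NOW = utc("2020-05-30 17:29:58")                # time of the failing wget run


def scenarios():
    """Every combination the thread discusses, keyed by a short label."""
    return {
        "gnutls-like, modern store": build_path(SERVER_CHAIN, MODERN_STORE, NOW, False),
        "openssl-like, modern store": build_path(SERVER_CHAIN, MODERN_STORE, NOW, True),
        "gnutls-like, legacy store": build_path(SERVER_CHAIN, LEGACY_STORE, NOW, False),
        "openssl-like, legacy store": build_path(SERVER_CHAIN, LEGACY_STORE, NOW, True),
        "gnutls-like, server drops cross-sign": build_path(FIXED_CHAIN, MODERN_STORE, NOW, False),
    }


if __name__ == "__main__":
    for label, (ok, path, reason) in scenarios().items():
        print(f"{label:38s} {'OK  ' if ok else 'FAIL'} {' -> '.join(path)} ({reason})")
```

Two things the table of scenarios makes visible that the thread only states: a validator that anchors at the trust store as soon as it can never touches the expired cross-sign, so the same server chain passes; and no validator behaviour helps a box whose store only contains the AddTrust root, because that anchor itself expired at 10:48:38 UTC. Dropping the cross-signed certificate from the server's chain, as Petr suggests, makes even the strict walk succeed.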