Thanks for your report. This is fixed now in GnuTLS and likely goes into the release 3.6.14, scheduled for tomorrow.
https://gitlab.com/gnutls/gnutls/-/issues/1008
https://gitlab.com/gnutls/gnutls/-/merge_requests/1271

Regards,
Tim

On 30.05.20 19:57, Tenboro wrote:
> Hello,
>
> Today I started getting some errors with a maintenance script that makes
> use of wget, where it claims that a certificate has expired.
>
> DEBUG output created by Wget 1.19.5 on linux-gnu.
>
> Reading HSTS entries from /root/.wget-hsts
> URI encoding = ‘UTF-8’
> --2020-05-30 17:29:58-- https://ehwiki.org/
> Certificates loaded: 154
> Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
> Caching ehwiki.org => 94.100.29.76
> Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
> Created socket 4.
> Releasing 0x00005633a3c84880 (new refcount 1).
> ERROR: The certificate of ‘ehwiki.org’ is not trusted.
> ERROR: The certificate of ‘ehwiki.org’ has expired.
>
> However, the certificate does not expire until March 2021. Doing the same
> with curl on the same box produces no errors, so it does not seem to be an
> issue with the system CA certs. Based on some slouching around, it seems to
> have something to do with wget not correctly handling the expiry of the
> Sectigo AddTrust root certificate:
>
> https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
>
> This test link from Sectigo similarly works in Chrome/Firefox/curl, but not
> in wget.
>
> https://addtrustchain.test.certificatetest.com/
>
> wget -d https://addtrustchain.test.certificatetest.com/
> DEBUG output created by Wget 1.19.5 on linux-gnu.
>
> Reading HSTS entries from /root/.wget-hsts
> URI encoding = ‘UTF-8’
> Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
> --2020-05-30 17:50:32-- https://addtrustchain.test.certificatetest.com/
> Certificates loaded: 154
> Resolving addtrustchain.test.certificatetest.com (addtrustchain.test.certificatetest.com)... 35.245.138.9
> Caching addtrustchain.test.certificatetest.com => 35.245.138.9
> Connecting to addtrustchain.test.certificatetest.com (addtrustchain.test.certificatetest.com)|35.245.138.9|:443... connected.
> Created socket 3.
> Releasing 0x0000559518283390 (new refcount 1).
> ERROR: The certificate of ‘addtrustchain.test.certificatetest.com’ is not trusted.
> ERROR: The certificate of ‘addtrustchain.test.certificatetest.com’ has expired.
>
> curl https://addtrustchain.test.certificatetest.com/
> Certificate issued from a CA signed by <b>USERTrust RSA Certification Authority</b> with a cross cert via server chain from <b>AddTrust External CA Root</b>
>
>
> The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations with
> all updates applied.
>
> I'm not sure if this is a distro issue or an issue with wget itself?
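The report contrasts two ways of validating the chain a server sends: one that validates every certificate in the served chain as-is (and therefore trips over the expired AddTrust cross-signing root), and one that builds a path from the leaf towards whatever anchor the local trust store already holds (and therefore stops at the self-signed USERTrust RSA Certification Authority root without ever touching the AddTrust certificate). The following is an added example, not code from this thread, from GnuTLS, wget or curl, and not a description of the actual GnuTLS fix: a stdlib-only Python model of those two strategies. The CA names are the ones named in the report; the leaf "www.example.test", the intermediate "Example Issuing CA", the validity dates, the trust-store contents and the timestamps are constructed, and no signatures are checked, so this is a path-building model, not a verifier.

```python
"""Model of two X.509 chain-validation strategies (added example; simplified,
not GnuTLS/OpenSSL code).  Certificates are dicts with only the fields a path
builder needs; signatures are not checked."""
from datetime import datetime, timezone


def cert(subject, issuer, not_after):
    """Constructed stand-in for an X.509 certificate (no DER, no signature)."""
    return {"subject": subject, "issuer": issuer,
            "not_after": datetime(*not_after, tzinfo=timezone.utc)}


def is_expired(c, now):
    return now > c["not_after"]


def verify_strict(served_chain, trust_store, now):
    """Strategy 1: take the served chain literally.  Every certificate the
    server sent must be in its validity period, each must be issued by the
    next, and the last must match a trust-store anchor.  An expired
    cross-signing root anywhere in the served chain fails the handshake even
    though a shorter valid path exists.  Returns (ok, path_or_reason)."""
    for c in served_chain:
        if is_expired(c, now):
            return False, f"expired: {c['subject']}"
    for prev, nxt in zip(served_chain, served_chain[1:]):
        if prev["issuer"] != nxt["subject"]:
            return False, f"broken chain at {prev['subject']}"
    last = served_chain[-1]
    if not any(t["subject"] == last["subject"] for t in trust_store):
        return False, f"untrusted root: {last['subject']}"
    return True, [c["subject"] for c in served_chain]


def verify_with_path_building(served_chain, trust_store, now, max_depth=8):
    """Strategy 2: walk up from the leaf.  At each step prefer a trust-store
    anchor whose subject matches the current issuer; only fall back to the
    server-supplied certificates when no anchor matches.  With the self-signed
    USERTrust root in the store, the path ends there and the expired AddTrust
    cross-cert is never considered.  Returns (ok, path_or_reason)."""
    served = {c["subject"]: c for c in served_chain[1:]}
    anchors = {t["subject"]: t for t in trust_store}
    path = [served_chain[0]]
    while len(path) <= max_depth:
        cur = path[-1]
        if is_expired(cur, now):
            return False, f"expired: {cur['subject']}"
        if anchors.get(cur["subject"]) is cur:      # reached a trust anchor
            return True, [c["subject"] for c in path]
        issuer = cur["issuer"]
        if issuer in anchors:
            path.append(anchors[issuer])
        elif issuer in served and issuer != cur["subject"]:
            path.append(served[issuer])
        else:
            return False, f"untrusted: no issuer found for {cur['subject']}"
    return False, "path too long"


# Constructed scenario modelled on the report.  Dates are illustrative.
ADDTRUST_ROOT = cert("AddTrust External CA Root", "AddTrust External CA Root",
                     (2020, 5, 30, 10, 48, 38))
USERTRUST_CROSS = cert("USERTrust RSA Certification Authority",
                       "AddTrust External CA Root", (2020, 5, 30, 10, 48, 38))
USERTRUST_ROOT = cert("USERTrust RSA Certification Authority",
                      "USERTrust RSA Certification Authority",
                      (2038, 1, 18, 23, 59, 59))
ISSUING_CA = cert("Example Issuing CA", "USERTrust RSA Certification Authority",
                  (2030, 12, 31, 23, 59, 59))           # hypothetical
LEAF = cert("www.example.test", "Example Issuing CA",
            (2021, 3, 1, 0, 0, 0))                       # hypothetical

# What the server sends: leaf, intermediate, cross-signed USERTrust, AddTrust.
SERVED_CHAIN = [LEAF, ISSUING_CA, USERTRUST_CROSS, ADDTRUST_ROOT]
STORE_WITH_USERTRUST = [USERTRUST_ROOT, ADDTRUST_ROOT]   # constructed store
STORE_ADDTRUST_ONLY = [ADDTRUST_ROOT]                    # constructed store
NOW = datetime(2020, 5, 30, 17, 29, 58, tzinfo=timezone.utc)   # from the log
BEFORE_EXPIRY = datetime(2020, 5, 29, 12, 0, 0, tzinfo=timezone.utc)


def demo():
    return {
        "strict, after expiry": verify_strict(SERVED_CHAIN, STORE_WITH_USERTRUST, NOW),
        "path-building, after expiry": verify_with_path_building(
            SERVED_CHAIN, STORE_WITH_USERTRUST, NOW),
        "path-building, store lacks USERTrust root": verify_with_path_building(
            SERVED_CHAIN, STORE_ADDTRUST_ONLY, NOW),
        "strict, before expiry": verify_strict(SERVED_CHAIN, STORE_WITH_USERTRUST,
                                               BEFORE_EXPIRY),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running it shows the asymmetry from the report: the strict walk reports the cross-signed USERTrust certificate as expired, the path builder succeeds with the three-certificate path ending at the trusted self-signed USERTrust root, and the same path builder fails when the store contains only the AddTrust root, because the only route it can find goes through the expired cross-cert. The last case is why a stale trust store reproduces the symptom even with a fixed client.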
