Package: mirrors
Severity: important
X-Debbugs-Cc: [email protected]

Dear Maintainer,

Description:

When attempting to connect to ftp.us.debian.org via SSL on port 443, the server presents a certificate for *.osuosl.org or mirrors.wikimedia.org instead of a valid certificate for the debian.org subdomain.

CURL Output
- subjectAltName does not match hostname ftp.us.debian.org
- SSL: no alternative certificate subject name matches target hostname 'ftp.us.debian.org'

This causes APT to fail when HTTPS is selected:

Ign:8 https://ftp.us.debian.org/debian trixie-updates InRelease
Err:8 https://ftp.us.debian.org/debian trixie-updates InRelease
  SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 64.50.233.100 443]
Err:4 https://ftp.us.debian.org/debian trixie InRelease
  SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 64.50.233.100 443]
All packages are up to date.
Warning: Failed to fetch https://ftp.us.debian.org/debian/dists/trixie/InRelease SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 64.50.233.100 443]
Warning: Failed to fetch https://ftp.us.debian.org/debian/dists/trixie-updates/InRelease SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 64.50.233.100 443]

Two examples as below:

Host ftp.us.debian.org:443 was resolved.
* IPv6: 2600:3402:200:227::2, 2600:3404:200:237::2, 2620:0:861:2:208:80:154:139
* IPv4: 64.50.236.52, 64.50.233.100, 208.80.154.139
* Trying [2600:3402:200:227::2]:443...
* Immediate connect fail for 2600:3402:200:227::2: Network is unreachable
* Trying [2600:3404:200:237::2]:443...
* Immediate connect fail for 2600:3404:200:237::2: Network is unreachable
* Trying [2620:0:861:2:208:80:154:139]:443...
* Immediate connect fail for 2620:0:861:2:208:80:154:139: Network is unreachable
* Trying 64.50.236.52:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305 / x25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=US; ST=Oregon; O=Oregon State University; CN=*.osuosl.org
* start date: Jul 17 00:00:00 2025 GMT
* expire date: Aug 17 23:59:59 2026 GMT
* subjectAltName does not match hostname ftp.us.debian.org
* SSL: no alternative certificate subject name matches target hostname 'ftp.us.debian.org'
* closing connection #0
curl: (60) SSL: no alternative certificate subject name matches target hostname 'ftp.us.debian.org'
More details here: https://curl.se/docs/sslcerts.html

curl -vI https://ftp.us.debian.org
* Host ftp.us.debian.org:443 was resolved.
* IPv6: 2620:0:861:2:208:80:154:139, 2600:3404:200:237::2, 2600:3402:200:227::2
* IPv4: 208.80.154.139, 64.50.233.100, 64.50.236.52
* Trying [2620:0:861:2:208:80:154:139]:443...
* Immediate connect fail for 2620:0:861:2:208:80:154:139: Network is unreachable
* Trying [2600:3404:200:237::2]:443...
* Immediate connect fail for 2600:3404:200:237::2: Network is unreachable
* Trying [2600:3402:200:227::2]:443...
* Immediate connect fail for 2600:3402:200:227::2: Network is unreachable
* Trying 208.80.154.139:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256 / x25519 / id-ecPublicKey
* ALPN: server accepted http/1.1
* Server certificate:
* subject: CN=mirrors.wikimedia.org
* start date: Mar 5 18:56:25 2026 GMT
* expire date: Jun 3 18:56:24 2026 GMT
* subjectAltName does not match hostname ftp.us.debian.org
* SSL: no alternative certificate subject name matches target hostname 'ftp.us.debian.org'
* closing connection #0
curl: (60) SSL: no alternative certificate subject name matches target hostname 'ftp.us.debian.org'
More details here: https://curl.se/docs/sslcerts.html
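Added example, not part of the original report: a small Python audit that maps each backend IP in a `curl -v` transcript to the certificate name it served and tests that name against the requested host using the usual single-label wildcard rule. The function names are hypothetical, and the subject CN printed by curl is used as a stand-in for the SAN list, which `curl -v` does not print.

```python
import re

# Excerpt of the two `curl -v` runs quoted in the report above (trimmed).
SAMPLE_LOG = """\
* Trying [2600:3402:200:227::2]:443...
* Immediate connect fail for 2600:3402:200:227::2: Network is unreachable
* Trying 64.50.236.52:443...
* Server certificate:
* subject: C=US; ST=Oregon; O=Oregon State University; CN=*.osuosl.org
* subjectAltName does not match hostname ftp.us.debian.org
* Trying [2620:0:861:2:208:80:154:139]:443...
* Immediate connect fail for 2620:0:861:2:208:80:154:139: Network is unreachable
* Trying 208.80.154.139:443...
* Server certificate:
* subject: CN=mirrors.wikimedia.org
* subjectAltName does not match hostname ftp.us.debian.org
"""

def san_matches(pattern: str, host: str) -> bool:
    """Wildcard match: '*' only as the whole left-most label, covering exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative: refuse bare '*' and '*.tld' patterns.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit_curl_log(log: str, host: str):
    """Return [(ip, cert_name, matches_host)] for each certificate seen in `curl -v` output."""
    results, ip = [], None
    for raw in log.splitlines():
        line = raw.lstrip("* ").strip()
        m = re.match(r"Trying \[?([0-9A-Fa-f:.]+?)\]?:(\d+)\.\.\.", line)
        if m:
            ip = m.group(1)  # the last "Trying" before a certificate is the peer that answered
            continue
        m = re.match(r"subject:.*?\bCN\s*=\s*([^;,\s]+)", line)
        if m and ip:
            # Assumption: subject CN stands in for the SAN entries.
            results.append((ip, m.group(1), san_matches(m.group(1), host)))
    return results

if __name__ == "__main__":
    for ip, name, ok in audit_curl_log(SAMPLE_LOG, "ftp.us.debian.org"):
        print(f"{ip:<16} {name:<24} {'match' if ok else 'MISMATCH'}")
```

Under the same rule a `*.debian.org` certificate would not cover ftp.us.debian.org either, because the wildcard spans only one label.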

