bug-wget

Sectigo root CA expiry issue


From: Tenboro
Subject: Sectigo root CA expiry issue
Date: Sat, 30 May 2020 19:57:22 +0200

Hello,

Today I started getting some errors with a maintenance script that makes
use of wget, where it claims that a certificate has expired.

DEBUG output created by Wget 1.19.5 on linux-gnu.

Reading HSTS entries from /root/.wget-hsts
URI encoding = ‘UTF-8’
--2020-05-30 17:29:58--  https://ehwiki.org/
Certificates loaded: 154
Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
Caching ehwiki.org => 94.100.29.76
Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
Created socket 4.
Releasing 0x00005633a3c84880 (new refcount 1).
ERROR: The certificate of ‘ehwiki.org’ is not trusted.
ERROR: The certificate of ‘ehwiki.org’ has expired.

However, the certificate does not expire until March 2021. Doing the same
with curl on the same box produces no errors, so it does not seem to be an
issue with the system CA certs. Based on some slouching around, it seems to
have something to do with wget not correctly handling the expiry of the
Sectigo AddTrust root certificate:

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

This test link from Sectigo similarly works in Chrome/Firefox/curl, but not
in wget.

https://addtrustchain.test.certificatetest.com/

wget -d https://addtrustchain.test.certificatetest.com/
DEBUG output created by Wget 1.19.5 on linux-gnu.

Reading HSTS entries from /root/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2020-05-30 17:50:32--  https://addtrustchain.test.certificatetest.com/
Certificates loaded: 154
Resolving addtrustchain.test.certificatetest.com (addtrustchain.test.certificatetest.com)... 35.245.138.9
Caching addtrustchain.test.certificatetest.com => 35.245.138.9
Connecting to addtrustchain.test.certificatetest.com (addtrustchain.test.certificatetest.com)|35.245.138.9|:443... connected.
Created socket 3.
Releasing 0x0000559518283390 (new refcount 1).
ERROR: The certificate of ‘addtrustchain.test.certificatetest.com’ is not trusted.
ERROR: The certificate of ‘addtrustchain.test.certificatetest.com’ has expired.

curl https://addtrustchain.test.certificatetest.com/
Certificate issued from a CA signed by <b>USERTrust RSA Certification
Authority</b> with a cross cert via server chain from <b>AddTrust External
CA Root</b>


The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations with
all updates applied.

I'm not sure if this is a distro issue or an issue with wget itself?
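
Added illustration, not part of the original message and not wget's or curl's code: a simplified model of two ways a client can validate the chain described in the curl output above (a CA signed by USERTrust RSA Certification Authority, cross-signed via AddTrust External CA Root). The certificate records, all dates other than the 30 May 2020 expiry, the trust store contents and the function names are constructed assumptions, and no signatures are checked.

```python
from datetime import datetime, timezone
ADDTRUST = "AddTrust External CA Root"
USERTRUST = "USERTrust RSA Certification Authority"

def cert(subject, issuer, not_after):
    """Constructed record: names and expiry only, no keys or signatures."""
    when = datetime.strptime(not_after, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return {"subject": subject, "issuer": issuer, "not_after": when}

# Chain as a server would send it: leaf, intermediate, expired cross cert.
SERVER_CHAIN = [
    cert("leaf.example", "Constructed Intermediate CA", "2021-03-01"),
    cert("Constructed Intermediate CA", USERTRUST, "2030-12-31"),
    cert(USERTRUST, ADDTRUST, "2020-05-30"),
]
# Assumed trust store: the newer self-signed root plus the expired one.
TRUST_STORE = {
    USERTRUST: cert(USERTRUST, USERTRUST, "2038-01-18"),
    ADDTRUST: cert(ADDTRUST, ADDTRUST, "2020-05-30"),
}
BEFORE = datetime(2020, 5, 29, tzinfo=timezone.utc)
AFTER = datetime(2020, 5, 30, 17, 50, tzinfo=timezone.utc)

def expired(c, now):
    return now > c["not_after"]

def verify_full_chain(chain, store, now):
    """Check every certificate the server sent, then the root above the last one."""
    errors = [f"expired: {c['subject']} (issuer {c['issuer']})"
              for c in chain if expired(c, now)]
    root = store.get(chain[-1]["issuer"])
    if root is None:
        errors.append(f"not trusted: no anchor for {chain[-1]['issuer']}")
    elif expired(root, now):
        errors.append(f"expired: root {root['subject']}")
    return (not errors, errors)

def verify_shortest_path(chain, store, now):
    """Stop at the first certificate whose issuer is an unexpired trust anchor."""
    for c in chain:
        if expired(c, now):
            return (False, [f"expired: {c['subject']} (issuer {c['issuer']})"])
        anchor = store.get(c["issuer"])
        if anchor is not None and not expired(anchor, now):
            return (True, [])  # later server-sent certificates are never examined
    return (False, ["not trusted: no valid anchor found"])
if __name__ == "__main__":
    for fn in (verify_full_chain, verify_shortest_path):
        print(fn.__name__, fn(SERVER_CHAIN, TRUST_STORE, AFTER))
```

Removing the USERTrust entry from TRUST_STORE makes both functions fail after the expiry date, which models a client whose CA bundle lacks the newer root.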

