bug-wget

Re: Sectigo root CA expiry issue


From: darnir
Subject: Re: Sectigo root CA expiry issue
Date: Sun, 31 May 2020 00:18:08 +0200
User-agent: K-9 Mail for Android

For anyone interested, this topic is currently trending on Hacker News:

https://news.ycombinator.com/item?id=23362759

On May 30, 2020 9:02:36 PM GMT+02:00, Petr Pisar <petr.pisar@atlas.cz> wrote:
>On Sat, May 30, 2020 at 07:57:22PM +0200, Tenboro wrote:
>> Today I started getting some errors with a maintenance script that makes
>> use of wget, where it claims that a certificate has expired.
>> 
>> DEBUG output created by Wget 1.19.5 on linux-gnu.
>> 
>> Reading HSTS entries from /root/.wget-hsts
>> URI encoding = ‘UTF-8’
>> --2020-05-30 17:29:58--  https://ehwiki.org/
>> Certificates loaded: 154
>> Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
>> Caching ehwiki.org => 94.100.29.76
>> Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
>> Created socket 4.
>> Releasing 0x00005633a3c84880 (new refcount 1).
>> ERROR: The certificate of ‘ehwiki.org’ is not trusted.
>> ERROR: The certificate of ‘ehwiki.org’ has expired.
>> 
>> However, the certificate does not expire until March 2021.
>
>Yes. That's a badly worded error message by wget. The issue is not with
>the ehwiki.org certificate. The issue is with its authority's certificate.
>
>> Doing the same with curl on the same box produces no errors, so it does
>> not seem to be an issue with the system CA certs. Based on some slouching
>> around, it seems to have something to do with wget not correctly handling
>> the expiry of the Sectigo AddTrust root certificate:
>> 
>>
>https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
>> 
>[...]
>> The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations
>> with all updates applied.
>> 
>> I'm not sure if this is a distro issue or an issue with wget itself?
>
>I experience it on Gentoo too. The problem is not in wget:
>
>$ wget --version
>GNU Wget 1.20.3 built on linux-gnu.
>
>-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls 
>-ntlm +opie -psl +ssl/gnutls 
>
>but in GnuTLS library:
>
>$ gnutls-cli --port https ehwiki.org
>Processed 158 CA certificate(s).
>Resolving 'ehwiki.org:https'...
>Connecting to '94.100.29.76:443'...
>- Certificate type: X.509
>- Got a certificate list of 3 certificates.
>- Certificate[0] info:
>- subject `CN=ehwiki.org,OU=Gandi Standard SSL,OU=Domain Control
>Validated', issuer `CN=Gandi Standard SSL CA
>2,O=Gandi,L=Paris,ST=Paris,C=FR', serial
>0x63a5ea656ff9efdfe68ec85d3025466c, RSA key 2048 bits, signed using
>RSA-SHA256, activated `2019-01-31 00:00:00 UTC', expires `2021-03-12
>23:59:59 UTC',
>pin-sha256="wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78="
>        Public Key ID:
>                sha1:63ddc827cb0c5efda0634864ececc9855001c8bc
>sha256:c0f6ea14b959a906ee17eb619c26abb1fd24f026ef33cc1b6e385c4f8e65c7bf
>        Public Key PIN:
>                pin-sha256:wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78=
>
>- Certificate[1] info:
>- subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR',
>issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST
>Network,L=Jersey City,ST=New Jersey,C=US', serial
>0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using
>RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11
>23:59:59 UTC',
>pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4="
>- Certificate[2] info:
>- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST
>Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External
>CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial
>0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using
>RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30
>10:48:38 UTC',
>pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
>- Status: The certificate is NOT trusted. The certificate chain uses
>expired certificate. 
>*** PKI verification of server certificate failed...
>*** Fatal error: Error in the certificate.
>
>It seems that GnuTLS stops on a failure in the first certificate chain,
>while other libraries like OpenSSL explore other chains before giving up.
>
>It would help if the ehwiki.org server did not send the expired certificate
>in the certificate chain of the TLS handshake and sent the alternative one
>that has not yet expired, as advertised on the Sectigo web page you linked.
>
>-- Petr

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
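The difference Petr describes, a verifier that follows only the chain the server sent versus one that backtracks and tries alternative issuers, is easy to see in a small path-building model. The following is an added example, not code from the thread, from wget or from GnuTLS/OpenSSL: it models certificates as (subject, issuer, notAfter, key) records with no signature checking, uses abbreviated subject names, takes the leaf, Gandi CA and cross-signed USERTrust expiry dates from the gnutls-cli output above, and assumes a trust store holding the AddTrust root (expiry assumed equal to the cross-certificate's) plus a self-signed USERTrust root with a constructed far-future expiry. The check time is the timestamp from Tenboro's wget log.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: no signatures, the key is stood in for by a label."""
    subject: str
    issuer: str
    not_after: datetime
    key_id: str


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Chain as sent by the server (dates from the gnutls-cli output in the thread; names abbreviated).
LEAF = Cert("CN=ehwiki.org", "CN=Gandi Standard SSL CA 2", ts("2021-03-12 23:59:59"), "key-ehwiki")
GANDI_CA2 = Cert("CN=Gandi Standard SSL CA 2", "CN=USERTrust RSA Certification Authority",
                 ts("2024-09-11 23:59:59"), "key-gandi")
USERTRUST_CROSS = Cert("CN=USERTrust RSA Certification Authority", "CN=AddTrust External CA Root",
                       ts("2020-05-30 10:48:38"), "key-usertrust")
PRESENTED = [GANDI_CA2, USERTRUST_CROSS]  # intermediates, in the order the server sent them

# Modelled trust store (assumption): the old AddTrust root, expiring at the same instant as the
# cross-certificate, and the self-signed USERTrust root with a constructed far-future expiry.
ADDTRUST_ROOT = Cert("CN=AddTrust External CA Root", "CN=AddTrust External CA Root",
                     ts("2020-05-30 10:48:38"), "key-addtrust")
USERTRUST_ROOT = Cert("CN=USERTrust RSA Certification Authority",
                      "CN=USERTrust RSA Certification Authority", ts("2038-01-01 00:00:00"), "key-usertrust")
ANCHORS = [ADDTRUST_ROOT, USERTRUST_ROOT]

NOW = ts("2020-05-30 17:29:58")  # timestamp of the failing wget run in the thread


def candidates(cert, presented, anchors):
    """Possible issuers of `cert`: what the server sent first, then the local trust store."""
    sent = [c for c in presented if c.subject == cert.issuer and c.key_id != cert.key_id]
    trusted = [a for a in anchors if a.subject == cert.issuer and a != cert]
    return sent + trusted


def build_path(cert, presented, anchors, now, explore, path=()):
    """Depth-first path building. With explore=False only the first candidate issuer is tried
    (the server's chain as sent); with explore=True every alternative is tried before giving up."""
    path = path + (cert,)
    if cert.not_after < now:
        return None, f"expired: {cert.subject}"
    if cert in anchors:
        return path, "ok"
    if cert.subject == cert.issuer:
        return None, f"untrusted self-signed root: {cert.subject}"
    reason = f"no issuer found for {cert.subject}"
    for issuer in candidates(cert, presented, anchors):
        if issuer in path:
            continue
        found, reason = build_path(issuer, presented, anchors, now, explore, path)
        if found:
            return found, "ok"
        if not explore:
            break
    return None, reason


def verify(leaf, presented, anchors, now, explore):
    """Return (list of subjects on the accepted path or None, reason)."""
    path, reason = build_path(leaf, presented, anchors, now, explore)
    return ([c.subject for c in path] if path else None), reason


if __name__ == "__main__":
    for explore in (False, True):
        label = "explore alternatives" if explore else "first chain only"
        print(f"{label}: {verify(LEAF, PRESENTED, ANCHORS, NOW, explore)}")
```

With `explore=False` the walk reaches the cross-signed USERTrust certificate, finds it expired and stops, which matches the GnuTLS "certificate chain uses expired certificate" result above. With `explore=True` the same expired candidate is skipped and the Gandi intermediate is chained directly to the self-signed USERTrust anchor, which is why curl against OpenSSL succeeded on the same box. Passing `[GANDI_CA2]` alone as the presented chain shows Petr's proposed server-side fix: once the server stops sending the cross-certificate, even the strict verifier builds a valid path.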

