skip to Main Content

I have a Debian 10 buster server, one of several identical hardware/software configs. I use a script that deploys them, they are all identical. However, one of them is throwing an error when using wget:

# wget https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.6.15.tar.xz
--2020-05-30 12:49:20--  https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.6.15.tar.xz
Resolving mirrors.edge.kernel.org (mirrors.edge.kernel.org)... 147.75.69.165, 2604:1380:1000:8100::1
Connecting to mirrors.edge.kernel.org (mirrors.edge.kernel.org)|147.75.69.165|:443... connected.
ERROR: The certificate of ‘mirrors.edge.kernel.org’ is not trusted.
ERROR: The certificate of ‘mirrors.edge.kernel.org’ has expired.

Things I’ve done:

  • Checked that the SSL certificate is valid
  • Confirmed the exact same command works on other servers
  • Checked the system date, confirmed correct
  • Checked resolv.conf, configuring for 8.8.8.8 8.8.4.4 identical to others
  • Checked name resolution manually, working fine
  • Reinstall apt-get install --reinstall ca-certificates
  • Ran update-ca-certificates --fresh
  • Ran c_rehash
  • Used curl, it works fine without errors, shows correct SSL expiration

The problem seems to only be wget from what I can tell. I don’t need a workaround. I need a solution so I have confidence this server is operating as it should.

3

Answers


  1. Chosen as BEST ANSWER

    I was able to solve my own problem using --no-dns-cache

    # wget --no-dns-cache --debug https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.6.15.tar.xz
    

    After this, it apparently updated whatever file was broken. It now works without the --no-dns-cache as well. So strange, but it seems stable.


  2. I have the same symptom for f-droid.org:

    % wget 'https://f-droid.org/F-Droid.apk'
    --2020-06-03 14:10:18--  https://f-droid.org/F-Droid.apk
    Resolving f-droid.org (f-droid.org)... 217.160.165.113, 148.251.140.42
    Connecting to f-droid.org (f-droid.org)|217.160.165.113|:443... connected.
    ERROR: The certificate of ‘f-droid.org’ is not trusted.
    ERROR: The certificate of ‘f-droid.org’ has expired.
    

    In my case (Debian 9 stretch), curl doesn’t work either:

    % curl 'https://f-droid.org/F-Droid.apk'
    curl: (60) SSL certificate problem: certificate has expired
    More details here: https://curl.haxx.se/docs/sslcerts.html
    

    Looking at wget source one can see the error comes from status flag returned by gnutls_certificate_verify_peers2. We can ask gnutls to show certificate verification details:

    % gnutls-cli f-droid.org -p 443
    Processed 151 CA certificate(s).
    Resolving 'f-droid.org:443'...
    Connecting to '217.160.165.113:443'...
    - Certificate type: X.509
    - Got a certificate list of 3 certificates.
    - Certificate[0] info:
     - subject `CN=f-droid.org,OU=PositiveSSL,OU=Domain Control Validated', issuer `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x02a8508e042b9f065fafadd87cd7d103, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-09-17 00:00:00 UTC', expires `2020-09-16 23:59:59 UTC', key-ID `sha256:e97ccbf3c188b5cf69a83ed0fc39b001ce1688a62b573193cef3f74984c7d703'
        Public Key ID:
                sha1:638f93856e1f5edfcbd40c46d4160cff21b0713a
                sha256:e97ccbf3c188b5cf69a83ed0fc39b001ce1688a62b573193cef3f74984c7d703
        Public key's random art:
                +--[ RSA 2048]----+
                |           o o+o.|
                |            *...o|
                |           E ..+ |
                |         .  ... o|
                |        S .   o .|
                |       o *   . o.|
                |        * o .  .o|
                |       . + o .o. |
                |          o   .oo|
                +-----------------+
    
    - Certificate[1] info:
     - subject `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x7d5b5126b476ba11db74160bbc530da7, RSA key 2048 bits, signed using RSA-SHA384, activated `2018-11-02 00:00:00 UTC', expires `2030-12-31 23:59:59 UTC', key-ID `sha256:e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8'
    - Certificate[2] info:
     - subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', key-ID `sha256:c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde'
    - Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
    *** PKI verification of server certificate failed...
    

    So the problem is the USERTrust RSA Certification Authority certificate supplied by the server f-droid.org. This is an intermediate cert signed by AddTrust External CA Root that expired 4 days ago.

    The Debian ca-certificates package has a self-signed (root) certificate for USERTrust RSA Certification Authority:

    % openssl x509 -inform PEM -in /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt -text | grep -A2 Validity
        Validity
            Not Before: Feb  1 00:00:00 2010 GMT
            Not After : Jan 18 23:59:59 2038 GMT
    

    …but gnutls is confused by the expired cert supplied by the server, hence the error.

    In your case (mirrors.edge.kernel.org) the certificate chain is as follows:

    % gnutls-cli mirrors.edge.kernel.org -p 443
    Processed 151 CA certificate(s).
    Resolving 'mirrors.edge.kernel.org:443'...
    Connecting to '147.75.101.1:443'...
    - Certificate type: X.509
    - Got a certificate list of 3 certificates.
    - Certificate[0] info:
     - subject `CN=*.edge.kernel.org', issuer `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00a34d0ccfbf4ea450fe030fd3378f5d68, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-03-16 00:00:00 UTC', expires `2021-03-16 23:59:59 UTC', key-ID `sha256:f3746cf281b6453def23289054e75e26e157bfd9eed5252b76ffdc828b802e41'
        Public Key ID:
                sha1:72d8fc84d0dea848189bc3ff8eb1d47629fd72c0
                sha256:f3746cf281b6453def23289054e75e26e157bfd9eed5252b76ffdc828b802e41
        Public key's random art:
                +--[ RSA 2048]----+
                |                 |
                |       .         |
                |  .   . .        |
                | . =   * +       |
                |  * . o.S o      |
                |   + o =E+       |
                |    = = +..      |
                |   . * o...      |
                |    o.o  o.      |
                +-----------------+
    
    - Certificate[1] info:
     - subject `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x7d5b5126b476ba11db74160bbc530da7, RSA key 2048 bits, signed using RSA-SHA384, activated `2018-11-02 00:00:00 UTC', expires `2030-12-31 23:59:59 UTC', key-ID `sha256:e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8'
    - Certificate[2] info:
     - subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x01fd6d30fca3ca51a81bbc640e35032d, RSA key 4096 bits, signed using RSA-SHA384, activated `2010-02-01 00:00:00 UTC', expires `2038-01-18 23:59:59 UTC', key-ID `sha256:c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde'
    - Status: The certificate is trusted. 
    

    Again we see USERTrust RSA Certification Authority, but here it’s a self-signed (root) certificate, not expired. I guess kernel.org did supply expired intermediate certificate too, but corrected under your hands. I think --no-dns-cache is irrelevant, mere coincidence.

    Incidentally, Firefox displays https://f-droid.org just fine. Show page info / Security reveals new self-signed (root) USERTrust cert: Not after: 18 January 2038, 23:59:59 GMT. That is, Firefox ignored the expired intermediate USERTrust cert supplied by the server, used the valid root USERTrust cert available locally.

    Resolution? The server webmaster should remove the obsolete intermediate certificate from the server configuration. In the meantime, use Firefox (or curl, if it works) instead of wget.

    Update: as f-droid people pointed out, the gnutls bug is fixed already, the fix should be in Debian-security soon.

    Login or Signup to reply.
  3. My problem was with the Let’s Encrypt cert, it said the same, on Debian 8.

    My solution:
    With the gnutls-cli command above I was able to look into the whole chain and it gave me a little more information, which eventually led me here: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

    With this information I issued

    # dpkg-reconfigure ca-certificates
    

    Unselected the already expired DST Root CA X3

    And it started to work.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search