Re: Sectigo root CA expiry issue
From: Tim Rühsen
Subject: Re: Sectigo root CA expiry issue
Date: Sun, 31 May 2020 20:37:57 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
Thanks for your report. This is fixed now in GnuTLS and likely goes into
the release 3.6.14, scheduled for tomorrow.
https://gitlab.com/gnutls/gnutls/-/issues/1008
https://gitlab.com/gnutls/gnutls/-/merge_requests/1271
Regards, Tim
On 30.05.20 19:57, Tenboro wrote:
> Hello,
>
> Today I started getting some errors with a maintenance script that makes
> use of wget, where it claims that a certificate has expired.
>
> DEBUG output created by Wget 1.19.5 on linux-gnu.
>
> Reading HSTS entries from /root/.wget-hsts
> URI encoding = ‘UTF-8’
> --2020-05-30 17:29:58-- https://ehwiki.org/
> Certificates loaded: 154
> Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
> Caching ehwiki.org => 94.100.29.76
> Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
> Created socket 4.
> Releasing 0x00005633a3c84880 (new refcount 1).
> ERROR: The certificate of ‘ehwiki.org’ is not trusted.
> ERROR: The certificate of ‘ehwiki.org’ has expired.
>
> However, the certificate does not expire until March 2021. Doing the same
> with curl on the same box produces no errors, so it does not seem to be an
> issue with the system CA certs. Based on some slouching around, it seems to
> have something to do with wget not correctly handling the expiry of the
> Sectigo AddTrust root certificate:
>
> https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
>
> This test link from Sectigo similarly works in Chrome/Firefox/curl, but not
> in wget.
>
> https://addtrustchain.test.certificatetest.com/
>
> wget -d https://addtrustchain.test.certificatetest.com/
> DEBUG output created by Wget 1.19.5 on linux-gnu.
>
> Reading HSTS entries from /root/.wget-hsts
> URI encoding = ‘UTF-8’
> Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
> --2020-05-30 17:50:32-- https://addtrustchain.test.certificatetest.com/
> Certificates loaded: 154
> Resolving addtrustchain.test.certificatetest.com (
> addtrustchain.test.certificatetest.com)... 35.245.138.9
> Caching addtrustchain.test.certificatetest.com => 35.245.138.9
> Connecting to addtrustchain.test.certificatetest.com (
> addtrustchain.test.certificatetest.com)|35.245.138.9|:443... connected.
> Created socket 3.
> Releasing 0x0000559518283390 (new refcount 1).
> ERROR: The certificate of ‘addtrustchain.test.certificatetest.com’ is not
> trusted.
> ERROR: The certificate of ‘addtrustchain.test.certificatetest.com’ has
> expired.
>
> curl https://addtrustchain.test.certificatetest.com/
> Certificate issued from a CA signed by <b>USERTrust RSA Certification
> Authority</b> with a cross cert via server chain from <b>AddTrust External
> CA Root</b>
>
>
> The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations with
> all updates applied.
>
> I'm not sure if this is a distro issue or an issue with wget itself?
>
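Added illustration, not code from wget, GnuTLS or either poster: a minimal model of chain building that shows why a leaf valid until 2021 gets reported as "expired". A verifier that follows the server-sent chain all the way to its self-signed end must evaluate the AddTrust cross-signing material that expired on 2020-05-30, while one that anchors as soon as an issuer is already in the local trust store (USERTrust RSA Certification Authority) never touches it. Certificate names come from the thread; "Example Issuing CA", the validity dates and the trust-store contents are constructed placeholders, and signatures are assumed to be good.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # only validity end is modelled; signature checks are assumed to pass

def verify(leaf, served, trust_store, now, anchor_first):
    """Return (ok, path_subjects, reason).
    served:      subject -> Cert sent by the server alongside the leaf
    trust_store: subject -> Cert of locally trusted self-signed roots
    anchor_first=True  stops at the first issuer found in the trust store (curl/browser behaviour);
    anchor_first=False keeps following the served chain to its self-signed end, so the expired
                       cross-signing certificates are checked although they are not needed."""
    path, cert = [leaf], leaf
    while True:
        if cert.not_after < now:
            return False, [c.subject for c in path], \
                f"{cert.subject} (issued by {cert.issuer}) has expired"
        if cert.subject == cert.issuer:  # reached a self-signed root
            ok = cert.subject in trust_store
            return ok, [c.subject for c in path], "root trusted" if ok else "root not trusted"
        if anchor_first and cert.issuer in trust_store:
            nxt = trust_store[cert.issuer]  # anchor locally; ignore the served cross-cert
        else:
            nxt = served.get(cert.issuer) or trust_store.get(cert.issuer)
        if nxt is None:
            return False, [c.subject for c in path], f"no issuer found for {cert.subject}"
        path.append(nxt)
        cert = nxt

# Constructed sample modelled on the thread (dates illustrative, names except the two roots made up).
NOW = date(2020, 5, 31)
ADDTRUST = "AddTrust External CA Root"
USERTRUST = "USERTrust RSA Certification Authority"
INTERMEDIATE = "Example Issuing CA"  # placeholder for the real issuing CA
LEAF = Cert("addtrustchain.test.certificatetest.com", INTERMEDIATE, date(2021, 3, 1))
SERVED = {c.subject: c for c in [
    Cert(INTERMEDIATE, USERTRUST, date(2030, 1, 1)),
    Cert(USERTRUST, ADDTRUST, date(2020, 5, 30)),  # cross-cert, expires with the legacy root
    Cert(ADDTRUST, ADDTRUST, date(2020, 5, 30)),   # the expired legacy root itself
]}
TRUST_STORE = {c.subject: c for c in [
    Cert(USERTRUST, USERTRUST, date(2038, 1, 18)),  # modern self-signed root
    Cert(ADDTRUST, ADDTRUST, date(2020, 5, 30)),    # expired root still present in many stores
]}

if __name__ == "__main__":
    for mode in (False, True):
        print(f"anchor_first={mode} ->", verify(LEAF, SERVED, TRUST_STORE, NOW, mode))
```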