Ubuntu 14.04 works better. Under similar conditions, the AAAA record is ignored and wget downloads the certificate from the correct server:
$ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
DEBUG output created by Wget 1.15 on linux-gnu.
URI encoding = ‘UTF-8’
--2014-04-24 13:54:34-- https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
Resolving www.digicert.com (www.digicert.com)... 64.78.193.234
Caching www.digicert.com => 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|64.78.193.234|:443... connected.
Created socket 3.
Releasing 0x00000000006ff3f0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000006ff670
certificate:
subject: /businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Utah/serialNumber=5299537-0142/street=Suite 500/street=2600 West Executive Parkway/postalCode=84043/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./CN=www.digicert.com
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
X509 certificate successfully verified and matches host www.digicert.com
---request begin---
GET /CACerts/DigiCertSHA2ExtendedValidationServerCA.crt HTTP/1.1
User-Agent: Wget/1.15 (linux-gnu)
Accept: */*
Host: www.digicert.com
Connection: Keep-Alive
...
$ host -a www.digicert.com
Trying "www.digicert.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14219
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.digicert.com. IN ANY
;; ANSWER SECTION:
www.digicert.com. 299 IN A 64.78.193.234
www.digicert.com. 0 IN AAAA ::ffff:67.215.65.132
Received 78 bytes from 127.0.1.1#53 in 27 ms
$ host -t A www.digicert.com
www.digicert.com has address 64.78.193.234
$ host -t AAAA www.digicert.com
www.digicert.com has no AAAA record