Wget cannot download from ftp.gnu.org using Let's Encrypt R3 CA certificate
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
wget (Ubuntu) | New | Undecided | Unassigned | | |
Bug Description
I'm working on Ubuntu 18.05, x86_64, fully patched. The system has been through both apt-get upgrade and dist-upgrade. The system provides Wget 1.19.4.
The program below fails to download from ftp.gnu.org using Let's Encrypt R3 CA certificate. Let's Encrypt R3 is the issuer for ftp.gnu.org. It is about the best trust anchor you can choose (sans pinning the host's public key).
If I use Daniel Stenberg's cacert.pem (https:/
If I use a newer version of Wget built with an OpenSSL backend, then the download succeeds. For example, Wget 1.20.3 and Wget 1.21 with an OpenSSL backend work fine.
-----
$ ./wget-test.sh
Failed to download Ncurses
# Hmm... Add --debug to Wget command
$ ./wget-test.sh
Setting --quiet (quiet) to 1
Setting --quiet (quiet) to 1
Setting --output-document (outputdocument) to ncurses-6.1.tar.gz
Setting --output-document (outputdocument) to ncurses-6.1.tar.gz
Setting --ca-certificate (cacertificate) to lets-encrypt-
Setting --ca-certificate (cacertificate) to lets-encrypt-
DEBUG output created by Wget 1.19.4 on linux-gnu.
Reading HSTS entries from /home/jwalton/
URI encoding = ‘UTF-8’
Caching ftp.gnu.org => 209.51.188.20 2001:470:142:3::b
Created socket 4.
Releasing 0x00005590bdacd590 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 4 to SSL handle 0x00005590bdad1fd0
certificate:
subject: CN=ftp.gnu.org
issuer: CN=R3,O=Let's Encrypt,C=US
Closed 4/SSL 0x00005590bdad1fd0
Failed to download Ncurses
$ cat ./wget-test.sh
#!/usr/bin/env bash
{
# This is the new "Let's Encrypt Authority R3"
# https:/
echo "-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwI
TzELMAkGA1UEBhM
cmNoIEdyb3VwMRU
WhcNMjUwOTE1MTY
RW5jcnlwdDELMAk
AoIBAQC7AhUozPa
R5QUVTVXjJ6oojk
sxPnHKzhm+
NHz6a4uPVymZ+
Z3Vms/EY96Jc5lP
/kiFHaFpriV1uxP
AYYwHQYDVR0lBBY
Af8CAQAwHQYDVR0
FHm0WeZ7tuXkAXO
AoYWaHR0cDovL3g
Oi8veDEuYy5sZW5
gt8TAQEBMA0GCSq
PTNlclQtgaDqw+
ikfmZW4/
CkcheAmCJ8MqyJu
lJNXoB1lBMEKIq4
avAuvDszue5L3sz
yJMC6alLbBfODAL
yK5GhDDX8oVfGKF
hCExroL1+
HlUjr8gRsI3qfJO
MldlTTKB3zhThV1
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----"
# This is the original "Let's Encrypt Authority X3"
# https:/
echo "-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwI
MSQwIgYDVQQKExt
DkRTVCBSb290IEN
SjELMAkGA1UEBhM
GkxldCdzIEVuY3J
AQ8AMIIBCgKCAQE
q6meNQhY7LEqxGi
SMx+yk13EiSdRxt
Z8h/pZq4UmEUEz9
a6xK8xuQSXgvopZ
/PIzark5McWvxI0
AQH/BAgwBgEB/
CCsGAQUFBzABhiZ
bTA7BggrBgEFBQc
c3Ryb290Y2F4My5
VAYDVR0gBE0wSzA
ARYiaHR0cDovL2N
MDGgL6AthitodHR
Y3JsMB0GA1UdDgQ
AAOCAQEA3TPXEfN
uM2VcGfl96S8Tih
wApIvJSwtmVi4MF
X4Po1QYz+
PfZ+G6Z6h7mjem0
KOqkqm57TH2H3eD
-----END CERTIFICATE-----"
} > lets-encrypt-
WGET=/usr/bin/wget
LETS_ENCRYPT_
if ! "$WGET" -q -O ncurses-6.1.tar.gz --ca-certificat
"https:/
then
    echo "Failed to download Ncurses"
    exit 1
fi
-----
$ apt-cache show wget
Package: wget
Architecture: amd64
Version: 1.19.4-1ubuntu2.2
Multi-Arch: foreign
Priority: standard
Section: web
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-
Bugs: https:/
Installed-Size: 932
Depends: libc6 (>= 2.17), libidn2-0 (>= 0.6), libpcre3, libpsl5 (>= 0.16.0), libssl1.1 (>= 1.1.0), libuuid1 (>= 2.16)
Recommends: ca-certificates
Conflicts: wget-ssl
Filename: pool/main/
Size: 315936
MD5sum: f90d75fd4a7653c
SHA1: 3e5f489afdbc3d7
SHA256: ccf494f932e83e0
SHA512: c06cd1cf745912d
Homepage: https:/
Description-en: retrieves files from the web
Wget is a network utility to retrieve files from the web
using HTTP(S) and FTP, the two most widely used internet
protocols. It works non-interactively, so it will work in
the background, after having logged off. The program supports
recursive retrieval of web-authoring pages as well as FTP
sites -- you can use Wget to make mirrors of archives and
home pages or to travel the web like a WWW robot.
...
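
An added example, not part of the original report and not Wget or Ubuntu code: an offline check of how the local OpenSSL treats an issuing (intermediate) CA used as the only trust anchor, which is the shape of trust store the report's script passes to --ca-certificate. The chain and every name in it are constructed for the test, and `-partial_chain` is the `openssl verify` option that lets a non-self-signed certificate act as an anchor. Whether this default is what makes the reported download fail is an assumption, not something the page establishes.

```bash
#!/bin/sh
# Added example: constructed chain "Test Root" -> "Test Intermediate" -> leaf.
# All names are made up; nothing here touches the network.

new_key_and_csr() {   # $1 = file prefix, $2 = subject
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {        # $1 = work directory
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example.test\n' > "$1/leaf.ext"
    new_key_and_csr "$1/root" "/CN=Test Root"         || return 1
    new_key_and_csr "$1/int"  "/CN=Test Intermediate" || return 1
    new_key_and_csr "$1/leaf" "/CN=leaf.example.test" || return 1
    # Self-signed root; the root signs the intermediate; the intermediate signs the leaf.
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -CAcreateserial -days 2 -extfile "$1/leaf.ext" -out "$1/leaf.pem" 2>/dev/null
}

# Verify the leaf with ONLY the intermediate in the trust store.
# $1 = work directory, remaining arguments = extra `openssl verify` options.
verify_anchor_only() {
    dir=$1; shift
    openssl verify "$@" -CAfile "$dir/int.pem" "$dir/leaf.pem" >/dev/null 2>&1
}

# Conventional setup: the root is the anchor, the intermediate is untrusted input.
verify_with_root() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d) && make_chain "$work" || return 1
    for opts in "" "-partial_chain"; do
        if verify_anchor_only "$work" $opts; then r=accepted; else r=rejected; fi
        echo "intermediate as only anchor, options '$opts': $r"
    done
    verify_with_root "$work" && echo "root anchor + untrusted intermediate: accepted"
    rm -rf "$work"
}
demo
```

Running the same `openssl verify` calls without the output redirection shows the verification error text, which the `-q` in the report's script hides.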