First of all, I know this is pretty trivial, but I'm posting because I also know that developer experience is important.

Some time ago the SSL certificate for drupal.org was moved to a wildcard. I imagine this was done for cost-effectiveness and reduced maintenance. However, since this was done, if you use wget with default parameters (to download a patch, for instance) you get the "WARNING: certificate common name `*.drupal.org' doesn't match requested host name `drupal.org'." error. To get around this, you must include "--no-check-certificate" with the wget command.

This bugs me and it has to bug others too.

Is there some middle ground where we can use the wildcard for everything except the root domain so that we're still cost-effective, but also make this better?

Comments

JeffSheltren

Status: Active » Closed (duplicate)

It's likely you're using an old version of wget which has a bug that it doesn't check subjectaltname correctly. There have been at least a couple other issues filed about this:

https://drupal.org/node/2087077
https://drupal.org/node/1931940

My suggestion is to update wget to something more recent.
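To make the two behaviours above concrete, here is an added example (not code from this issue or from wget) of hostname-to-certificate matching in the style of RFC 6125 / RFC 2818. A client that only compares the Common Name rejects `drupal.org` against `*.drupal.org`, while a client that also checks the dNSName SAN entries accepts it; the certificate contents below are constructed and assume, as the comment implies, that `drupal.org` is listed as a SAN.

```python
# Constructed hostname-matching logic illustrating why an old CN-only client
# fails on a wildcard certificate while a SAN-aware client succeeds.

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (CN or dNSName SAN) against a hostname.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label, so '*.drupal.org' matches 'www.drupal.org' but
    neither 'drupal.org' nor 'a.b.drupal.org'. Partial wildcards such as
    'w*.drupal.org' and too-broad patterns like '*.org' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, common_name, san_dns_names=(), check_san=True):
    """Decide whether a certificate is valid for `hostname`.

    check_san=False mimics a CN-only client such as the wget release
    discussed in the thread. Per RFC 6125 section 6.4.4, when dNSName SAN
    entries are present they are authoritative and the CN is not consulted.
    """
    if check_san and san_dns_names:
        return any(_name_matches(n, hostname) for n in san_dns_names)
    return _name_matches(common_name, hostname)


# Constructed certificate identity: wildcard CN plus the bare domain as a SAN.
CN = "*.drupal.org"
SANS = ("*.drupal.org", "drupal.org")

if __name__ == "__main__":
    for host in ("drupal.org", "www.drupal.org", "a.b.drupal.org"):
        old = hostname_matches(host, CN, SANS, check_san=False)
        new = hostname_matches(host, CN, SANS)
        print(f"{host:16} CN-only client: {old!s:5}  SAN-aware client: {new}")
```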

cameron prince

Thank you for your reply. I did search the queue before posting, but was looking for "wildcard." I am using wget-1.11.4-3.el5_8.2, which is current for CentOS.

JeffSheltren

Right, I've been trying to get RedHat to fix this for some time, but it doesn't look like it will happen in EL5 or EL6.

https://bugzilla.redhat.com/show_bug.cgi?id=903756
https://bugzilla.redhat.com/show_bug.cgi?id=736445

It should be possible to rebuild a recent Fedora wget RPM on either EL5 or EL6 if you're so inclined. Sorry I can't be more help.

cameron prince

This continues to be a frustrating issue to deal with. Why is it a decision was made that didn't consider how many people this would impact, regardless of whether it's a bug in wget? The same version of wget doesn't throw an error with github in https mode. Just seems like a choice was made that was good for the admins at the expense of the developers.

JeffSheltren

Hi, I understand your frustration, but at the same time you're using a version of wget that is pushing 7 years old, and we have to draw the line somewhere.

For the record, this is now fixed in the EL6 wget package (which it wasn't at the time of my last comment). It's dead simple to rebuild that RPM on EL5; in fact, I'd be happy to do so and post it online if you'd find it useful. But I don't think we'll be moving away from a wildcard cert simply to make things work with an old/buggy version of wget.

cameron prince

Hi and thanks again for your reply. Can you confirm the version that includes the fix if you recall off the top of your head? I wouldn't expect or ask you to compile it for me, but if I could confirm the proper version, I certainly would appreciate it. Here's what I found in a quick Google search:

http://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/wg...

Is this one safe to proceed with?

JeffSheltren

Actually that one is too old. You want "wget-1.12-1.11.el6_5.src.rpm". It's available through CentOS here: http://vault.centos.org/6.5/updates/Source/SPackages/wget-1.12-1.11.el6_...

Component: Webserver » Servers