Your message dated Sat, 14 Mar 2026 17:22:08 +0000
with message-id
<bcbc996a90f413426a71c855b204339436897cfb.ca...@adam-barratt.org.uk>
and subject line Re: Bug#1130749: mirrors: ftp.us.debian.org returns
Incorrect wildcard certificate on port 443
has caused the Debian Bug report #1130749,
regarding mirrors: ftp.us.debian.org returns Incorrect wildcard
certificate on port 443
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1130749: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130749
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mirrors
Severity: important
X-Debbugs-Cc: [email protected]

Dear Maintainer,

Description: When attempting to connect to ftp.us.debian.org via SSL on
port 443, the server presents a certificate for *.osuosl.org or
mirrors.wikimedia.org instead of a valid certificate for the debian.org
subdomain.

CURL Output
 - subjectAltName does not match hostname ftp.us.debian.org
 - SSL: no alternative certificate subject name matches target hostname 'ftp.us.debian.org'

This causes APT to fail when HTTPS is selected:
Ign:8 https://ftp.us.debian.org/debian trixie-updates InRelease
Err:8 https://ftp.us.debian.org/debian trixie-updates InRelease
  SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 64.50.233.100 443]
Err:4 https://ftp.us.debian.org/debian trixie InRelease
  SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 64.50.233.100 443]
All packages are up to date.
Warning: Failed to fetch https://ftp.us.debian.org/debian/dists/trixie/InRelease  SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 64.50.233.100 443]
Warning: Failed to fetch https://ftp.us.debian.org/debian/dists/trixie-updates/InRelease  SSL connection failed: error:0A000086:SSL routines::certificate verify failed / Success [IP: 64.50.233.100 443]



Two examples are below:


Host ftp.us.debian.org:443 was resolved.
* IPv6: 2600:3402:200:227::2, 2600:3404:200:237::2, 2620:0:861:2:208:80:154:139
* IPv4: 64.50.236.52, 64.50.233.100, 208.80.154.139
*   Trying [2600:3402:200:227::2]:443...
* Immediate connect fail for 2600:3402:200:227::2: Network is unreachable
*   Trying [2600:3404:200:237::2]:443...
* Immediate connect fail for 2600:3404:200:237::2: Network is unreachable
*   Trying [2620:0:861:2:208:80:154:139]:443...
* Immediate connect fail for 2620:0:861:2:208:80:154:139: Network is unreachable
*   Trying 64.50.236.52:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305 / x25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=US; ST=Oregon; O=Oregon State University; CN=*.osuosl.org
*  start date: Jul 17 00:00:00 2025 GMT
*  expire date: Aug 17 23:59:59 2026 GMT
*  subjectAltName does not match hostname ftp.us.debian.org
* SSL: no alternative certificate subject name matches target hostname 'ftp.us.debian.org'
* closing connection #0
curl: (60) SSL: no alternative certificate subject name matches target hostname 'ftp.us.debian.org'
More details here: https://curl.se/docs/sslcerts.html


curl -vI https://ftp.us.debian.org
* Host ftp.us.debian.org:443 was resolved.
* IPv6: 2620:0:861:2:208:80:154:139, 2600:3404:200:237::2, 2600:3402:200:227::2
* IPv4: 208.80.154.139, 64.50.233.100, 64.50.236.52
*   Trying [2620:0:861:2:208:80:154:139]:443...
* Immediate connect fail for 2620:0:861:2:208:80:154:139: Network is unreachable
*   Trying [2600:3404:200:237::2]:443...
* Immediate connect fail for 2600:3404:200:237::2: Network is unreachable
*   Trying [2600:3402:200:227::2]:443...
* Immediate connect fail for 2600:3402:200:227::2: Network is unreachable
*   Trying 208.80.154.139:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256 / x25519 / id-ecPublicKey
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=mirrors.wikimedia.org
*  start date: Mar  5 18:56:25 2026 GMT
*  expire date: Jun  3 18:56:24 2026 GMT
*  subjectAltName does not match hostname ftp.us.debian.org
* SSL: no alternative certificate subject name matches target hostname 'ftp.us.debian.org'
* closing connection #0
curl: (60) SSL: no alternative certificate subject name matches target hostname 'ftp.us.debian.org'
More details here: https://curl.se/docs/sslcerts.html

--- End Message ---
--- Begin Message ---
On Sat, 2026-03-14 at 12:14 -0500, bigops wrote:
> Description: When attempting to connect to ftp.us.debian.org via SSL
> on port 443, the server presents a certificate
> for *.osuosl.org or mirrors.wikimedia.org instead of a valid
> certificate for the debian.org subdomain.

That's not a bug. I'm afraid that it's not possible for us to support
TLS for ftp.CC.debian.org.

Those hostnames often point to servers that are not operated by the
Debian Project directly, and may be repointed to other servers at short
notice. There is no way for us to securely distribute certificates for
every country-code domain to every mirror server that it might
conceivably be pointed to.

If you find documentation that suggests that TLS is supported for
ftp.CC.debian.org, please correct it.

deb.debian.org and other mirrors directly under debian.org do support
TLS as you expect.

Regards,

Adam

--- End Message ---
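
Added example, not part of either message above: a Python sketch that reads curl -v output like the report's and shows, per backend IP, which certificate name was presented and whether it covers the requested hostname under RFC 6125-style wildcard rules. The function names are hypothetical, the log is a constructed abridgement of the two transcripts, and the subject CN stands in for the subjectAltName entries because curl's output here prints only the subject.

```python
import re

# Constructed sample: lines abridged from the two curl -v transcripts in the report.
CURL_LOG = """\
*   Trying 64.50.236.52:443...
* Server certificate:
*  subject: C=US; ST=Oregon; O=Oregon State University; CN=*.osuosl.org
*  subjectAltName does not match hostname ftp.us.debian.org
*   Trying 208.80.154.139:443...
* Server certificate:
*  subject: CN=mirrors.wikimedia.org
*  subjectAltName does not match hostname ftp.us.debian.org
"""

def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' may only be the whole left-most label
    and stands for exactly one label, never for several."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.org' never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def backends(log):
    """Yield (ip, cn) for each connection attempt that reached a certificate."""
    ip = None
    for line in log.splitlines():
        m = re.match(r"\*\s+Trying \[?([0-9A-Fa-f:.]+)\]?:\d+\.\.\.", line)
        if m:
            ip = m.group(1)  # remember which backend the next cert belongs to
            continue
        m = re.match(r"\*\s+subject: .*?\bCN=(\S+)", line)
        if m and ip:
            yield ip, m.group(1)

def audit(log, hostname):
    """Return {ip: (presented_name, covers_hostname)} for one hostname."""
    return {ip: (cn, name_matches(cn, hostname)) for ip, cn in backends(log)}

if __name__ == "__main__":
    for ip, (cn, ok) in audit(CURL_LOG, "ftp.us.debian.org").items():
        print(f"{ip:16} {cn:24} {'match' if ok else 'MISMATCH'}")
```

Each backend presents its own operator's certificate, so no address behind the country-code name passes hostname verification; the `*.osuosl.org` wildcard covers names such as ftp.osuosl.org only.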
