Public bug reported:

I'm working on Ubuntu 18.05, x86_64, fully patched. The system has been through both apt-get upgrade and dist-upgrade. The system provides Wget 1.19.4.

The program below fails to download from ftp.gnu.org using Let's Encrypt R3 CA certificate. Let's Encrypt R3 is the issuer for ftp.gnu.org. It is about the best trust anchor you can choose (sans pinning the host's public key).

If I use Daniel Stenberg's cacert.pem (https://curl.haxx.se/docs/caextract.html), then the download succeeds. I'm not a fan of using the CA Zoo when I know the Issuing CA in advance. There's no reason to trust every PKI in the world.

If I use a newer version of Wget built with an OpenSSL backend, then the download succeeds. For example, Wget 1.20.3 and Wget 1.21 with an OpenSSL backend work fine.

-----

$ ./wget-test.sh
Failed to download Ncurses

# Hmm... Add --debug to Wget command

$ ./wget-test.sh
Setting --quiet (quiet) to 1
Setting --quiet (quiet) to 1
Setting --output-document (outputdocument) to ncurses-6.1.tar.gz
Setting --output-document (outputdocument) to ncurses-6.1.tar.gz
Setting --ca-certificate (cacertificate) to lets-encrypt-roots.pem
Setting --ca-certificate (cacertificate) to lets-encrypt-roots.pem
DEBUG output created by Wget 1.19.4 on linux-gnu.

Reading HSTS entries from /home/jwalton/.wget-hsts
URI encoding = ‘UTF-8’
Caching ftp.gnu.org => 209.51.188.20 2001:470:142:3::b
Created socket 4.
Releasing 0x00005590bdacd590 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 4 to SSL handle 0x00005590bdad1fd0
certificate:
  subject: CN=ftp.gnu.org
  issuer: CN=R3,O=Let's Encrypt,C=US
Closed 4/SSL 0x00005590bdad1fd0
Failed to download Ncurses

$ cat ./wget-test.sh
#!/usr/bin/env bash

{
# This is the new "Let's Encrypt Authority R3"
# https://letsencrypt.org/certificates/
echo "-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----"

# This is the original "Let's Encrypt Authority X3"
# https://letsencrypt.org/certificates/
echo "-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----"

} > lets-encrypt-roots.pem

WGET=/usr/bin/wget
LETS_ENCRYPT_ROOT=lets-encrypt-roots.pem

if ! "$WGET" -q -O ncurses-6.1.tar.gz --ca-certificate="$LETS_ENCRYPT_ROOT" \
     "https://ftp.gnu.org/pub/gnu/ncurses/ncurses-6.1.tar.gz"
then
    echo "Failed to download Ncurses"
    exit 1
fi

-----

$ apt-cache show wget
Package: wget
Architecture: amd64
Version: 1.19.4-1ubuntu2.2
Multi-Arch: foreign
Priority: standard
Section: web
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
Original-Maintainer: Noël Köthe <n...@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 932
Depends: libc6 (>= 2.17), libidn2-0 (>= 0.6), libpcre3, libpsl5 (>= 0.16.0), libssl1.1 (>= 1.1.0), libuuid1 (>= 2.16)
Recommends: ca-certificates
Conflicts: wget-ssl
Filename: pool/main/w/wget/wget_1.19.4-1ubuntu2.2_amd64.deb
Size: 315936
MD5sum: f90d75fd4a7653c58b13dee6ca4a32a6
SHA1: 3e5f489afdbc3d74da3a7820a0f60c8cc30116d4
SHA256: ccf494f932e83e08b218702b9c2fc00cfcdf697ab0c7b3af62e94f99e427f048
SHA512: c06cd1cf745912d553f86b89ed299573a39e0ba2c52876ce01f5436df7fda45ddef0706c6ad03a50955e281f20d02f060e4a90b7748b57ee6619b7b83992778c
Homepage: https://www.gnu.org/software/wget/
Description-en: retrieves files from the web
 Wget is a network utility to retrieve files from the web
 using HTTP(S) and FTP, the two most widely used internet
 protocols. It works non-interactively, so it will work in
 the background, after having logged off. The program supports
 recursive retrieval of web-authoring pages as well as FTP
 sites -- you can use Wget to make mirrors of archives and
 home pages or to travel the web like a WWW robot.
...

** Affects: wget (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1910567

Title:
  Wget cannot download from ftp.gnu.org using Let's Encrypt R3 CA certificate
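
The configuration in the report above, an intermediate CA as the only trust anchor, can be exercised offline with OpenSSL's command-line verifier. This is an added example, not part of the bug report: the three-certificate PKI, its names and the function names are all constructed, and it shows how `openssl verify` treats such an anchor with and without `-partial_chain`, which the report does not establish as the cause of the Wget 1.19.4 failure.

```shell
#!/bin/sh
# Added example. Everything below is constructed: a throwaway root,
# intermediate and leaf with made-up names. Nothing contacts ftp.gnu.org.

build_constructed_pki() {   # $1 = existing empty directory
  ( cd "$1" || exit 1
    # Minimal config so the run does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
      '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > pki.cnf
    newreq() { openssl req -config pki.cnf -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
    sign() { openssl x509 -req -days 2 -CAcreateserial "$@" 2>/dev/null; }
    # Self-signed root, then an intermediate CA signed by it.
    newreq -x509 -extensions v3_ca -days 2 -subj '/CN=Constructed Root' \
      -keyout root.key -out root.pem &&
    newreq -subj '/CN=Constructed Intermediate' -keyout int.key -out int.csr &&
    sign -in int.csr -CA root.pem -CAkey root.key \
      -extfile pki.cnf -extensions v3_ca -out int.pem &&
    # Leaf issued by the intermediate, like ftp.gnu.org under R3.
    newreq -subj '/CN=leaf.example' -keyout leaf.key -out leaf.csr &&
    sign -in leaf.csr -CA int.pem -CAkey int.key -out leaf.pem
  )
}

# Intermediate as the only trust anchor, default chain building:
# the chain must end at a self-signed certificate, which is absent here.
verify_strict() {
  openssl verify -CAfile "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}
# Same anchor, but a trusted non-self-signed certificate may end the chain.
verify_partial() {
  openssl verify -partial_chain -CAfile "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}
# Root as anchor, intermediate supplied only as untrusted chain material.
verify_rooted() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) && build_constructed_pki "$d" || return 1
  for check in verify_strict verify_partial verify_rooted; do
    if "$check" "$d"; then echo "$check: OK"; else echo "$check: FAILED"; fi
  done
  rm -rf "$d"
}
demo
```

To run the same three checks against a real server, substitute the certificates it actually presents (for example, saved from `openssl s_client -showcerts`) for the constructed files.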