Thread: certificate issue between download and ftp
Hi, not sure if this is the correct place to send this but as it's
related with the servers and access to downloads, this seems the most
appropriate list.

I just tried downloading a pgdg yum repo and got a certificate error:

# wget https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-6-x86_64/pgdg-centos10-10-2.noarch.rpm
--2018-06-21 10:45:04--
https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-6-x86_64/pgdg-centos10-10-2.noarch.rpm
Resolviendo download.postgresql.org... 204.145.124.244,
174.143.35.246, 87.238.57.227, ...
Connecting to download.postgresql.org|204.145.124.244|:443... conectado.
ERROR: certificate common name `ftp.postgresql.org' doesn't match
requested host name `download.postgresql.org'.
To connect to download.postgresql.org insecurely, use `--no-check-certificate'.

Seems clear from the error what the problem is, so I'm just reporting here.

Regards,

--
Martín Marqués http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

Greetings,

* Martín Marqués (martin@2ndquadrant.com) wrote:
> Hi, not sure if this is the correct place to send this but as it's
> related with the servers and access to downloads, this seems the most
> appropriate list.
>
> I just tried downloading a pgdg yum repo and got a certificate error:
>
> # wget https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-6-x86_64/pgdg-centos10-10-2.noarch.rpm
> --2018-06-21 10:45:04--
> https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-6-x86_64/pgdg-centos10-10-2.noarch.rpm
> Resolviendo download.postgresql.org... 204.145.124.244,
> 174.143.35.246, 87.238.57.227, ...
> Connecting to download.postgresql.org|204.145.124.244|:443... conectado.
> ERROR: certificate common name `ftp.postgresql.org' doesn't match
> requested host name `download.postgresql.org'.
> To connect to download.postgresql.org insecurely, use `--no-check-certificate'.
>
> Seems clear from the error what the problem is, so I'm just reporting here.

While ftp.postgresql.org is the common name on the certificate,
download.postgresql.org is listed as a Subject Alternative Name and
therefore should be accepted. I certainly don't have any issue here
using a recent Ubuntu version.

What version of wget is that..?

Thanks!

Stephen

On 21/06/18 at 11:53, Martín Marqués wrote:
> Hi, not sure if this is the correct place to send this but as it's
> related with the servers and access to downloads, this seems the most
> appropriate list.
>
> I just tried downloading a pgdg yum repo and got a certificate error:
>
> # wget https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-6-x86_64/pgdg-centos10-10-2.noarch.rpm
> --2018-06-21 10:45:04--
> https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-6-x86_64/pgdg-centos10-10-2.noarch.rpm
> Resolviendo download.postgresql.org... 204.145.124.244,
> 174.143.35.246, 87.238.57.227, ...
> Connecting to download.postgresql.org|204.145.124.244|:443... conectado.
> ERROR: certificate common name `ftp.postgresql.org' doesn't match
> requested host name `download.postgresql.org'.
> To connect to download.postgresql.org insecurely, use `--no-check-certificate'.
>
> Seems clear from the error what the problem is, so I'm just reporting here.

Seems I had to investigate a bit further before sending.

It looks like it's related to access from a specific server. No errors
from my laptop, so I'm starting to suspect something broken in the routing.

--
Martín Marqués http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

Stephen Frost <sfrost@snowman.net> writes:
> While ftp.postgresql.org is the common name on the certificate,
> download.postgresql.org is listed as a Subject Alternative Name and
> therefore should be accepted. I certainly don't have any issue here
> using a recent Ubuntu version.

FWIW, the given case works for me with RHEL6's wget (wget-1.12-10.el6),
but I see this entry in the changelog for that package:

* Fri Jan 31 2014 Tomas Hozza <thozza@redhat.com> 1.12-2
- Fix wget to recognize certificates with alternative names (#736445)

which likely was a back-patch from upstream 1.13 or later.

It's reasonable to suspect that there are still wget's in the wild
with this bug. How much of a PITA would it be to avoid use of
alternative names for the download servers?

regards, tom lane

On 21/06/18 at 12:08, Tom Lane wrote:
> Stephen Frost <sfrost@snowman.net> writes:
>> While ftp.postgresql.org is the common name on the certificate,
>> download.postgresql.org is listed as a Subject Alternative Name and
>> therefore should be accepted. I certainly don't have any issue here
>> using a recent Ubuntu version.
>
> FWIW, the given case works for me with RHEL6's wget (wget-1.12-10.el6),
> but I see this entry in the changelog for that package:
>
> * Fri Jan 31 2014 Tomas Hozza <thozza@redhat.com> 1.12-2
> - Fix wget to recognize certificates with alternative names (#736445)

Yeah, that seems to be the problem:

# wget --version
GNU Wget 1.12 built on linux-gnu.
# rpm -qa | grep wget
wget-1.12-1.4.el6.x86_64

Updated wget to the latest on Centos6 (1.12-10) and now it works great.

Sorry for the noise. This is a server that just dropped on my lap.

--
Martín Marqués http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
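
The mismatch diagnosed in this thread, as an added example that is not part of the original messages and not wget's code: a CN-only hostname check beside a SAN-aware one that follows the RFC 6125 order. The certificate dict is constructed in the shape returned by Python's ssl.SSLSocket.getpeercert(); its exact SAN list and all function names are assumptions.

```python
# Constructed sample certificate; only the CN and the download SAN are
# taken from the thread, the rest of the SAN list is assumed.
SAMPLE_CERT = {
    "subject": ((("commonName", "ftp.postgresql.org"),),),
    "subjectAltName": (
        ("DNS", "ftp.postgresql.org"),
        ("DNS", "download.postgresql.org"),
    ),
}


def name_matches(pattern, host):
    """Compare DNS names label by label; '*' may only be the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as '*.org'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def verify_cn_only(cert, host):
    """Models a client that ignores subjectAltName, as the old wget build did."""
    return any(name_matches(cn, host) for cn in common_names(cert))


def verify_san_aware(cert, host):
    """DNS SAN entries are authoritative when present; CN is only a fallback."""
    sans = dns_sans(cert)
    if sans:
        return any(name_matches(s, host) for s in sans)
    return any(name_matches(cn, host) for cn in common_names(cert))


def audit(cert, host):
    """Report how each style of client would judge this certificate for host."""
    return {"cn_only": verify_cn_only(cert, host),
            "san_aware": verify_san_aware(cert, host)}


if __name__ == "__main__":
    for name in ("ftp.postgresql.org", "download.postgresql.org"):
        print(name, audit(SAMPLE_CERT, name))
```

A host where cn_only is False and san_aware is True points at an outdated client rather than a bad certificate, so the remedy is updating the client, not `--no-check-certificate`.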