Bug 443512

Summary: wget fails with bogus certificate chain error
Product: Red Hat Enterprise Linux 4
Component: wget
Version: 4.6
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Target Milestone: rc
Reporter: Tom Swiss <tms>
Assignee: Karsten Hopp <karsten>
CC: pknirsch
Doc Type: Bug Fix
Last Closed: 2010-09-07 13:39:35 UTC

Description Tom Swiss 2008-04-21 22:08:59 UTC
Description of problem:

The supplied version of wget fails on a site with a valid SSL certificate and
chain of trust.

Version-Release number of selected component (if applicable):

wget-1.10.2-0.40E

How reproducible:

Use wget to retrieve https://www.trocadero.com

Steps to Reproduce:
1. From a shell command line: wget https://www.trocadero.com

  
Actual results:

As run on our RHEL 4.6 box:

wget https://www.trocadero.com
--17:52:41--  https://www.trocadero.com/
           => `index.html'
Resolving www.trocadero.com... 216.132.102.18
Connecting to www.trocadero.com|216.132.102.18|:443... connected.
ERROR: Certificate verification error for www.trocadero.com: self signed certificate in certificate chain
To connect to www.trocadero.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.



Expected results:

I would expect to see the same results I get on my Fedora Core 6 box at home
(using wget-1.10.2-8.fc6.1)

wget https://www.trocadero.com
--17:53:38--  https://www.trocadero.com/
Resolving www.trocadero.com... 216.132.102.18
Connecting to www.trocadero.com|216.132.102.18|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3699 (3.6K) [text/html]
Saving to: `index.html'

100%[=======================================>] 3,699       --.-K/s   in 0.05s  

17:53:40 (76.1 KB/s) - `index.html' saved [3699/3699]


Additional info:

Our certificate is of course not self-signed. This problem appeared when we
updated our Network Solutions SSL certificate, which now has a chain of trust
through UTN-UserFirst and AddTrust. 

No problems are encountered using this certificate with Firefox or IE, it works
with the wget on my Fedora Core box, and openssl reports our CA chain to be a-ok:

# openssl verify -CAfile /etc/httpd/conf/ssl.crt/netsol_CA_chain.txt /etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.crt/server.crt: OK

We can of course work around this by using the --no-check-certificate, but that
defeats half the purpose of using SSL.
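
Added example, not part of the bug report: `openssl verify -CAfile <chain file>` trusts every certificate in that file, so it can report OK while a client using a CA bundle that lacks the root reports "self signed certificate in certificate chain" (OpenSSL verify error 19). The script reproduces both outcomes with a constructed lab chain; every name and file in it is made up, and it does not establish the cause of this particular bug.

```shell
#!/bin/sh
# Constructed lab PKI: every name and file below is made up for this example.
# Requires the openssl CLI; nothing here contacts a network host.
build_chain() {  # $1 = output directory
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  newkey="-newkey rsa:2048 -nodes -config $d/ca.cnf"
  # Two unrelated self-signed roots: "root" issues the chain, "other" stands
  # in for a client CA bundle that does not contain the issuing root.
  for ca in root other; do
    openssl req -x509 $newkey -extensions v3_ca -days 2 \
      -subj "/CN=Constructed $ca CA" -keyout "$d/$ca.key" -out "$d/$ca.crt"
  done
  # Intermediate CA signed by the root, then a leaf signed by the intermediate.
  openssl req -new $newkey -subj "/CN=Constructed intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 2 -out "$d/int.crt"
  openssl req -new $newkey -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt"
  # The chain file a server would be configured with: intermediate + root.
  cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
}

verify_code() {  # $1 = trusted CA file, $2 = untrusted chain, $3 = certificate
  out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || true
  case $out in *": OK"*) echo 0; return ;; esac
  # Print the first OpenSSL verify error number (19 = self-signed cert in chain).
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_chain "$work" >/dev/null 2>&1
echo "chain file used as trust anchors: $(verify_code "$work/chain.pem" "$work/chain.pem" "$work/leaf.crt")"
echo "root missing from the CA bundle : $(verify_code "$work/other.crt" "$work/chain.pem" "$work/leaf.crt")"
```

To check what a particular client will accept, verify against the CA bundle that client actually loads rather than against the server's own chain file.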

Comment 1 Phil Knirsch 2010-09-07 13:39:35 UTC
Verified that with the current rebased wget-1.11.4-2.el5_4.1 I'm not getting that problem anymore.

Closing as ERRATA.

Thanks & regards, Phil