[MDEV-15574] Certificate on mariadb.org is not trusted Created: 2018-03-15  Updated: 2018-04-15  Resolved: 2018-04-15

Status: Closed
Project: MariaDB Server
Component/s: OTHER
Affects Version/s: None
Fix Version/s: N/A

Type: Bug Priority: Minor
Reporter: Oli Sennhauser Assignee: Unassigned
Resolution: Cannot Reproduce Votes: 0
Labels: None
Environment:

Debian9

Description

Debian 9 seems to be a bit picky about your certificate:

mysql@debian9:~/download$ wget http://downloads.mariadb.org/f/mariadb-${MAVERSION}/bintar-linux-glibc_${GLIBCVERSION}-x86_64/mariadb-${MAVERSION}-linux-glibc_${GLIBCVERSION}-x86_64.tar.gz
--2018-03-15 15:06:05--  http://downloads.mariadb.org/f/mariadb-10.2.13/bintar-linux-glibc_214-x86_64/mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz
Resolving downloads.mariadb.org (downloads.mariadb.org)... 173.203.201.148
Connecting to downloads.mariadb.org (downloads.mariadb.org)|173.203.201.148|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://downloads.mariadb.org/f/mariadb-10.2.13/bintar-linux-glibc_214-x86_64/mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz [following]
--2018-03-15 15:06:06--  https://downloads.mariadb.org/f/mariadb-10.2.13/bintar-linux-glibc_214-x86_64/mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz
Connecting to downloads.mariadb.org (downloads.mariadb.org)|173.203.201.148|:443... connected.
ERROR: The certificate of ‘downloads.mariadb.org’ is not trusted.
ERROR: The certificate of ‘downloads.mariadb.org’ hasn't got a known issuer.

Workaround

wget --no-check-certificate ...


Comments
Comment by Elena Stepanova [ 2018-03-15 ]

otto, dbart, any comments on this?

Comment by Otto Kekäläinen [ 2018-03-15 ]

The check https://www.ssllabs.com/ssltest/analyze.html?d=downloads.mariadb.org yields pretty bad results.
We should update the TLS settings to something like (quick copy from another server I maintain with A+ status):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_stapling on;
ssl_stapling_verify on;

Comment by Daniel Bartholomew [ 2018-03-15 ]

I have just now tested the following wget command on Debian 7 Wheezy, Debian 8 Jessie, Debian 9 Stretch, Debian Sid, and (just to be thorough) Ubuntu Xenial:

wget http://downloads.mariadb.org/f/mariadb-10.2.13/bintar-linux-glibc_214-x86_64/mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz

On all versions, the wget command connected to the http site, was redirected to https://downloads.mariadb.org and connected to it without issues and then was redirected to a mirror and downloaded the file just fine. So I'm currently unable to reproduce the error.

Here's the full output from my Debian 9 VM:

buildbot@debian-9-stretch-amd64:~$ wget http://downloads.mariadb.org/f/mariadb-10.2.13/bintar-linux-glibc_214-x86_64/mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz
--2018-03-15 11:02:36--  http://downloads.mariadb.org/f/mariadb-10.2.13/bintar-linux-glibc_214-x86_64/mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz
Resolving downloads.mariadb.org (downloads.mariadb.org)... 173.203.201.148
Connecting to downloads.mariadb.org (downloads.mariadb.org)|173.203.201.148|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://downloads.mariadb.org/f/mariadb-10.2.13/bintar-linux-glibc_214-x86_64/mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz [following]
--2018-03-15 11:02:36--  https://downloads.mariadb.org/f/mariadb-10.2.13/bintar-linux-glibc_214-x86_64/mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz
Connecting to downloads.mariadb.org (downloads.mariadb.org)|173.203.201.148|:443... connected.
HTTP request sent, awaiting response... 302 FOUND
Location: http://mirror.netinch.com/pub/mariadb//mariadb-10.2.13/bintar-linux-glibc_214-x86_64/mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz [following]
--2018-03-15 11:02:40--  http://mirror.netinch.com/pub/mariadb//mariadb-10.2.13/bintar-linux-glibc_214-x86_64/mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz
Resolving mirror.netinch.com (mirror.netinch.com)... 185.31.136.36
Connecting to mirror.netinch.com (mirror.netinch.com)|185.31.136.36|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 605661646 (578M) [application/x-gzip]
Saving to: ‘mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz.2’
 
mariadb-10.2.13-linux-gli 100%[=====================================>] 577.60M  10.9MB/s    in 52s     
 
2018-03-15 11:03:33 (11.1 MB/s) - ‘mariadb-10.2.13-linux-glibc_214-x86_64.tar.gz.2’ saved [605661646/605661646]

oli: Could you try using wget to download via https from some other site? I just want to check to see if your system is failing for all https requests, or just for requests from downloads.mariadb.org. For example, you could try downloading the Ansible source from github (it's only ~6mb):

wget https://github.com/ansible/ansible/archive/v2.4.3.0-1.tar.gz

Does that give the same error? Or does it succeed?

Thanks.

Comment by Daniel Bartholomew [ 2018-03-15 ]

otto Are you going to apply the updated TLS settings to the server, or did you want me to?

Comment by Oli Sennhauser [ 2018-03-15 ]

Hmmmm... It seems to be in my Debian9 VirtualBox Image...

root@debian9:~# wget https://github.com/ansible/ansible/archive/v2.4.3.0-1.tar.gz
--2018-03-15 21:57:48--  https://github.com/ansible/ansible/archive/v2.4.3.0-1.tar.gz
Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112
Connecting to github.com (github.com)|192.30.253.113|:443... connected.
ERROR: The certificate of ‘github.com’ is not trusted.
ERROR: The certificate of ‘github.com’ hasn't got a known issuer.

root@debian9:~# wget https://support.fromdual.com/admin/download/myenv-2.0.0.tar.gz
--2018-03-15 21:58:43--  https://support.fromdual.com/admin/download/myenv-2.0.0.tar.gz
Resolving support.fromdual.com (support.fromdual.com)... 176.9.20.211
Connecting to support.fromdual.com (support.fromdual.com)|176.9.20.211|:443... connected.
ERROR: The certificate of ‘support.fromdual.com’ is not trusted.
ERROR: The certificate of ‘support.fromdual.com’ hasn't got a known issuer.

I just renewed our Certificate yesterday and it complains as well.
OK. So, sorry for the false alarm.
I did some distro-cross-testing and only Debian9 failed.

Generated at Thu Feb 08 08:22:25 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.