Header RSS Feed
 
If you only want to see the articles of a certain category, please click on the desired category below:
ALL Android Backup BSD Database Hacks Hardware Internet Linux Mail MySQL Monitoring Network Personal PHP Proxy Shell Solaris Unix Virtualization VMware Windows Wyse

When github and wget on Debian Wheezy bite each other..
Tuesday - Mar 25th 2014 - by - (2 comments)

On a Debian Wheezy (7.4) system I tried to directly download one of my Nagios plugins (check_smart) with wget but got the following error:

wget -V | grep "GNU Wget"
GNU Wget 1.13.4 built on linux-gnu.

wget https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl

--2014-03-25 08:30:35--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
GnuTLS: A TLS warning alert has been received.
Unable to establish SSL connection.

I remember this was working fine a couple of weeks ago. For a better comparison I launched the same command on a Debian Squeeze (6.0.9):

wget -V | grep "GNU Wget"
GNU Wget 1.12 built on linux-gnu.

wget https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl

--2014-03-25 08:37:01--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com... 185.31.17.133
Connecting to raw.githubusercontent.com|185.31.17.133|:443... connected.
ERROR: certificate common name "www.github.com" doesn't match requested host name "raw.githubusercontent.com".
To connect to raw.githubusercontent.com insecurely, use '--no-check-certificate'.

The download also failed with the older wget on Debian Squeeze but this time the error message was more helpful: The certificate doesn't match the hostname/URL.
Github does indeed use the SSL certificate for the CN "www.github.com" for the URL "raw.githubusercontent.com". 
That's a clear misconfiguration on the github server side. Hello github admins, please check and fix that...

Update March 31st 2014: Github uses *.githuberusercontent.com as SubjectAltName in the certificate. So the cert is alright. See comment at the end of this page

As suggested in the wget 1.12 output, the parameter "--no-check-certificate" can be used to ignore the SSL error and proceed with the download:

wget --no-check-certificate https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:42:28--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com... 185.31.16.133
Connecting to raw.githubusercontent.com|185.31.16.133|:443... connected.
WARNING: certificate common name "www.github.com" doesn't match requested host name "raw.githubusercontent.com".
HTTP request sent, awaiting response... 200 OK
Length: 15236 (15K) [text/plain]
Saving to: "check_smart.pl"

100%[========================================>] 15,236      --.-K/s   in 0.03s  

2014-03-25 08:42:28 (532 KB/s) - "check_smart.pl" saved [15236/15236]

But trying this with the newer wget 1.13.4 on Debian Wheezy still fails:

wget --no-check-certificate https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:43:29--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
GnuTLS: A TLS warning alert has been received.
Unable to establish SSL connection.

This is due to the open Debian bug #738625 which hopefully will be fixed soon.

As a workaround, curl can be used:

curl -o check_smart.pl https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15236  100 15236    0     0  69277      0 --:--:-- --:--:-- --:--:--  100k

Update April 28th 2014:
After recent patch installations (and Debian 7.5), wget now works correctly again (1.13.4-3+deb7u1).

 

Add a comment

Show form to leave a comment

Comments (newest first):

Claudio Kuenzler from Geneva, Switzerland wrote on Mar 29th, 2014:
Hi praseodym. Yes, youre right. So the issue seems to be purely wget. Thanks :)

praseodym wrote on Mar 29th, 2014:
Actually the GitHub SSL certificate has subjectAltName *.githubusercontent.com set, so the cert is all fine.


Go to Homepage home
Linux Howtos how to's
Monitoring Plugins monitoring plugins
Links links

Valid HTML 4.01 Transitional
Valid CSS!
[Valid RSS]

6938 Days
until Death of Computers
Why?