When GitHub and wget on Debian Wheezy bite each other (TLS warning alert)



On a Debian Wheezy (7.4) system I tried to directly download one of my Nagios plugins (check_smart) with wget but got the following error:

wget -V | grep "GNU Wget"
GNU Wget 1.13.4 built on linux-gnu.

wget https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl

--2014-03-25 08:30:35--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
GnuTLS: A TLS warning alert has been received.
Unable to establish SSL connection.

I remember this was working fine a couple of weeks ago. For a better comparison I launched the same command on a Debian Squeeze (6.0.9):

wget -V | grep "GNU Wget"
GNU Wget 1.12 built on linux-gnu.

wget https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl

--2014-03-25 08:37:01--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com... 185.31.17.133
Connecting to raw.githubusercontent.com|185.31.17.133|:443... connected.
ERROR: certificate common name "www.github.com" doesn't match requested host name "raw.githubusercontent.com".
To connect to raw.githubusercontent.com insecurely, use '--no-check-certificate'.

The download also failed with the older wget on Debian Squeeze, but this time the error message was more helpful: the certificate doesn't match the hostname/URL.
GitHub does indeed use the SSL certificate for the CN "www.github.com" for the URL "raw.githubusercontent.com".
That's a clear misconfiguration on the GitHub server side. Hello GitHub admins, please check and fix that...

Update March 31st 2014: GitHub uses *.githubusercontent.com as SubjectAltName in the certificate. So the cert is alright. See the comment at the end of this page.
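Why a comparison against the common name alone (what the wget 1.12 error message reports) rejects this certificate while a subjectAltName-aware check accepts it, as an added example that is not part of the original post. The certificate is a constructed dictionary built from the names quoted on this page; listing "www.github.com" as a second SAN entry is an assumption, and the function names are hypothetical.

```python
# Added example: RFC 6125-style hostname matching, CN-only vs. SAN-aware.

def label_match(pattern: str, host: str) -> bool:
    """Match one certificate name against a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" covers exactly one label, never several or none
    if p_labels[0] == "*":
        # Wildcard is accepted only as the complete leftmost label and only
        # with at least two fixed labels behind it (so "*.com" is rejected).
        return (len(p_labels) >= 3 and bool(h_labels[0])
                and p_labels[1:] == h_labels[1:])
    # No partial or non-leftmost wildcards such as "f*o.example.com".
    return "*" not in pattern and p_labels == h_labels


def cn_only_check(cert: dict, host: str) -> bool:
    """Legacy behaviour: compare the subject common name and nothing else."""
    return label_match(cert["common_name"], host)


def san_aware_check(cert: dict, host: str) -> bool:
    """dNSName SAN entries are authoritative; the CN is only a fallback."""
    sans = cert.get("san_dns", [])
    if sans:
        return any(label_match(name, host) for name in sans)
    return cn_only_check(cert, host)


# Constructed sample, not a parsed certificate. The second SAN entry is assumed.
CERT = {
    "common_name": "www.github.com",
    "san_dns": ["*.githubusercontent.com", "www.github.com"],
}

if __name__ == "__main__":
    for host in ("raw.githubusercontent.com", "www.github.com",
                 "a.b.githubusercontent.com", "githubusercontent.com"):
        print(f"{host:28} cn_only={cn_only_check(CERT, host)!s:5} "
              f"san_aware={san_aware_check(CERT, host)}")
```

For "raw.githubusercontent.com" the CN-only check fails and the SAN-aware check passes, so a client that evaluates subjectAltName has no need to switch verification off for this host.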

As suggested in the wget 1.12 output, the parameter "--no-check-certificate" can be used to ignore the SSL error and proceed with the download (with it, wget no longer verifies the server certificate for that request):

wget --no-check-certificate https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:42:28--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com... 185.31.16.133
Connecting to raw.githubusercontent.com|185.31.16.133|:443... connected.
WARNING: certificate common name "www.github.com" doesn't match requested host name "raw.githubusercontent.com".
HTTP request sent, awaiting response... 200 OK
Length: 15236 (15K) [text/plain]
Saving to: "check_smart.pl"

100%[========================================>] 15,236      --.-K/s   in 0.03s  

2014-03-25 08:42:28 (532 KB/s) - "check_smart.pl" saved [15236/15236]

But trying this with the newer wget 1.13.4 on Debian Wheezy still fails:

wget --no-check-certificate https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:43:29--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
GnuTLS: A TLS warning alert has been received.
Unable to establish SSL connection.

This is due to the open Debian bug #738625 which hopefully will be fixed soon.

As a workaround, curl can be used:

curl -o check_smart.pl https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15236  100 15236    0     0  69277      0 --:--:-- --:--:-- --:--:--  100k

Update April 28th 2014:
After recent patch installations (and Debian 7.5), wget now works correctly again (1.13.4-3+deb7u1).


Comments (newest first)

Claudio Kuenzler from Geneva, Switzerland wrote on Mar 29th, 2014:

Hi praseodym. Yes, you're right. So the issue seems to be purely wget. Thanks :)


praseodym wrote on Mar 29th, 2014:

Actually the GitHub SSL certificate has subjectAltName *.githubusercontent.com set, so the cert is all fine.