When github and wget on Debian Wheezy bite each other..

Written by - 2 comments

Published on - Listed in Linux Internet

On a Debian Wheezy (7.4) system I tried to directly download one of my Nagios plugins (check_smart) with wget but got the following error:

wget -V | grep "GNU Wget"
GNU Wget 1.13.4 built on linux-gnu.

wget https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:30:35--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
GnuTLS: A TLS warning alert has been received.
Unable to establish SSL connection.

I remember this was working fine a couple of weeks ago. For a better comparison I launched the same command on a Debian Squeeze (6.0.9):

wget -V | grep "GNU Wget"
GNU Wget 1.12 built on linux-gnu.

wget https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:37:01--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com... 185.31.17.133
Connecting to raw.githubusercontent.com|185.31.17.133|:443... connected.
ERROR: certificate common name "www.github.com" doesn't match requested host name "raw.githubusercontent.com".
To connect to raw.githubusercontent.com insecurely, use '--no-check-certificate'.

The download also failed with the older wget on Debian Squeeze but this time the error message was more helpful: The certificate doesn't match the hostname/URL.
Github does indeed use the SSL certificate for the CN "www.github.com" for the URL "raw.githubusercontent.com". 
That's a clear misconfiguration on the github server side. Hello github admins, please check and fix that...
Update March 31st 2014: Github uses *.githuberusercontent.com as SubjectAltName in the certificate. So the cert is alright. See comment at the end of this page

As suggested in the wget 1.12 output, the parameter "--no-check-certificate" can be used to ignore the SSL error and proceed with the download:

wget --no-check-certificate https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:42:28--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com... 185.31.16.133
Connecting to raw.githubusercontent.com|185.31.16.133|:443... connected.
WARNING: certificate common name "www.github.com" doesn't match requested host name "raw.githubusercontent.com".
HTTP request sent, awaiting response... 200 OK
Length: 15236 (15K) [text/plain]
Saving to: "check_smart.pl"

100%[========================================>] 15,236      --.-K/s   in 0.03s  

2014-03-25 08:42:28 (532 KB/s) - "check_smart.pl" saved [15236/15236]

But trying this with the newer wget 1.13.4 on Debian Wheezy still fails:

wget --no-check-certificate https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:43:29--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
GnuTLS: A TLS warning alert has been received.
Unable to establish SSL connection.

This is due to the open Debian bug #738625 which hopefully will be fixed soon.

As a workaround, curl can be used:

curl -o check_smart.pl https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15236  100 15236    0     0  69277      0 --:--:-- --:--:-- --:--:--  100k

Update April 28th 2014:
After recent patch installations (and Debian 7.5), wget now works correctly again (1.13.4-3+deb7u1).


Add a comment

Show form to leave a comment

Comments (newest first)

Claudio Kuenzler from Geneva, Switzerland wrote on Mar 29th, 2014:

Hi praseodym. Yes, youre right. So the issue seems to be purely wget. Thanks :)

praseodym from wrote on Mar 29th, 2014:

Actually the GitHub SSL certificate has subjectAltName *.githubusercontent.com set, so the cert is all fine.

Blog Tags:

AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder