[Bug 1312127] Re: wget tries to get certificate from wrong server

Simon Déziel 1312127 at bugs.launchpad.net
Thu Apr 24 16:09:11 UTC 2014 

You should try using a different resolver (like Google DNS, 8.8.8.8 and
8.8.4.4) or tell wget to use IPv4 only with the "-4" flag.

** Changed in: wget (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to wget in Ubuntu.
https://bugs.launchpad.net/bugs/1312127

Title:
  wget tries to get certificate from wrong server

Status in “wget” package in Ubuntu:
  Invalid

Bug description:
  This report is for Ubuntu 12.04.4. I observe the problem with wget,
  git and maybe other utilities.  wget helped me to understand this
  problem. I guess wget is not troublemaker, but there is a problem in
  somepart related to DNS.

  There is some problem (or change) with OpenDNS that I use and that
  change has impact to SSL related services. Lets, try to download a
  certificate with wget:

  $ wget -d
  https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt

  DEBUG output created by Wget 1.13.4 on linux-gnu.

  URI encoding = `UTF-8'
  --2014-04-24 13:26:04--  https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
  Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234
  Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234
  Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected.
  Created socket 3.
  Releasing 0x08ca17d8 (new refcount 1).
  Initiating SSL handshake.
  Handshake successful; connected socket 3 to SSL handle 0x08ca1968
  certificate:
    subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
    issuer:  /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
  ERROR: no certificate subject alternative name matches
   requested host name `www.digicert.com'.
  To connect to www.digicert.com insecurely, use `--no-check-certificate'.
  Closed 3/SSL 0x08ca1968

  Notice, that wget tries to download certificate from IPv6 address
  ::ffff:67.215.65.132; I don't have IPv6 connectivity...

  Let's try to get DNS details about www.digicert.com, I use OpenDNS
  server:

  $ host -a www.digicert.com 208.67.222.222
  Trying "www.digicert.com"
  Using domain server:
  Name: 208.67.222.222
  Address: 208.67.222.222#53
  Aliases:

  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17002
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;www.digicert.com.		IN	ANY

  ;; ANSWER SECTION:
  www.digicert.com.	95	IN	A	64.78.193.234
  www.digicert.com.	0	IN	AAAA	::ffff:67.215.65.132

  Received 78 bytes from 208.67.222.222#53 in 62 ms

  $ host -t A www.digicert.com 208.67.222.222
  Using domain server:
  Name: 208.67.222.222
  Address: 208.67.222.222#53
  Aliases:

  www.digicert.com has address 64.78.193.234

  $ host -t AAAA www.digicert.com 208.67.222.222
  Using domain server:
  Name: 208.67.222.222
  Address: 208.67.222.222#53
  Aliases:

  www.digicert.com has no AAAA record

  From these examples, I assume that record 0 IN AAAA returned by
  OpenDNS server is not valid and should be ignored. For some reason,
  wget (and git) tries to use AAAA record to download certificate...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wget/+bug/1312127/+subscriptions

More information about the foundations-bugs mailing list