When GitHub and wget on Debian Wheezy bite each other (TLS warning alert)

Written by - 2 comments

Published on - Listed in Linux Internet Git

On a Debian Wheezy (7.4) system I tried to directly download one of my Nagios plugins (check_smart) with wget but got the following error:

wget -V | grep "GNU Wget"
GNU Wget 1.13.4 built on linux-gnu.

wget https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:30:35--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
GnuTLS: A TLS warning alert has been received.
Unable to establish SSL connection.

I remember this was working fine a couple of weeks ago. For a better comparison I launched the same command on a Debian Squeeze (6.0.9):

wget -V | grep "GNU Wget"
GNU Wget 1.12 built on linux-gnu.

wget https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:37:01--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com... 185.31.17.133
Connecting to raw.githubusercontent.com|185.31.17.133|:443... connected.
ERROR: certificate common name "www.github.com" doesn't match requested host name "raw.githubusercontent.com".
To connect to raw.githubusercontent.com insecurely, use '--no-check-certificate'.

The download also failed with the older wget on Debian Squeeze but this time the error message was more helpful: The certificate doesn't match the hostname/URL.
Github does indeed use the SSL certificate for the CN "www.github.com" for the URL "raw.githubusercontent.com". 
That's a clear misconfiguration on the github server side. Hello github admins, please check and fix that...

Update March 31st 2014: Github uses *.githuberusercontent.com as SubjectAltName in the certificate. So the cert is alright. See comment at the end of this page

As suggested in the wget 1.12 output, the parameter "--no-check-certificate" can be used to ignore the SSL error and proceed with the download:

wget --no-check-certificate https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:42:28--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com... 185.31.16.133
Connecting to raw.githubusercontent.com|185.31.16.133|:443... connected.
WARNING: certificate common name "www.github.com" doesn't match requested host name "raw.githubusercontent.com".
HTTP request sent, awaiting response... 200 OK
Length: 15236 (15K) [text/plain]
Saving to: "check_smart.pl"

100%[========================================>] 15,236      --.-K/s   in 0.03s  

2014-03-25 08:42:28 (532 KB/s) - "check_smart.pl" saved [15236/15236]

But trying this with the newer wget 1.13.4 on Debian Wheezy still fails:

wget --no-check-certificate https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
--2014-03-25 08:43:29--  https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.31.17.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.31.17.133|:443... connected.
GnuTLS: A TLS warning alert has been received.
Unable to establish SSL connection.

This is due to the open Debian bug #738625 which hopefully will be fixed soon.

As a workaround, curl can be used:

curl -o check_smart.pl https://raw.githubusercontent.com/Napsty/check_smart/master/check_smart.pl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 15236  100 15236    0     0  69277      0 --:--:-- --:--:-- --:--:--  100k

Update April 28th 2014:
After recent patch installations (and Debian 7.5), wget now works correctly again (1.13.4-3+deb7u1).


Add a comment

Show form to leave a comment

Comments (newest first)

Claudio Kuenzler from Geneva, Switzerland wrote on Mar 29th, 2014:

Hi praseodym. Yes, youre right. So the issue seems to be purely wget. Thanks :)

praseodym from wrote on Mar 29th, 2014:

Actually the GitHub SSL certificate has subjectAltName *.githubusercontent.com set, so the cert is all fine.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder