Making WordPress.org

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#611 closed defect (wontfix)

Add ^wordpress.org SSL cert for clients that do not support subject alt names

Reported by: BrianLayman
Owned by:
Milestone:
Priority: low
Component: SSL
Keywords:


Summary: Some clients, specifically older releases of wget, do not support alternative DNS names in certificates. A recent change to wordpress.org forcing https may cause Linux scripts to throw errors.

I've got scripts that forcibly maintain clean WP installs by going out and grabbing http://wordpress.org/latest.zip and installing it.
Within the last couple days the wordpress.org site changed to redirect that request to https://wordpress.org/latest.zip.
The certificate on wordpress.org is explicitly for *.wordpress.org, but does have an alternative name for wordpress.org.
DNS Name=*.wordpress.org
DNS Name=wordpress.org

So this is what I get on my script runs today:
--2014-09-18 08:55:38-- http://wordpress.org/latest.zip
Resolving wordpress.org...,
Connecting to wordpress.org||:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://wordpress.org/latest.zip [following]
--2014-09-18 08:55:38-- https://wordpress.org/latest.zip
Connecting to wordpress.org||:443... connected.
ERROR: certificate common name `*.wordpress.org' doesn't match requested host name `wordpress.org'.
To connect to wordpress.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
unzip: cannot find or open latest.zip, latest.zip.zip or latest.zip.ZIP

The source of the issue for me is that I have "GNU Wget 1.11.4 Red Hat modified" or older on most of the servers I manage. The issue is fixed in 1.12.

I'll update the wget on my servers, but thought this should still be logged for informational purposes, if nothing else.

Thank you to Nacin on the assist in diagnosing the true issue at hand.

Change History (2)

#1 @nacin
3 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

I'm glad we've documented this, but I'm not inclined to do anything about this. All modern browsers and even IE6 support SAN + wildcard SSL certs, so the only real-world issue is wget 1.11. I think it was fixed in 1.12.1.

#2 @doublesharp
3 years ago

Took me a second to update wget so in case it is helpful this is what I ran on my CentOS 5.11 machines. For some reason I had to alias /usr/local/bin/wget to /usr/bin/wget even though the former is in my path.

cd ~
wget http://ftp.gnu.org/gnu/wget/wget-1.15.tar.gz
yum -y remove wget
tar -xzvf wget-1.15.tar.gz
cd wget-1.15
./configure --with-ssl=openssl --prefix=/usr
make && make install
ln -s /usr/local/bin/wget /usr/bin/wget
Last edited 3 years ago by doublesharp