#611 closed defect (bug) (wontfix)
Add ^wordpress.org SSL cert for clients that do not support subject alt names
| Reported by: | BrianLayman | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | low |
| Component: | SSL | Keywords: | |
| Cc: | | | |
Description
Summary: Some clients, specifically older releases of wget, do not support alternative DNS names in certificates. A recent change to wordpress.org forcing https may cause Linux scripts to throw errors.
Details:
I've got scripts that forcibly maintain clean WP installs by going out and grabbing http://wordpress.org/latest.zip and installing it.
Within the last couple days the wordpress.org site changed to redirect that request to https://wordpress.org/latest.zip.
The certificate on wordpress.org is explicitly for *.wordpress.org, but does have an alternative name for wordpress.org.
DNS Name=*.wordpress.org
DNS Name=wordpress.org
So this is what I get on my script runs today:
```
--2014-09-18 08:55:38-- http://wordpress.org/latest.zip
Resolving wordpress.org... 66.155.40.249, 66.155.40.250
Connecting to wordpress.org|66.155.40.249|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://wordpress.org/latest.zip [following]
--2014-09-18 08:55:38-- https://wordpress.org/latest.zip
Connecting to wordpress.org|66.155.40.249|:443... connected.
ERROR: certificate common name `*.wordpress.org' doesn't match requested host name `wordpress.org'.
To connect to wordpress.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
unzip: cannot find or open latest.zip, latest.zip.zip or latest.zip.ZIP
```
The source of the issue for me is that I have "GNU Wget 1.11.4 Red Hat modified" or older on most of the servers I manage. The issue is fixed in 1.12.
I'll update the wget on my servers, but thought this should still be logged for informational purposes, if nothing else.
Thank you to Nacin on the assist in diagnosing the true issue at hand.
Change History (2)
#2
10 years ago
Took me a second to update wget, so in case it is helpful this is what I ran on my CentOS 5.11 machines. For some reason I had to alias /usr/local/bin/wget to /usr/bin/wget even though the former is in my path.

```
cd ~
# Fetch the wget 1.15 source tarball
wget http://ftp.gnu.org/gnu/wget/wget-1.15.tar.gz
# Remove the distribution's wget package
yum -y remove wget
tar -xzvf wget-1.15.tar.gz
cd wget-1.15
# Build against OpenSSL
./configure --with-ssl=openssl --prefix=/usr
make && make install
ln -s /usr/local/bin/wget /usr/bin/wget
```
I'm glad we've documented this, but I'm not inclined to do anything about this. All modern browsers and even IE6 support SAN + wildcard SSL certs, so the only real-world issue is wget 1.11. I think it was fixed in 1.12.1.
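
The mismatch discussed in this ticket, as an added example that is not part of the original ticket or of wget's code: a common-name-only check beside a subjectAltName-aware check, run against the two DNS names quoted in the description. The `CERT` dictionary and all function names are constructed for illustration.

```python
# Constructed certificate data: the two DNS names quoted in the ticket.
CERT = {
    "common_name": "*.wordpress.org",
    "san_dns": ["*.wordpress.org", "wordpress.org"],
}


def label_match(pattern, host):
    """Compare one presented name with the requested host, label by label.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label, so "*.wordpress.org" does not cover "wordpress.org".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.org".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def verify_cn_only(cert, host):
    """Legacy check: only the subject common name is consulted."""
    return label_match(cert["common_name"], host)


def verify_san_aware(cert, host):
    """RFC 6125 style check: dNSName SAN entries, when present, are
    authoritative; the common name is a fallback only when there are none."""
    names = cert.get("san_dns") or []
    if names:
        return any(label_match(name, host) for name in names)
    return label_match(cert["common_name"], host)


if __name__ == "__main__":
    hosts = ("wordpress.org", "api.wordpress.org",
             "a.b.wordpress.org", "wordpress.org.example.net")
    for host in hosts:
        print(f"{host:28} cn_only={verify_cn_only(CERT, host)!s:5} "
              f"san_aware={verify_san_aware(CERT, host)}")
```

The apex name `wordpress.org` is the only host in the sample where the two checks disagree, which is the failure shown in the wget output above.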