Making WordPress.org

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#611 closed defect (bug) (wontfix)

Add ^wordpress.org SSL cert for clients that do not support subject alt names

Reported by: BrianLayman
Owned by:
Milestone:
Priority: low
Component: SSL
Keywords:
Cc:

Description

Summary: Some clients, specifically older releases of wget, do not support alternative DNS names in certificates. A recent change to wordpress.org forcing https may cause Linux scripts to throw errors.

Details:
I've got scripts that forcibly maintain clean WP installs by going out and grabbing http://wordpress.org/latest.zip and installing it.
Within the last couple days the wordpress.org site changed to redirect that request to https://wordpress.org/latest.zip.
The certificate on wordpress.org is explicitly for *.wordpress.org, but does have an alternative name for wordpress.org.
DNS Name=*.wordpress.org
DNS Name=wordpress.org

So this is what I get on my script runs today:
--2014-09-18 08:55:38-- http://wordpress.org/latest.zip
Resolving wordpress.org... 66.155.40.249, 66.155.40.250
Connecting to wordpress.org|66.155.40.249|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://wordpress.org/latest.zip [following]
--2014-09-18 08:55:38-- https://wordpress.org/latest.zip
Connecting to wordpress.org|66.155.40.249|:443... connected.
ERROR: certificate common name `*.wordpress.org' doesn't match requested host name `wordpress.org'.
To connect to wordpress.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
unzip: cannot find or open latest.zip, latest.zip.zip or latest.zip.ZIP

The source of the issue for me is that I have "GNU Wget 1.11.4 Red Hat modified" or older on most of the servers I manage. The issue is fixed in 1.12.

I'll update the wget on my servers, but thought this should still be logged for informational purposes, if nothing else.

Thank you to Nacin on the assist in diagnosing the true issue at hand.
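
Added example, not part of the ticket and not wget's code: a simplified Python sketch of the host name check at issue, comparing a client that reads only the certificate's common name with one that also reads subjectAltName. The certificate dictionary is constructed from the two DNS names quoted above, and all function names are hypothetical.

```python
"""Added illustration: CN-only vs SAN-aware host name checks (simplified RFC 6125 matching)."""

# Constructed from the names quoted in the ticket: the CN is the wildcard,
# and the subjectAltName extension lists both DNS names.
CERT = {
    "common_name": "*.wordpress.org",
    "san_dns": ["*.wordpress.org", "wordpress.org"],
}


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name.

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label, so '*.wordpress.org' never matches the bare
    'wordpress.org' or 'a.b.wordpress.org'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_cn_only(cert: dict, host: str) -> bool:
    """Legacy behaviour reported in the ticket: only the common name is compared."""
    return name_matches(cert["common_name"], host)


def verify_san_aware(cert: dict, host: str) -> bool:
    """If DNS SANs are present they are authoritative and the CN is ignored;
    fall back to the CN only when the certificate carries none."""
    sans = cert.get("san_dns") or []
    if sans:
        return any(name_matches(name, host) for name in sans)
    return name_matches(cert["common_name"], host)


if __name__ == "__main__":
    for host in ("wordpress.org", "api.wordpress.org", "a.b.wordpress.org"):
        print(host, "cn-only:", verify_cn_only(CERT, host),
              "san-aware:", verify_san_aware(CERT, host))
```

The bare domain fails the CN-only check because the wildcard needs one extra label, while the SAN-aware check succeeds through the second DNS entry.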

Change History (2)

#1 @nacin
10 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

I'm glad we've documented this, but I'm not inclined to do anything about this. All modern browsers and even IE6 support SAN + wildcard SSL certs, so the only real-world issue is wget 1.11. I think it was fixed in 1.12.1.

#2 @doublesharp
10 years ago

Took me a second to update wget so in case it is helpful this is what I ran on my CentOS 5.11 machines. For some reason I had to alias /usr/local/bin/wget to /usr/bin/wget even though the former is in my path.

cd ~
wget http://ftp.gnu.org/gnu/wget/wget-1.15.tar.gz
yum -y remove wget
tar -xzvf wget-1.15.tar.gz
cd wget-1.15
./configure --with-ssl=openssl --prefix=/usr
make && make install
ln -s /usr/local/bin/wget /usr/bin/wget
Last edited 10 years ago by doublesharp