This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

v0.12.6: WGET does not trust certificate when doing download #25629

Closed
BobCochran opened this issue Jul 4, 2015 · 12 comments

Comments

@BobCochran

When attempting to download file node-v0.12.6.tar.gz using wget as a standard user on Mac OS X 10.10.4 I get this error:
Downloads gbwk$ wget https://nodejs.org/dist/v0.12.6/node-v0.12.6.tar.gz
--2015-07-04 10:03:50-- https://nodejs.org/dist/v0.12.6/node-v0.12.6.tar.gz
Resolving nodejs.org... 165.225.133.150
Connecting to nodejs.org|165.225.133.150|:443... connected.
ERROR: The certificate of 'nodejs.org' is not trusted.
ERROR: The certificate of 'nodejs.org' hasn't got a known issuer.

I've never had this happen in many downloads from nodejs.org in the past. To download through wget, I now need to use --no-check-certificate for both the tarball and the SHASUMS.txt.asc file.

@thefourtheye

I just tried, it works fine. Why don't you try again now?

@BobCochran
Author

Thanks for responding to this. wget-ing the node sources under the latest Mac OS Yosemite update (to 10.10.4) does not work, exactly as described above. I just retried it. I had compiled wget as a standard user on the Mac, since wget is not provided in Mac OS by default. I think curl is, but not wget. Perhaps if I recompile and reinstall wget, it will work.

wget-ing the node sources on one of my other boxes which runs CentOS Linux 6.5 works just fine. Completely as expected.

I will try recompiling and reinstalling wget on OS X to see what happens. Perhaps there have been significant changes to openssl that affect wget, and my version needs to be updated and reinstalled.

@thefourtheye

@BobCochran Looks like you may have to update your CA certificates to get wget working. But I don't own a Mac machine, so I can't be of much help here. Sorry :(

@BobCochran
Author

I recompiled gnutls and wget to the latest versions, and added the nodejs.org certificate to my OS X login keychain. Still no luck. Firefox will download node-v0.12.6.tar.gz without complaint. Evidently I need to do better research here. Thank you for your help with this. I will update this ticket as I research more, but since I can download via Firefox and I can successfully download with wget on a popular Linux distro, I don't need to waste your time on this.

@karthik-rangarajan

@BobCochran If you install wget via brew, it works fine on OS/X. I just tried on Yosemite via wget, and it's working fine.

@BobCochran
Author

@karthik-rangarajan Thank you for your help. Everything with my standard user install of wget worked fine, until just recently. The thing that changed is that I installed OS X 10.10.4, Xcode, and Xcode Command Line Tools (all as updates, of course) in one swoop last week. So I think something in those updates is affecting wget. There could be some change to openssl made by Apple.

However your comment could be an important clue for me -- I will check to see what "./configure" options brew uses for wget, and try to recompile using those. I only compiled with the --prefix option because I prefer working as a standard user. Perhaps I need to recompile gnutls with particular options as well. I'm at wget version 1.16.3 and gnutls 3.3.15.

@misterdjules

@BobCochran Were you using HTTP instead of HTTPS before to download Node.js with wget?

@BobCochran
Author

I always right click on the download URL seen on the Nodejs download page, then "copy link location" to the clipboard, then paste that into the wget command on the terminal. So I'm using whichever protocol the Node website itself specifies for downloads.

Bob


@misterdjules

@BobCochran Thank you for the clarification 👍

The default protocol for downloads on nodejs.org was changed recently from HTTP to HTTPS (nodejs/nodejs.org#127). The certificates are signed with a certificate authority that should be trusted by most browsers and SSL/TLS clients. On my OSX setup, wget looks for trusted root certificates in /usr/local/etc/openssl/cert.pem:

$ sudo dtrace -n 'syscall::open*:entry /pid == $target/ { printf("file: %s\n", copyinstr(arg0)) } ' -c 'wget --quiet https://nodejs.org/dist/v0.12.6/node-v0.12.6.tar.gz'
dtrace: description 'syscall::open*:entry ' matched 4 probes
CPU     ID                    FUNCTION:NAME
  0    946              open_nocancel:entry file: /usr/local/etc/wgetrc

  0    946              open_nocancel:entry file: /etc/localtime

dtrace: error on enabled probe ID 4 (ID 160: syscall::open:entry): invalid address (0x10259b592) in action #1 at DIF offset 24
  0    946              open_nocancel:entry file: /usr/local/etc/openssl/cert.pem

  4    946              open_nocancel:entry file: /usr/share/zoneinfo/UTC

  6    946              open_nocancel:entry file: node-v0.12.6.tar.gz.9

whereas curl for instance reads the system's keychain.

On my OSX machine, the root certificate authority's certificate is both in my keychain and in /usr/local/etc/openssl/cert.pem, so downloading with wget and curl works.

Would you mind running the following command:

sudo dtrace -n 'syscall::open*:entry /pid == $target/ { printf("file: %s\n", copyinstr(arg0)) } ' -c 'wget --quiet https://nodejs.org/dist/v0.12.6/node-v0.12.6.tar.gz'

to see where wget looks for trusted root certificates on your machine? Make sure that the file exists. If it exists, it might be outdated. The version of OpenSSL installed on my system is:

$ openssl version
OpenSSL 0.9.8za 5 Jun 2014
$

What is the OpenSSL version currently installed on your system?

If you can't find a version of OpenSSL or GnuTLS that comes with the root certificate used to sign nodejs.org's certificate, you can download it from Thawte's website (https://www.thawte.com/roots/thawte_Primary_Root_CA.pem). Obviously, that's not a great user experience and I would expect other users to run into this problem. We might need to make some changes to the download process in the future if that's too cumbersome for a significant number of users.

@BobCochran
Author

Julien, thank you very much for helping me with this, it is much
appreciated.

It looks like back in January, I compiled a version of openssl without
knowing how to tell it where to find the certificates:

$ openssl version
OpenSSL 1.0.2 22 Jan 2015

That OpenSSL lives in ~/local/bin.

...so when I run sudo dtrace... (using ~/local/bin/wget) as you request I
get this output:

dtrace: description 'syscall::open*:entry ' matched 7 probes
CPU     ID                    FUNCTION:NAME
  0    151                       open:entry file: /dev/urandom

  0    937              open_nocancel:entry file: /Users/gbwk/local/etc/wgetrc

  0    937              open_nocancel:entry file: /etc/localtime

  0    937              open_nocancel:entry file: /etc/ssl/certs

  0    937              open_nocancel:entry file: /etc/.mdns_debug

I can see that on my system, /etc/ssl and /etc/ssl/certs do not exist. So
it looks like the problem is me! I've tripped all over myself with this.
I'm so non-experienced with openssl that I'm not sure of my next steps. I'm
not afraid of recompiling openssl and gnutls and wget with new options, I'm
just not sure which options will work.

Thanks

Bob


@misterdjules

Thank you @BobCochran for the info 👍

I would suggest installing either GnuTLS or OpenSSL from brew. Software distribution systems (such as Linux distributions or brew) usually take care of providing a reasonable initial trusted certificates store.

In the case of brew, it generates a trusted certificates store from the system's keychain when installing OpenSSL. It does the same when installing GnuTLS.

Please let us know if that helps :)
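
Added example, not part of the thread and not code from any participant: a small shell check for the failure diagnosed above, where wget was pointed at a trust store that does not exist. It classifies the two trust-store paths seen in the dtrace output and prints the wget option (`--ca-certificate` or `--ca-directory`) for the first usable one, so the download can keep certificate verification on; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Candidate paths are the two trust-store
# locations that appear in the dtrace traces quoted in the comments above.
CANDIDATES="/usr/local/etc/openssl/cert.pem /etc/ssl/certs"

# classify_store PATH: print "missing", "empty", "file:N" (N PEM certificate
# blocks in a bundle file) or "dir:N" (N entries in a certificate directory;
# the entries are counted, not parsed).
classify_store() {
    if [ -f "$1" ]; then
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
        if [ "${n:-0}" -gt 0 ]; then echo "file:$n"; else echo "empty"; fi
    elif [ -d "$1" ]; then
        n=$(ls -A "$1" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then echo "dir:$n"; else echo "empty"; fi
    else
        echo "missing"
    fi
}

# wget_ca_flag PATH...: print the wget option for the first usable store,
# or return 1 when none of the given paths can be used.
wget_ca_flag() {
    for p in "$@"; do
        case $(classify_store "$p") in
            file:*) echo "--ca-certificate=$p"; return 0 ;;
            dir:*)  echo "--ca-directory=$p";   return 0 ;;
        esac
    done
    return 1
}

# Report each candidate, then suggest a verified download command.
for p in $CANDIDATES; do
    printf '%-40s %s\n' "$p" "$(classify_store "$p")"
done
if flag=$(wget_ca_flag $CANDIDATES); then
    echo "usable: wget $flag https://nodejs.org/dist/v0.12.6/node-v0.12.6.tar.gz"
else
    echo "no usable trust store found; install a CA bundle rather than passing --no-check-certificate"
fi
```

A result of "missing" or "empty" for every candidate matches the situation in the second dtrace trace, where /etc/ssl/certs was opened but did not exist.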

@jasnell
Member

jasnell commented Jul 9, 2015

Closing this as it does not appear to be an issue with node.

@jasnell jasnell closed this as completed Jul 9, 2015