get-fonts.sh fails with "curl: (60) SSL certificate problem: certificate has expired" #4864

Closed
mnalis opened this issue Aug 18, 2023 · 8 comments · Fixed by #4887
mnalis commented Aug 18, 2023

Reported issue on https://t.me/OpenStreetMapDev/7266 when following tutorial at https://switch2osm.org/serving-tiles/manually-building-a-tile-server-ubuntu-22-04-lts/

Expected behavior

scripts/get-fonts.sh finishes successfully and downloads needed fonts and unpacks/installs them.

Actual behavior

curl returns error curl: (60) SSL certificate problem: certificate has expired and script aborts.
It seems to be related to downloading hanazono.zip.

Screenshots with links illustrating the problem

[screenshot: photo_2023-08-18_13-06-24]

Ideally remote site would fix certificates and keep them in order, or other more reliable font source should be used, or (worst case) --insecure might be used to allow curl to download the fonts.

mnalis commented Aug 18, 2023

I've reported it to osdn.net at https://osdn.net/projects/support/ticket/48489; hopefully they'll fix it.

mmd-osm commented Sep 15, 2023

osdn.dl.osdn.net certificate has been updated in the meantime. The new "not before validity date" is Mon, 17 Jul 2023 01:48:41 GMT.

hholzgra commented:

It's failing again for me today:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

Maybe we should add the -k / --insecure option to that one specific curl call?

hholzgra commented:

Or, given that this download takes over half an hour at ca. 16 KB/s: host a copy of this somewhere else?

mnalis commented Oct 18, 2023

Given that the following problems have been going on for months (at least):

  • network speed issues
  • repeating server certificate issues
  • failure to even respond to such serious issues reported in their ticketing system

I too think it would be prudent to host needed files somewhere else (preferably before it collapses completely).

The certificate problems are back for me too:
% wget -S 'https://osdn.net/frs/redir.php?f=hanazono-font%2F68253%2Fhanazono-20170904.zip'
--2023-10-18 18:06:34--  https://osdn.net/frs/redir.php?f=hanazono-font%2F68253%2Fhanazono-20170904.zip
Resolving osdn.net (osdn.net)... 54.212.190.218, 52.35.241.6
Connecting to osdn.net (osdn.net)|54.212.190.218|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Wed, 18 Oct 2023 16:06:35 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 0
  Connection: keep-alive
  Server: Apache/2.4.25 (Debian)
  Strict-Transport-Security: max-age=31536000
  Location: https://osdn.dl.osdn.net/hanazono-font/68253/hanazono-20170904.zip
Location: https://osdn.dl.osdn.net/hanazono-font/68253/hanazono-20170904.zip [following]
--2023-10-18 18:06:35--  https://osdn.dl.osdn.net/hanazono-font/68253/hanazono-20170904.zip
Resolving osdn.dl.osdn.net (osdn.dl.osdn.net)... 44.227.127.205, 54.184.171.155
Connecting to osdn.dl.osdn.net (osdn.dl.osdn.net)|44.227.127.205|:443... connected.
ERROR: The certificate of ‘osdn.dl.osdn.net’ is not trusted.
ERROR: The certificate of ‘osdn.dl.osdn.net’ has expired.
The certificate has expired

openssl s_client -connect 44.227.127.205:443 -servername osdn.dl.osdn.net -verify 5
verify depth is 5
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = osdn.dl.osdn.net
verify error:num=10:certificate has expired
notAfter=Oct 15 01:48:40 2023 GMT
verify return:1
depth=0 CN = osdn.dl.osdn.net
notAfter=Oct 15 01:48:40 2023 GMT
verify return:1
---
Certificate chain
 0 s:CN = osdn.dl.osdn.net
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 17 01:48:41 2023 GMT; NotAfter: Oct 15 01:48:40 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = osdn.dl.osdn.net
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4704 bytes and written 448 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BB4701CCCC2D30CCE000F7A3BC30431FBE46B459AE0E915904237B8531B61398
    Session-ID-ctx:
    Master-Key: FA4EBF56694C6B8830DBB8943BB7EEDCBBC6759C67B8B563977E5D4FBB7BA55B6C57327335C139822E3BEC7F66AA40C6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1697645507
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
---

Also, several of the IPs offered fail to connect, and those that do connect often fail due to timeout, have certificate errors, or in the best case are horribly slow (single-digit kBps). In addition, the ticketing system often times out too.

mnalis added a commit to mnalis/openstreetmap-carto that referenced this issue Oct 18, 2023
imagico commented Oct 18, 2023

I am not opposed to changing the source of the fonts, but I wonder if picking a random mirror just moves the problem slightly until it strikes again (when this hoster becomes unreliable). We had essentially the same problem with the Natural Earth files already.

There are options worth considering IMO:

mnalis commented Oct 18, 2023

Sure, self-hosting the needed font files seems ideal (as I liked it in that other issue). However, I'd still go with quickly and pragmatically applying #4887 in the meantime, as analysis paralysis is detrimental to everyone. It's trivial to review, and it is just one click to apply. Can we?

Those with enough rights can work on implementing self-hosting. If I can help with that too, I'd be glad to try. Let me know.
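The thread floats two fallbacks: passing -k / --insecure to that one curl call, or hosting the archive elsewhere. Either way, a safer pattern is to keep certificate verification on and additionally pin the archive's SHA-256, so an unreliable or swapped mirror fails closed instead of silently serving something else. The script below is an added example, not code from get-fonts.sh or from #4887; the function names, the placeholder checksum and the sha256sum/shasum fallback are assumptions.

```shell
#!/bin/sh
# Added example (not openstreetmap-carto's get-fonts.sh): fetch a font archive
# with curl's TLS verification left on, then check a pinned SHA-256 before use.
set -eu

# sha256_of FILE: print the hex digest, using whichever tool the host has
# (coreutils sha256sum on Linux, shasum on macOS/BSD; assumed available).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: returns 0 on match, 1 on mismatch.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verified URL DEST EXPECTED_HEX
# No -k/--insecure: an expired or untrusted certificate still aborts the
# download (curl exit 60). A checksum mismatch removes the file and fails,
# so a later unzip never runs on an unverified archive.
fetch_verified() {
    url="$1"; dest="$2"; expected="$3"
    curl --fail --location --retry 3 --output "$dest" "$url"
    if ! verify_sha256 "$dest" "$expected"; then
        echo "checksum mismatch for $dest (from $url)" >&2
        rm -f "$dest"
        return 1
    fi
}

# cert_not_after HOST [PORT]: report the leaf certificate's expiry date, the
# same fact the openssl s_client output above shows, for a clear error message.
cert_not_after() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2
}

# Usage (placeholder digest: compute it once from a known-good copy of the zip):
# fetch_verified \
#   'https://osdn.dl.osdn.net/hanazono-font/68253/hanazono-20170904.zip' \
#   hanazono-20170904.zip <SHA256_OF_KNOWN_GOOD_ARCHIVE>
```

If the pinned digest ever changes, that is a signal to look at the mirror before updating the script, not a reason to drop the check.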
