bootstrap.sh fails when using wget, due to a certificate issue #1796
Comments
A somewhat naive question: why isn't the certificate trusted? Chrome doesn't give me much info about the certificate, more than it's issued by GlobalSign.
The certificate IS signed by a CA, in this case, GlobalSign. They issued us a wildcard certificate as an OSS project - but it is not 'trusted' in the sense it does not have identity validation of the haskell.org domain (i.e. they did not directly verify the registrant as the representative for the organization, which typically requires physical correspondence and possibly paperwork on behalf of Haskell.org.) Ideally, what we would actually have is an EV wildcard certificate, which would essentially offer the highest degree of identity verification on behalf of us, while still allowing us to have multiple domains secured by HTTPS at our discretion. Unfortunately those are going to run us anywhere from a few hundred to a thousand dollars a year (USD) or more, depending on the CA you go with.
I'll also note that in this case, the fact
I'm leaning towards
Fixed by 4167869.
@TravisCardwell What version of wget are you using? I think this is a wget bug:
I am using wget as packaged for Debian stable: https://packages.debian.org/wheezy/wget The current version is based on 1.13.4, but SNI support appears to have been backported: http://metadata.ftp-master.debian.org/changelogs//main/w/wget/wget_1.13.4-3+deb7u1_changelog
Interesting. When I google, I do see at least one case where that version of wget still fails when 1.14 works: Hexxeh/rpi-update#65 (comment) @TravisCardwell Sorry to trouble you, but would you be willing to build wget 1.14 from source just to see if it works for you with hackage? If not I'll need to create a debian vm so I can reproduce it.
@dagit No problem. I just booted a minimal VM and did some tests. With wget 1.14 built from source, I got the same error. I was going to install curl to do that test as well, and I noticed that the installation pulls ca-certificates as well! Aborting the curl installation, I installed The real issue is that ca-certificates was not installed. While
@TravisCardwell you mean reverting the use of
Sounds like a bug in Debian then -
@tibbe The presence of
I've reverted this patch. If anyone wants to file a bug report for Debian, feel free to do so.
@23Skidoo I have emailed the
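The thread traces the wget failure to a missing ca-certificates package rather than to the hackage certificate. The following is an added example, not code from cabal's bootstrap.sh, of a fetch wrapper that diagnoses a missing or empty trust store and stops instead of falling back to --no-check-certificate. The names find_ca_bundle, fetch_verified, CA_BUNDLE_CANDIDATES and WGET are hypothetical, and the default bundle paths are the usual Debian and Red Hat locations.

```shell
#!/bin/sh
# Added example; not part of cabal's bootstrap.sh. All names are hypothetical.

# Candidate CA bundle paths (space separated, so paths must not contain
# spaces). The first is where Debian's ca-certificates package writes its
# bundle; the second is the usual Red Hat location. Override as needed.
CA_BUNDLE_CANDIDATES="${CA_BUNDLE_CANDIDATES:-/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt}"

# Print the first candidate that is readable and holds at least one PEM
# certificate. Return 1 when none qualifies, which also covers a bundle
# file that exists but is empty.
find_ca_bundle() {
  for f in $CA_BUNDLE_CANDIDATES; do
    if [ -r "$f" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# Fetch URL into OUT with certificate verification left on. Without a trust
# store, report the cause and return 2 rather than disabling verification.
fetch_verified() {
  url=$1
  out=$2
  if ! bundle=$(find_ca_bundle); then
    echo "no CA bundle found; install the ca-certificates package" >&2
    return 2
  fi
  # WGET can name a different binary; --ca-certificate pins the bundle found.
  ${WGET:-wget} --ca-certificate="$bundle" -O "$out" "$url"
}
```
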
…icate as seen in issue haskell/cabal#1796
Old wget on Travis (Ubuntu 12.04) has some bugs checking certificates, see e.g.: haskell/cabal#1796
When using bootstrap.sh to install cabal-install, and wget is used to fetch packages, the installation fails with the following error message:
Inspection of the https://hackage.haskell.org/ certificate with Firefox confirms that identity information is not trusted.
The issue was introduced in 41d52be (Bootstrap over HTTPS.).
Systems with curl installed do not have this error, as curl does not complain about the certificate.
I can think of two ways to resolve this issue without reverting to HTTP. One is to replace the https://hackage.haskell.org/ certificate with one that is trusted. Alternatively, the --no-check-certificate option can be added to the wget command, instructing it to ignore the error.
Test environment: