Update repo URLs to luarocks.org instead of rocks.moonscript.org #488

merged 1 commit into from Jan 25, 2016

jcgoble3
Contributor

Previously, this used an old URL and downloaded over HTTP, in cleartext. This commit updates to the URL that the old one redirects to, and changes to HTTPS encryption for security. HTTPS is currently impossible on rocks.moonscript.org because the security certificate for that domain expired in May 2015.

See posts on the lua-l mailing list tonight (not yet visible in the lua-l archives) for more context.

@jcgoble3
Contributor Author

The Travis CI build is incorrectly failing the HTTPS certificate check. A check of the certificate through Firefox shows that it is still valid, so this is a bug on Travis's end. Appveyor is not throwing certificate errors.

@jcgoble3
Contributor Author

A quick hack to fix this would be to pass the --no-check-certificate option to wget, but that's insecure. Of course, the previous version of the script was just as insecure, since it used HTTP instead of HTTPS.

@jcgoble3
Contributor Author

After looking closer, the certificate issuer being reported by wget in the Travis CI build does NOT match what I get when I visit the site in Firefox. Something may be fishy here, and thus I would strongly recommend against the --no-check-certificate hack.

It's also worth noting that possible issues like this are one reason why HTTPS is a good idea.

@ignacio
Contributor

ignacio commented Jan 22, 2016

Can you try installing the ca-certificates package?
Add this to the .travis.yml file:

addons:
  apt:
    packages:
    - ca-certificates

and try again.

@jcgoble3
Contributor Author

Done, and didn't solve the issue. As I said above, the certificate issuer listed in the Travis build log does not match the issuer on the certificate I receive when visiting the site through Firefox. It sounds like something's intercepting the request or something like that. At this point I would recommend contacting Travis CI for support, because I'm pretty sure the problem is on their end.

@ignacio
Contributor

ignacio commented Jan 24, 2016

I'm no security expert but I don't think we're dealing with a man-in-the-middle attack or something like that. It seems that luarocks.org is presenting a different certificate when accessed with a browser (issued to luarocks.org) but presenting the old one (issued to rocks.moonscript.org) when accessed with wget or curl.

Maybe @leafo can shed some light on why this happens.

@siffiejoe
Contributor

The problem is not wget or curl. Both work fine with https://luarocks.org/. The problem is right here in the test script.

@siffiejoe
Contributor

testing.bat also contains the old URL, btw., but it doesn't use https.

@jcgoble3
Contributor Author

@siffiejoe Yet my pull request already changes that to "https://luarocks.org" (and in testing.bat), so I don't know what's really going on here.

@siffiejoe
Contributor

Right, it also says luarocks.org in the test output. Sorry for the noise ...

@ignacio
Contributor

ignacio commented Jan 25, 2016

@siffiejoe can you post the output of wget with luarocks.org? My copy of wget (1.11.4) does not work. I get the certificate issued to rocks.moonscript.org

C:\Users\ignacio>d:\luarocks-2.3.0-win32\win32\tools\wget https://luarocks.org
SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
syswgetrc = c:/progra~1/wget/etc/wgetrc
--2016-01-24 21:55:21--  https://luarocks.org/
Resolving luarocks.org... 45.33.61.132
Connecting to luarocks.org|45.33.61.132|:443... connected.
ERROR: cannot verify luarocks.org's certificate, issued by `/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA':
  Unable to locally verify the issuer's authority.
ERROR: certificate common name `rocks.moonscript.org' doesn't match requested host name `luarocks.org'.
To connect to luarocks.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

@siffiejoe
Contributor

Sure.

siffiejoe@Merkur:~ :) LANGUAGE=en_US.UTF8 wget -c https://luarocks.org/
--2016-01-25 02:01:28--  https://luarocks.org/
Resolving luarocks.org (luarocks.org)... 45.33.61.132
Connecting to luarocks.org (luarocks.org)|45.33.61.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9932 (9,7K) [text/html]
Saving to: ‘index.html’

index.html                        100%[===============================================================>]   9,70K  --.-KB/s   in 0s     

2016-01-25 02:01:29 (97,3 MB/s) - ‘index.html’ saved [9932/9932]

siffiejoe@Merkur:~ :) LANGUAGE=en_US.UTF8 wget --version
GNU Wget 1.16.1 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie -psl +ssl/openssl 

Wgetrc: 
    /etc/wgetrc (system)
Locale: 
    /usr/share/locale 
Compile: 
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" 
    -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib 
    -I../../lib -D_FORTIFY_SOURCE=2 -I/usr/include -I/usr/include/uuid 
    -DHAVE_LIBSSL -DNDEBUG -g -O2 -fPIE -fstack-protector-strong 
    -Wformat -Werror=format-security -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 
    -g -Wall 
Link: 
    gcc -I/usr/include/uuid -DHAVE_LIBSSL -DNDEBUG -g -O2 -fPIE 
    -fstack-protector-strong -Wformat -Werror=format-security 
    -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall -Wl,-Bsymbolic-functions 
    -fPIE -pie -Wl,-z,relro -Wl,-z,now -L/usr/lib -lpcre -luuid -lssl 
    -lcrypto -L/usr/lib/x86_64-linux-gnu -lz -lidn ftp-opie.o openssl.o 
    http-ntlm.o ../lib/libgnu.a 

Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.
siffiejoe@Merkur:~ :) 

@ignacio
Contributor

ignacio commented Jan 25, 2016

Thank you. Can you post the output of openssl s_client -host luarocks.org -port 443 -prexit -showcerts ?

@daurnimator
Member

Thank you. Can you post the output of openssl s_client -host luarocks.org -port 443 -prexit -showcerts ?

I see an expired cert.

$ openssl s_client -host luarocks.org -port 443 -prexit -showcerts
CONNECTED(00000003)
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = rocks.moonscript.org
verify error:num=10:certificate has expired
notAfter=May 23 23:59:59 2015 GMT
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = rocks.moonscript.org
notAfter=May 23 23:59:59 2015 GMT
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=rocks.moonscript.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=rocks.moonscript.org
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3141 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D2806934A8801F1C6D03C1BAC71EC392A88E661DC2C3DAD5CD208DA754DD3B22
    Session-ID-ctx: 
    Master-Key: CC7E3175A2E1B5EB7560A4821047FB8CC9A1624786D77275155DADA9D2E16D56626228C4E6754C59C20FEA7CB93B68AE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1453684199
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---

@ignacio
Contributor

ignacio commented Jan 25, 2016

Thanks @daurnimator that's what I get, also when using wget. I'm curious why does it work for @siffiejoe ??

@siffiejoe
Contributor

Mine looks similar to @daurnimator's:

siffiejoe@Merkur:~ :) openssl s_client -host luarocks.org -port 443 -prexit -showcerts
CONNECTED(00000003)
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=rocks.moonscript.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=rocks.moonscript.org
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3141 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BB0DF3D905936C5B30170B74D985FAB9DB5A96C09646B38BDC3E189CF92920D8
    Session-ID-ctx: 
    Master-Key: 4456AFB70DAA331BE3945C30266CB3571B172A3804196C3D0CA7486B13335A2A4360322289D4332C17B111AFC6065889
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1453684512
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=rocks.moonscript.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=rocks.moonscript.org
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3172 bytes and written 452 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BB0DF3D905936C5B30170B74D985FAB9DB5A96C09646B38BDC3E189CF92920D8
    Session-ID-ctx: 
    Master-Key: 4456AFB70DAA331BE3945C30266CB3571B172A3804196C3D0CA7486B13335A2A4360322289D4332C17B111AFC6065889
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1453684512
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
siffiejoe@Merkur:~ :) 

And I have found a slightly older Ubuntu box (12.04), where I get the error:

siphjand@Appollon:~ :) LANGUAGE=en_US.UTF8 wget -c https://luarocks.org/
--2016-01-25 02:08:06--  https://luarocks.org/
Resolving luarocks.org (luarocks.org)... 45.33.61.132
Connecting to luarocks.org (luarocks.org)|45.33.61.132|:443... connected.
ERROR: cannot verify luarocks.org's certificate, issued by `/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA':
  Issued certificate has expired.
ERROR: no certificate subject alternative name matches
        requested host name `luarocks.org'.
To connect to luarocks.org insecurely, use `--no-check-certificate'.
siphjand@Appollon:~ :( LANGUAGE=en_US.UTF8 wget --version
GNU Wget 1.13.4 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl

Wgetrc:
    /etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib
    -I../../lib -D_FORTIFY_SOURCE=2 -Iyes/include -g -O2
    -fstack-protector --param=ssp-buffer-size=4 -Wformat
    -Wformat-security -Werror=format-security -DNO_SSLv2
    -D_FILE_OFFSET_BITS=64 -g -Wall
Link: gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
    -Wformat-security -Werror=format-security -DNO_SSLv2
    -D_FILE_OFFSET_BITS=64 -g -Wall -Wl,-Bsymbolic-functions
    -Wl,-z,relro -Lyes/lib -lssl -lcrypto -lz -ldl -lz -lidn -lrt
    ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a

Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.
siphjand@Appollon:~ :) 

@siffiejoe
Contributor

Somehow my wget picks up the correct certificate ...

siffiejoe@Merkur:~ :) LANGUAGE=en_US.UTF8 wget -d -c https://luarocks.org/
Setting --continue (continue) to 1
DEBUG output created by Wget 1.16.1 on linux-gnu.

URI encoding = ‘UTF-8’
--2016-01-25 02:23:42--  https://luarocks.org/
Resolving luarocks.org (luarocks.org)... 45.33.61.132
Caching luarocks.org => 45.33.61.132
Connecting to luarocks.org (luarocks.org)|45.33.61.132|:443... connected.
Created socket 3.
Releasing 0x000055ed590ad3d0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x000055ed590ad640
certificate:
  subject: CN=www.luarocks.org,OU=PositiveSSL,OU=Domain Control Validated
  issuer:  CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
X509 certificate successfully verified and matches host luarocks.org

---request begin---
...

@jcgoble3
Contributor Author

Ubuntu 12.04 is what's used by Travis CI, so that seems like a likely cause. Perhaps we need to upgrade wget in the apt section of .travis.yml?

(Side note to @siffiejoe: I love the smiley face as a shell prompt. :) )

@daurnimator
Member

Somehow my wget picks up the correct certificate ...

Indeed. Mine does too.


The issue appears to be SNI related.
This (with the -servername) works:

$ openssl s_client -host luarocks.org -port 443 -prexit -showcerts -servername luarocks.org

Looks like the server's default host if no SNI is passed is rocks.moonscript.org.

@daurnimator
Member

IIRC, luasec does not support SNI (see brunoos/luasec#44) for the https module, so this is quite possibly the issue.

As a workaround, I advise @leafo to make luarocks.org the default cert served for that IP.
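
The SNI diagnosis reached in the two comments above can be scripted. This is an added example, not part of the original thread and not LuaRocks code: it compares two `openssl s_client` transcripts, one captured without `-servername` and one with it, and reports whether the server selects its certificate by SNI. The transcripts are constructed samples modelled on the output quoted in this thread, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not LuaRocks code. All function names are hypothetical.

# Constructed sample: s_client run without -servername (default vhost cert).
NO_SNI_SAMPLE='CONNECTED(00000003)
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=rocks.moonscript.org
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
    Verify return code: 10 (certificate has expired)
---'

# Constructed sample: the same host with -servername luarocks.org.
SNI_SAMPLE='CONNECTED(00000003)
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.luarocks.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
    Verify return code: 0 (ok)
---'

# Subject of the leaf certificate, as printed under "Server certificate".
leaf_subject() {
    printf '%s\n' "$1" | sed -n 's/^subject=//p' | head -n 1
}

# Numeric chain verification result (0 = ok, 10 = expired, 20 = no issuer).
verify_code() {
    printf '%s\n' "$1" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# $1: transcript captured without SNI, $2: transcript captured with SNI.
diagnose_sni() {
    plain_subject=$(leaf_subject "$1")
    sni_subject=$(leaf_subject "$2")
    plain_rc=$(verify_code "$1")
    sni_rc=$(verify_code "$2")
    if [ -z "$plain_subject" ] || [ -z "$sni_subject" ]; then
        echo "incomplete-transcript"
    elif [ "$plain_subject" != "$sni_subject" ]; then
        # Clients that omit SNI are served the default virtual host's
        # certificate, so they fail even though browsers succeed.
        echo "sni-dependent default_verify=$plain_rc sni_verify=$sni_rc"
    else
        echo "same-certificate default_verify=$plain_rc sni_verify=$sni_rc"
    fi
}

# Live capture. OpenSSL 1.1.1 and later send SNI by default, so the no-SNI
# probe needs -noservername; the 1.0.x builds seen in this thread omit SNI
# unless -servername is given and do not accept -noservername.
probe() {
    plain=$(openssl s_client -connect "$1:443" -noservername </dev/null 2>/dev/null)
    sni=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
    diagnose_sni "$plain" "$sni"
}

# Run the diagnosis on the constructed samples.
diagnose_sni "$NO_SNI_SAMPLE" "$SNI_SAMPLE"
```

`s_client` does not check the hostname unless asked to, so a `default_verify=0` result on a differing subject still means non-SNI clients receive a certificate for another name.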

@siffiejoe
Contributor

In the meantime curl seems to work fine on my 12.04 Ubuntu box:

siphjand@Appollon:~ :) LANGUAGE=en_US.UTF8 curl -f -s -S -L https://luarocks.org/ >index.html
siphjand@Appollon:~ :) 

@leafo
Contributor

leafo commented Jan 25, 2016

I updated the nginx config on the site to use luarocks.org as the default server.

@mpeterv
Contributor

mpeterv commented Jan 25, 2016

Thanks @leafo. The build now passes, the second commit adding ca-certificates is not needed.

@jcgoble3
Contributor Author

I'd remove that commit, but I don't know how to revert a commit once it's been pushed. (I'm not very knowledgeable about the advanced aspects of Git.) How do I remove the commit from GitHub?

@mpeterv
Contributor

mpeterv commented Jan 25, 2016

@jcgoble3 try git reset --hard HEAD^ to delete commit locally, git push origin --force jcgoble3/url-update to delete it on GitHub.

@jcgoble3
Contributor Author

Done, and Travis just threw the same error again. :/

@mpeterv
Contributor

mpeterv commented Jan 25, 2016

It just reused the old result. Restarted.

@jcgoble3
Contributor Author

Yay! Thank you to @daurnimator for identifying the problem and @leafo for fixing the server. :D

mpeterv added a commit that referenced this pull request Jan 25, 2016
Update repo URLs to luarocks.org instead of rocks.moonscript.org
@mpeterv mpeterv merged commit 102a2be into luarocks:master Jan 25, 2016
@ignacio
Contributor

ignacio commented Jan 25, 2016

Well thank you all. I've learnt some new stuff about certificates.
