certificate concern #1460

Open
msliczniak opened this issue Sep 19, 2013 · 5 comments

@msliczniak msliczniak commented Sep 19, 2013

$ wget https://yt-dl.org/downloads/2013.09.17/youtube-dl -O youtube-dl-bin.py
--2013-09-19 16:42:22-- https://yt-dl.org/downloads/2013.09.17/youtube-dl
Resolving yt-dl.org (yt-dl.org)... 95.143.172.170, 2001:1a50:11:0:5f:8f:acaa:177
Connecting to yt-dl.org (yt-dl.org)|95.143.172.170|:443... connected.
ERROR: cannot verify yt-dl.org's certificate, issued by `/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA':
  Unable to locally verify the issuer's authority.
ERROR: no certificate subject alternative name matches requested host name `yt-dl.org'.
To connect to yt-dl.org insecurely, use `--no-check-certificate'.

$ wget --version
GNU Wget 1.13.4 built on freebsd8.3.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl

Contributor

@phihag phihag commented Sep 21, 2013

The root CA is StartCom, which your system doesn't trust. I'll look into alternative certificates. We picked StartCom because it is simple, free and widely distributed.

Contributor

@ocisly ocisly commented May 26, 2014

@phihag is this still an issue since the switch to GlobalSign?

Author

@msliczniak msliczniak commented Jun 5, 2014

Yes still an issue with wget, curl works:

$ wget https://yt-dl.org/downloads/2014.06.04/youtube-dl -O youtube-dl
--2014-06-05 12:47:58-- https://yt-dl.org/downloads/2014.06.04/youtube-dl
Resolving yt-dl.org (yt-dl.org)... 95.143.172.170, 2001:1a50:11:0:5f:8f:acaa:177
Connecting to yt-dl.org (yt-dl.org)|95.143.172.170|:443... connected.
ERROR: cannot verify yt-dl.org's certificate, issued by `/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2':
  Unable to locally verify the issuer's authority.
ERROR: no certificate subject alternative name matches requested host name `yt-dl.org'.
To connect to yt-dl.org insecurely, use `--no-check-certificate'.

Do you use a CDN possibly? I converted the crt bundle that curl uses into a directory of pem files ( http://www.bsdtips.org/index.php/Split_PEM_certs ) with the names hashed appropriately, used --ca-directory= to point wget at it, and even verified with truss that the correct pem file is opened and read, yet it still fails with the above error. So check your SAN and CN in your cert?

Author

@msliczniak msliczniak commented Jun 5, 2014

Here's an example showing success for this very https url:

$ wget --verbose --ca-directory=pwd/pem '#1460' -O 1460.wget
--2014-06-05 14:00:12-- #1460
Resolving github.com (github.com)... 192.30.252.129
Connecting to github.com (github.com)|192.30.252.129|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45586 (45K) [text/html]
Saving to: `1460.wget'

100%[======================================>] 45,586 --.-K/s in 0.04s

2014-06-05 14:00:12 (1.03 MB/s) - `1460.wget' saved [45586/45586]

$ grep 'Yes still an' 1460.wget

Yes still an issue with wget, curl works:


@mpenkov mpenkov commented Aug 4, 2018

It's been a while... @msliczniak Could you please confirm that this is still an issue?
