Public bug reported:

This report is for Ubuntu 12.04.4. I observe the problem with wget, git and maybe other utilities. wget helped me to understand this problem. I guess wget is not the troublemaker, but there is a problem in some part related to DNS.

There is some problem (or change) with OpenDNS that I use, and that change has an impact on SSL-related services.

Let's try to download a certificate with wget:

$ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-04-24 13:26:04-- https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234
Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected.
Created socket 3.
Releasing 0x08ca17d8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x08ca1968
certificate:
  subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
  issuer: /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
ERROR: no certificate subject alternative name matches
  requested host name `www.digicert.com'.
To connect to www.digicert.com insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x08ca1968

Notice that wget tries to download the certificate from IPv6 address ::ffff:67.215.65.132; I don't have IPv6 connectivity...

Let's try to get DNS details about www.digicert.com, I use OpenDNS server:

$ host -a www.digicert.com 208.67.222.222
Trying "www.digicert.com"
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.digicert.com. IN ANY

;; ANSWER SECTION:
www.digicert.com. 95 IN A 64.78.193.234
www.digicert.com. 0 IN AAAA ::ffff:67.215.65.132

Received 78 bytes from 208.67.222.222#53 in 62 ms

$ host -t A www.digicert.com 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:

www.digicert.com has address 64.78.193.234

$ host -t AAAA www.digicert.com 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:

www.digicert.com has no AAAA record

From these examples, I assume that record 0 IN AAAA returned by OpenDNS server is not valid and should be ignored. For some reason, wget (and git) tries to use AAAA record to download certificate...

** Affects: wget (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

 This report is for Ubuntu 12.04.4. I observe the problem with wget, git and maybe other utilities. wget helped me to understand this problem. I guess wget is not troublemaker, but there is a problem in somepart related to DNS. There is some problem (or change) with OpenDNS that I use and that change has impact to SSL related services. Lets, try to download a certificate with wget: $ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt DEBUG output created by Wget 1.13.4 on linux-gnu. URI encoding = `UTF-8' --2014-04-24 13:26:04-- https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234 Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234 Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected. Created socket 3. Releasing 0x08ca17d8 (new refcount 1). Initiating SSL handshake. 
Handshake successful; connected socket 3 to SSL handle 0x08ca1968 certificate: - subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com - issuer: /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA + subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com + issuer: /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA ERROR: no certificate subject alternative name matches - requested host name `www.digicert.com'. + requested host name `www.digicert.com'. To connect to www.digicert.com insecurely, use `--no-check-certificate'. Closed 3/SSL 0x08ca1968 Notice, that wget tries to download certificate from IPv6 address ::ffff:67.215.65.132; I don't have IPv6 connectivity... Let's try to get DNS details about www.digicert.com, I use OpenDNS server: $ host -a www.digicert.com 208.67.222.222 Trying "www.digicert.com" Using domain server: Name: 208.67.222.222 Address: 208.67.222.222#53 - Aliases: + Aliases: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17002 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.digicert.com. IN ANY ;; ANSWER SECTION: www.digicert.com. 95 IN A 64.78.193.234 www.digicert.com. 0 IN AAAA ::ffff:67.215.65.132 Received 78 bytes from 208.67.222.222#53 in 62 ms $ host -t A www.digicert.com 208.67.222.222 Using domain server: Name: 208.67.222.222 Address: 208.67.222.222#53 - Aliases: + Aliases: www.digicert.com has address 64.78.193.234 $ host -t AAAA www.digicert.com 208.67.222.222 Using domain server: Name: 208.67.222.222 Address: 208.67.222.222#53 - Aliases: + Aliases: www.digicert.com has no AAAA record - From these examples, I assume that record 0 AAAA returned by OpenDNS + From these examples, I assume that record 0 IN AAAA returned by OpenDNS server is not valid and should be ignored. For some reason, wget (and git) tries to use AAAA record to download certificate... 

https://bugs.launchpad.net/bugs/1312127

Title:
  wget tries to get certificate from wrong server
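
An added example, not part of the original report and not wget's or Launchpad's code: a check over the `host -a` answer section quoted in the report that flags AAAA records carrying an IPv4-mapped address (`::ffff:a.b.c.d`) and says whether the embedded IPv4 address is among the name's A records. The function names are this example's own; the sample input is copied from the report's output.

```python
import ipaddress
import re

# Answer section copied from the `host -a` output quoted in the report.
SAMPLE_ANSWER = """\
www.digicert.com. 95 IN A 64.78.193.234
www.digicert.com. 0 IN AAAA ::ffff:67.215.65.132
"""

RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA)\s+(?P<addr>\S+)\s*$"
)


def parse_answers(text):
    """Return (name, ttl, type, address) tuples for A/AAAA answer lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # ";;" comment lines, blanks, other record types
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue  # unparsable address: skip rather than guess
        records.append((m["name"].lower(), int(m["ttl"]), m["type"], addr))
    return records


def suspicious_aaaa(records):
    """Flag AAAA records whose address is IPv4-mapped (hypothetical helper)."""
    a_by_name = {}
    for name, _ttl, rtype, addr in records:
        if rtype == "A":
            a_by_name.setdefault(name, set()).add(addr)
    findings = []
    for name, ttl, rtype, addr in records:
        if rtype != "AAAA" or addr.version != 6 or addr.ipv4_mapped is None:
            continue
        mapped = addr.ipv4_mapped
        # The wget log in the report shows such an address being connected to.
        findings.append({
            "name": name,
            "mapped_ipv4": str(mapped),
            "ttl": ttl,
            "matches_a_record": mapped in a_by_name.get(name, set()),
        })
    return findings
```

On the report's data, `suspicious_aaaa(parse_answers(SAMPLE_ANSWER))` returns one finding: the mapped address 67.215.65.132 with TTL 0, which does not match the A record 64.78.193.234.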