[solved] [wget] certificate problem - still apparent


Postby keithspg » Wed Jan 25, 2023 12:07 am

I notice this with wget when I try to go to an https site on armv7. I have no issues on aarch64. Both use the same version of wget 1.21.3-1. I posted to the wget mailing list to see if I could figure out how to help, but this is beyond my capabilities. In the meantime, up till recently, I had a patch that I could apply that allowed wget to use a certificate, but no more.
aarch64:
```
# wget --force-html --spider --connect-timeout=1 --timeout=10 --tries=2 https://www.google.com
Spider mode enabled. Check if remote file exists.
--2023-01-24 17:43:24-- https://www.google.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.google.com (www.google.com)... 142.250.190.132, 2607:f8b0:4009:802::2004
Connecting to www.google.com (www.google.com)|142.250.190.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.
# pacman -Q | grep wget
wget 1.21.3-1
```
armv7:
```
# wget --force-html --spider --connect-timeout=1 --timeout=10 --tries=2 https://www.google.com
Spider mode enabled. Check if remote file exists.
--2023-01-24 17:42:38-- https://www.google.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.google.com (www.google.com)... 142.250.190.132, 2607:f8b0:4009:802::2004
Connecting to www.google.com (www.google.com)|142.250.190.132|:443... connected.
The certificate has not yet been activated
The certificate has expired
# pacman -Q | grep wget
wget 1.21.3-1
```
The time shows as synced on both machines. Back in June 2022, the wget group responded saying there is some sort of 64 bit 32 bit time mismatch in one of the libraries wget uses.
```
So it will be some glitch between wget sources, wget configure scripts, and Arch toolchain (compiler and libc). It's also possible that toolchains there default to a different ABI with variables (int, time_t, long int, etc.) of different size.
```
Back in June, if I used this patch and built wget, I was able to interact with https sites, though this patch was identified as 'works but wrong':
```
diff -ru wget-1.21.3.org/src/gnutls.c wget-1.21.3/src/gnutls.c
--- wget-1.21.3.org/src/gnutls.c 2022-02-26 15:47:42.000000000 +0100
+++ wget-1.21.3/src/gnutls.c 2022-06-21 20:51:40.244552644 +0200
@@ -1085,7 +1085,7 @@
logprintf (LOG_NOTQUIET, _("The certificate has not yet been activated\n"));
success = false;
}
- if (now >= gnutls_x509_crt_get_expiration_time (cert))
+ if (now >= (unsigned long) gnutls_x509_crt_get_expiration_time (cert))
{
logprintf (LOG_NOTQUIET, _("The certificate has expired\n"));
success = false;
```
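Review bot: the `(unsigned long)` cast on the `+` line hides the width problem rather than fixing it. It makes the comparison with `now` unsigned, so an error return of -1 from `gnutls_x509_crt_get_expiration_time` would become the largest unsigned value and the expiry test could never fire, and on a target where `unsigned long` is 32 bits it discards the upper half of the returned value. The activation-time check whose `logprintf` appears in the context lines above is left untouched, so the two tests now treat the same kind of value differently. Suggest dropping the cast, making the caller and the library agree on the width of the time value, and checking for the error return explicitly before comparing.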
If I build today with this patch, I get 6 failed tests so I need to build it without running the tests (comment this section of the PKGBUILD) and when I install the resulting binary, wget still does not work with https:
```
# wget --force-html --spider --connect-timeout=1 --timeout=10 --tries=2 https://www.google.com
Spider mode enabled. Check if remote file exists.
--2023-01-24 18:44:56-- https://www.google.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.google.com (www.google.com)... 142.250.190.36, 2607:f8b0:4009:802::2004
Connecting to www.google.com (www.google.com)|142.250.190.36|:443... connected.
The certificate has not yet been activated
```
With his patch, I get 'not yet been activated'; with the default package, I got this *and* 'expired'...

Confused
Last edited by keithspg on Thu Feb 16, 2023 11:20 pm, edited 1 time in total.
keithspg
 
Posts: 221
Joined: Mon Feb 23, 2015 4:14 pm

Re: [wget] certificate problem - still apparent

Postby MastaG » Thu Jan 26, 2023 5:23 pm

MastaG
 
Posts: 10
Joined: Tue Jan 03, 2023 10:36 pm

Re: [wget] certificate problem - still apparent

Postby keithspg » Tue Jan 31, 2023 1:50 pm

@MastaG Thanks for looking into this. I just checked and I am already running this version of gnutls. I am up to date on all packages including these:
```
wget 1.21.3-1
gnutls 3.7.8-4
```
I still get this on armv7:
```
# wget --force-html --spider --connect-timeout=1 --timeout=10 --tries=2 https://www.google.com
Spider mode enabled. Check if remote file exists.
--2023-01-31 07:49:04-- https://www.google.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.google.com (www.google.com)... 142.250.191.132, 2607:f8b0:4009:802::2004
Connecting to www.google.com (www.google.com)|142.250.191.132|:443... connected.
The certificate has not yet been activated
The certificate has expired
```
keithspg
 
Posts: 221
Joined: Mon Feb 23, 2015 4:14 pm

Re: [wget] certificate problem - still apparent

Postby keithspg » Wed Feb 01, 2023 3:44 am

gnutls just updated again and still apparent:
```
# wget --force-html --spider --connect-timeout=1 --timeout=10 --tries=2 https://www.google.com
Spider mode enabled. Check if remote file exists.
--2023-01-31 21:39:21-- https://www.google.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.google.com (www.google.com)... 142.250.191.132, 2607:f8b0:4009:802::2004
Connecting to www.google.com (www.google.com)|142.250.191.132|:443... connected.
The certificate has not yet been activated
The certificate has expired
```
versions:
```
ca-certificates 20220905-1
ca-certificates-mozilla 3.87-1
ca-certificates-utils 20220905-1
glibc 2.35-5.1
gnutls 3.7.8-5
util-linux 2.38.1-1
util-linux-libs 2.38.1-1
wget 1.21.3-1
```
keithspg
 
Posts: 221
Joined: Mon Feb 23, 2015 4:14 pm

Re: [wget] certificate problem - still apparent

Postby keithspg » Wed Feb 01, 2023 2:08 pm

Also, wget will not build on aarch64 nor armv7 with the default PKGBUILD file referred to here:
https://archlinuxarm.org/packages/armv7h/wget
To get it to build a package, you must comment out the tests, as a number fail and the package is not created. On armv7 it is this:
```
============================================================================
Testsuite summary for wget 1.21.3
============================================================================
# TOTAL: 94
# PASS: 82
# SKIP: 1
# XFAIL: 0
# FAIL: 11
# XPASS: 0
# ERROR: 0
```
The failed tests on armv7h are:
```
FAIL: Test-ftp-iri.px
FAIL: Test-ftp-iri-fallback.px
FAIL: Test-ftp-iri-recursive.px
FAIL: Test-ftp-iri-disabled.px
FAIL: Test-iri-disabled.px
FAIL: Test-iri-list.px
FAIL: Test-https-pfs.px
FAIL: Test-https-tlsv1.px
FAIL: Test-https-tlsv1x.px
FAIL: Test-https-crl.px
FAIL: Test-https-clientcert.px
```
On aarch64, there are fewer FAILs, but it still does not build a package due to failed tests. To build the package on either architecture, I commented out the tests and tried the patch I listed above and that is where I am now.
keithspg
 
Posts: 221
Joined: Mon Feb 23, 2015 4:14 pm

Re: [wget] certificate problem - still apparent

Postby MastaG » Tue Feb 07, 2023 7:43 pm

Well, they didn't merge the request.
So the repo still has a broken build of wget for armv7.
Just use the PKGBUILD from the merge request and build it yourself.
It just adds -D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64 to the cflags.
This shouldn't break for aarch64.

I don't think the maintainers take archlinux arm seriously any longer.
None of the merge requests get reviewed or whatsoever.
Imo you just can't maintain a distribution for a specific architecture that's mostly based around niche products (SBCs etc) and expect all upstream packages to be fully compatible.
Exceptions have to be made.
MastaG
 
Posts: 10
Joined: Tue Jan 03, 2023 10:36 pm
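
How a time_t width mismatch of the kind discussed in this thread can corrupt a certificate validity check, as an added example that is not code from wget, gnutls or any poster here. It assumes a caller built with a 64-bit time_t reading a value returned by a library built with a 32-bit time_t on 32-bit ARM; the function names, timestamps and stale register contents are all constructed.

```c
/* Added example: models, on any host, a 64-bit-time_t caller reading a
   timestamp returned by a 32-bit-time_t library on 32-bit ARM.
   Every name and value here is constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { CERT_OK = 0, CERT_NOT_YET_ACTIVE = 1, CERT_EXPIRED = 2 };

#define NOW        INT64_C(1674600000) /* constructed, late Jan 2023 */
#define NOT_BEFORE INT32_C(1673000000) /* constructed validity start */
#define NOT_AFTER  INT32_C(1680000000) /* constructed validity end */

/* Assumption: the library fills only the low register; the caller reads a
   register pair, so the high 32 bits are whatever was left there. */
static int64_t read_as_time64(int32_t lib_value, uint32_t stale_high)
{
    return (int64_t)(((uint64_t)stale_high << 32) | (uint32_t)lib_value);
}

/* The two tests behind the messages in the thread's wget output. */
static int check_window(int64_t now, int64_t not_before, int64_t not_after)
{
    int flags = CERT_OK;
    if (now < not_before) flags |= CERT_NOT_YET_ACTIVE;
    if (now >= not_after) flags |= CERT_EXPIRED;
    return flags;
}

static int simulate(bool same_width, bool cast_patch)
{
    /* Constructed stale register contents; zero when both sides agree. */
    uint32_t high_nb = same_width ? 0u : 0x00000001u;
    uint32_t high_na = same_width ? 0u : 0xffffffffu;
    int64_t nb = read_as_time64(NOT_BEFORE, high_nb);
    int64_t na = read_as_time64(NOT_AFTER, high_na);
    if (cast_patch)
        na = (int64_t)(uint32_t)na; /* unsigned long is 32 bits on armv7 */
    return check_window(NOW, nb, na);
}

int main(void)
{
    printf("matching widths:   %d\n", simulate(true, false));
    printf("mismatched:        %d\n", simulate(false, false));
    printf("mismatched + cast: %d\n", simulate(false, true));
    return 0;
}
```

Under these assumptions the third case shows why a 32-bit cast on the expiry comparison alone would clear only the "expired" message: truncation repairs that one comparison while the activation check still reads stale upper bits.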

Re: [wget] certificate problem - still apparent

Postby solskogen » Tue Feb 07, 2023 8:57 pm

The thing that makes me sad is that a lot of people are trying to help, but there's no response :(
solskogen
 
Posts: 161
Joined: Mon Nov 18, 2013 10:41 am

Re: [wget] certificate problem - still apparent

Postby keithspg » Tue Feb 14, 2023 7:01 pm

Just to make sure I understand: do nothing to wget, but add the one flag to the PKGBUILD for gnutls, build gnutls and install it and it should work?

Keith
keithspg
 
Posts: 221
Joined: Mon Feb 23, 2015 4:14 pm

Re: [wget] certificate problem - still apparent

Postby keithspg » Thu Feb 16, 2023 6:23 am

I confirm that this fixes armv7 wget on rpi.
```
# wget --force-html --spider --connect-timeout=1 --timeout=10 --tries=2 https://www.google.com
Spider mode enabled. Check if remote file exists.
--2023-02-16 00:22:28-- https://www.google.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.google.com (www.google.com)... 142.250.190.4, 2607:f8b0:4009:802::2004
Connecting to www.google.com (www.google.com)|142.250.190.4|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.
```
Thanks for the help. Now, hopefully, it gets into the repos...
keithspg
 
Posts: 221
Joined: Mon Feb 23, 2015 4:14 pm

Re: [wget] certificate problem - still apparent

Postby solskogen » Thu Feb 16, 2023 8:27 am

It should be there now!
solskogen
 
Posts: 161
Joined: Mon Nov 18, 2013 10:41 am
