wget says The certificate has expired

This forum is for discussion about general software issues.

Re: wget says The certificate has expired

Postby keithspg » Tue Jun 28, 2022 1:03 pm

Well, I dug a bit deeper. Strange that the PKGBUILD does not build properly on any Arch ARM architecture (armv7 or aarch64). When I fire up a fresh RPi image, wget works as expected. Do not know what is wrong, but it does not seem to be right...

$this->bbcode_second_pass_code('', 'pi@raspberrypi:~ $ wget --force-html --spider --connect-timeout=1 --timeout=10 --tries=2 https://www.google.com/
Spider mode enabled. Check if remote file exists.
--2022-06-28 13:59:39-- https://www.google.com/
Resolving www.google.com (www.google.com)... 142.250.190.100, 2607:f8b0:4009:805::2004
Connecting to www.google.com (www.google.com)|142.250.190.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

pi@raspberrypi:~ $ uname -a
Linux raspberrypi 5.15.32-v7+ #1538 SMP Thu Mar 31 19:38:48 BST 2022 armv7l GNU/Linux')

hopefully a dev will see this.
keithspg
 
Posts: 221
Joined: Mon Feb 23, 2015 4:14 pm

Re: wget says The certificate has expired

Postby keithspg » Wed Jun 29, 2022 1:19 am

@graysky Do you have any ideas why wget does not build properly from the PKGBUILD on any arch arm and specifically the armv7?
I just built it on RPiOS on armv7 and it builds fine and has no test errors. When I replace the binary on my running armv7 image from with the binary I built on RPiOS (/usr/bin/wget) and add a soft link to libpcre.so.3, ( $this->bbcode_second_pass_code('', 'ln -s /usr/lib/libpcre.so /usr/lib/libpcre.so.3')) I am able to get the command I am running to complete:
$this->bbcode_second_pass_code('', '# wget --force-html --spider --connect-timeout=1 --timeout=10 --tries=2 https://www.google.com/
Spider mode enabled. Check if remote file exists.
--2022-06-28 20:07:31-- https://www.google.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.google.com (www.google.com)... 142.251.32.4, 2607:f8b0:4009:806::2004
Connecting to www.google.com (www.google.com)|142.251.32.4|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.')
With the default Arch version of wget it says $this->bbcode_second_pass_code('', 'The certificate has expired')
I looked at the build requirements in the PKGBUILD and it all seems to be the same between Arch Arm and RPiOS. To build it complete on RPiOS and have it pass all the tests, I had to install these packages on RPiOS:
$this->bbcode_second_pass_code('', 'sudo apt install debhelper pkg-config gettext texinfo libidn2-0-dev uuid-dev libpsl-dev libpcre3-dev automake libssl-dev dh-strip-nondeterminism')

Keith
keithspg
 
Posts: 221
Joined: Mon Feb 23, 2015 4:14 pm

[wget] will not compile from PKGBUILD

Postby keithspg » Fri Jul 01, 2022 2:50 pm

I posted this a couple other places around here on arch arm and ran around chasing strings for a couple weeks. There seems to be a deeper library or gcc issue or something on RPi armv7 than the patch posted here: https://archlinuxarm.org/forum/viewtopic.php?f=57&t=16070#p69628. Wget keeps saying the certificates are invalid on armv7 though they are totally fine. The clock is set and synced but if I issue a wget command:
$this->bbcode_second_pass_code('', 'wget --force-html --spider --connect-timeout=1 --timeout=10 --tries=2 https://www.google.com/')
I get $this->bbcode_second_pass_code('', 'certificate has expired') instead of $this->bbcode_second_pass_code('', 'HTTP request sent, awaiting response... 200 OK')
A poster was able to make a patch that casts teh time as 64 bit for the build of wget and it no longer exhibits this error, but neither of us in that thread feel this is the 'right answer'
I did a bit of digging and when I make a clean RPiOS armv7 image and build wget on that image from source using the Arch build flags, it builds correctly, passes all tests and works properly when inserted onto the running Arch Arm armv7 image as well as on the RPiOS image. I did notice that when ./configure is run with the latest wget repo, it deals with the 64 bit time differently between Arch ARM compared to RPiOS when it is configured.
If you add the armv7 architecture to the PKGBUILD (like many packages brought across from x86_64 Arch) and run 'makepkg', you will see what happens. It will not build the package unless all the tests are passed. On x86 and on armv7 RPiOS, it passes all tests. On Arch ARM aarch64 it fails 6 tests and on arch armv7 it fails 11. If I can help more, please let me know.

Keith
keithspg
 
Posts: 221
Joined: Mon Feb 23, 2015 4:14 pm

Re: [wget] will not compile from PKGBUILD

Postby keithspg » Wed Jul 27, 2022 10:12 pm

Is this the wrong forum? Do I need to provide more info? This problem results in a wget binary which will not 'get' an https web page. The time comparison is invalid and wget will not 'get' the w. This failure is apparent on armv7h and not on aarch64. Neither Arch Arm architectures will build the default PKGBUILD. When I try to compile, a number of tests are not passed and makepkg will not create the package. I have an arch and RPiOS build environment set up and can provide feedback and test solutions. On my build rig, I am using the linux-rpi kernel. Is that a problem? I have never failed to build any otehr package with this kernel. How can I resolve this problem?

Gearhead
keithspg
 
Posts: 221
Joined: Mon Feb 23, 2015 4:14 pm

Re: wget says The certificate has expired

Postby ChliHug » Thu Aug 04, 2022 4:48 pm

Uhm. Is wget built with _TIME_BITS=64 while gnutls is defaulting to 32 bits?

This seems like a potential security issue.

I added --disable-year2038 to the wget configure and that fixed the issue as well.
ChliHug
 
Posts: 1
Joined: Thu Aug 04, 2022 4:18 pm

Re: [wget] will not compile from PKGBUILD

Postby Mettacrawler » Fri Aug 05, 2022 11:31 pm

This worked for me.
$this->bbcode_second_pass_code('', '$ diff -u wget/PKGBUILD PKGBUILD
--- wget/PKGBUILD 2022-03-23 19:51:47.000000000 -0400
+++ PKGBUILD 2022-08-05 19:29:03.246308215 -0400
@@ -6,7 +6,7 @@
pkgrel=1
pkgdesc='Network utility to retrieve files from the Web'
url='https://www.gnu.org/software/wget/wget.html'
-arch=('x86_64')
+arch=('armv7h')
license=('GPL3')
depends=('glibc' 'zlib' 'gnutls' 'libidn2' 'libidn2.so' 'util-linux-libs' 'libuuid.so'
'libpsl' 'libpsl.so' 'pcre2' 'nettle' 'libnettle.so')
@@ -40,7 +40,8 @@
--sysconfdir=/etc \
--disable-rpath \
--enable-nls \
- --with-ssl=gnutls
+ --with-ssl=gnutls \
+ --disable-year2038
make
}
')
I did not patch the wget gnutls.c
Mettacrawler
 
Posts: 56
Joined: Sun Mar 18, 2018 7:19 pm

Re: wget says The certificate has expired

Postby zebul666 » Thu Aug 11, 2022 12:51 am

Yes. It is related to time_t using _TIME_BITS=64 for wget but the latter is not defined when building gnutls.

I rebuilt gnutls (3.7.7) with $this->bbcode_second_pass_code('', '-D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64') and it's ok. (you have to disable check(); make check fails)
and wget does not see expired certificate anymore on armv7h

I don't know if there is a way to patch wget to fix the different size of time_t between wget and gnutls functions. But that would be more of a hack. gnutls better be build with those options
Attachments
0001-Build-with-_TIME_BITS-64.patch
(1.66 KiB) Downloaded 376 times
zebul666
 
Posts: 48
Joined: Fri Jul 10, 2015 4:55 pm

Re: wget says The certificate has expired

Postby bittin » Wed Aug 31, 2022 11:20 am

Have this problem too :(
bittin
 
Posts: 16
Joined: Wed Dec 02, 2020 2:59 pm

Re: [wget] will not compile from PKGBUILD

Postby infrareddude » Fri Sep 02, 2022 11:24 pm

Dropped in to say I have the same issue and none of these configure options or gnutls.c code changes seem to work for me. I suspect wget was picking up system gnutls lib installed? It still failed, I had to compile wget with openssl to get it to work.

However, the problem is bigger than wget. Browsing the web (in X) is completely broken. No https sites will load no matter what.
infrareddude
 
Posts: 5
Joined: Fri Sep 02, 2022 11:22 pm

Re: wget says The certificate has expired

Postby infrareddude » Fri Sep 02, 2022 11:25 pm

Dropped in to say I have the same issue and none of these configure options or gnutls.c code changes seem to work for me. I suspect wget was picking up system gnutls lib installed? It still failed, I had to compile wget with openssl to get it to work.

However, the problem is bigger than wget. Browsing the web (in X) is completely broken. No https sites will load no matter what.
infrareddude
 
Posts: 5
Joined: Fri Sep 02, 2022 11:22 pm

PreviousNext

Return to General

Who is online

Users browsing this forum: No registered users and 5 guests