getnonfreefonts: tug.org certificate errors
tkacvins at gmail.com
Sun Nov 7 00:31:50 CET 2021
On Sat, Nov 6, 2021 at 6:50 PM Tom Kacvinsky <tkacvins at gmail.com> wrote:
> On Sat, Nov 6, 2021 at 6:22 PM Karl Berry <karl at freefriends.org> wrote:
>> | Resolving www.tug.org... 22.214.171.124
>> | Connecting to www.tug.org|126.96.36.199|:443... connected.
>> | ERROR: The certificate of 'www.tug.org' is not trusted.
>> | ERROR: The certificate of 'www.tug.org' has expired.
>> | ! Error: Can't execute wget.
>> To the best of my knowledge, the certificates on the user's machine have
>> to be updated. It's a network-wide issue, not related to tug.org or
>> Here is a brief description and some further references:
> I tried building the latest wget with the latest OpenSSL 1.1.1,
> with the appropriate flags already set in the wget openssl support
> code. That is, X509_VERIFY_PARAM_set_flags is called with the param
> X509_V_FLAG_TRUSTED_FIRST, but this did not take. I now get this
> Resolving www.tug.org (www.tug.org)... 188.8.131.52
> Connecting to www.tug.org (www.tug.org)|184.108.40.206|:443... connected.
> ERROR: The certificate of 'www.tug.org' is not trusted.
> ERROR: The certificate of 'www.tug.org' has expired.
> So the OpenSSL docs on how to work around this seem to be emitting
> bogons. Will look at it some more because it seems for this use case,
> the weak link is the client code (in this case, wget),
I made an oopsie in my configure of wget - I was still using GnuTLS instead
Now I have it configured with OpenSSL and get something a _little_ better
athena:~ tjk$ sudo getnonfreefonts --sys
Resolving www.tug.org (www.tug.org)... 220.127.116.11
Connecting to www.tug.org (www.tug.org)|18.104.22.168|:443... connected.
ERROR: cannot verify www.tug.org's certificate, issued by 'CN=R3,O=Let\'s
Unable to locally verify the issuer's authority.
To connect to www.tug.org insecurely, use `--no-check-certificate'.
! Error: Can't execute wget.
I am not sure how I can change the certificate chain that is used by
OpenSSL as I don't think it uses the macOS system certificate chain.
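A way to check the question the message ends on, namely which trust store an OpenSSL build actually reads (an added example, not part of the original thread): it reports the CA file and directory OpenSSL consults, including the environment-variable overrides, and lists trust anchors that have expired. It inspects the OpenSSL that Python's `ssl` module is linked against, which is an assumption and may not be the library wget was built with; the sample certificates are constructed.

```python
import os
import ssl
import time

# Constructed sample in the shape returned by SSLContext.get_ca_certs().
SAMPLE_CA_CERTS = [
    {"subject": ((("organizationName", "Example Trust"),),
                 (("commonName", "Example Expired Root"),)),
     "notAfter": "Jan  1 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "Example Current Root"),),),
     "notAfter": "Jan  1 00:00:00 2040 GMT"},
]

def openssl_trust_locations(environ=None):
    """Report the CA file and directory this OpenSSL build will consult."""
    env = os.environ if environ is None else environ
    d = ssl.get_default_verify_paths()
    # SSL_CERT_FILE / SSL_CERT_DIR override the compiled-in defaults.
    cafile = env.get(d.openssl_cafile_env, d.openssl_cafile)
    capath = env.get(d.openssl_capath_env, d.openssl_capath)
    return {
        "cafile_env": d.openssl_cafile_env,
        "cafile": cafile,
        "cafile_exists": os.path.isfile(cafile),
        "capath_env": d.openssl_capath_env,
        "capath": capath,
        # The directory setting may be a list separated by os.pathsep.
        "capath_exists": any(os.path.isdir(p) for p in capath.split(os.pathsep)),
    }

def expired_anchors(ca_certs, now=None):
    """Return the common names of trust anchors whose notAfter has passed."""
    now = time.time() if now is None else now
    expired = []
    for cert in ca_certs:
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            subject = dict(rdn[0] for rdn in cert["subject"])
            expired.append(subject.get("commonName", "<no commonName>"))
    return expired

if __name__ == "__main__":
    for key, value in openssl_trust_locations().items():
        print(f"{key}: {value}")
    ctx = ssl.create_default_context()  # loads the default CA file
    print("expired anchors loaded:", expired_anchors(ctx.get_ca_certs()))
    print("constructed sample:", expired_anchors(SAMPLE_CA_CERTS))
```

Certificates stored only in the CA directory are loaded on demand during a handshake, so `get_ca_certs()` lists the contents of the CA file but not of the directory.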
More information about the tex-live