<div dir="ltr"><div dir="ltr"></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Nov 6, 2021 at 6:50 PM Tom Kacvinsky <<a href="mailto:tkacvins@gmail.com" target="_blank">tkacvins@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace"><br></font></div><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace"><br></font><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace">On Sat, Nov 6, 2021 at 6:22 PM Karl Berry <<a href="mailto:karl@freefriends.org" target="_blank">karl@freefriends.org</a>> wrote:<br></font></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace">     | Resolving www.tug.org... 94.23.251.76<br>
     | Connecting to <a href="http://www.tug.org" rel="noreferrer" target="_blank">www.tug.org</a>|94.23.251.76|:443... connected.<br>
     | ERROR: The certificate of '<a href="http://www.tug.org" rel="noreferrer" target="_blank">www.tug.org</a>' is not trusted.<br>
     | ERROR: The certificate of '<a href="http://www.tug.org" rel="noreferrer" target="_blank">www.tug.org</a>' has expired.<br>
     | ! Error: Can't execute wget.<br>
<br>
To the best of my knowledge, the certificates on the user's machine have<br>
to be updated. It's a network-wide issue, not related to <a href="http://tug.org" rel="noreferrer" target="_blank">tug.org</a> or<br>
getnonfreefonts.<br>
<br>
Here is a brief description and some further references:<br>
<a href="https://savannah.nongnu.org/forum/forum.php?forum_id=10054" rel="noreferrer" target="_blank">https://savannah.nongnu.org/forum/forum.php?forum_id=10054</a></font></blockquote><div><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace"><br></font></div><div><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace">I tried building the latest wget with the latest OpenSSL 1.1.1,</font></div><div><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace">with the </font><span style="color:rgb(0,0,0);font-family:monospace">appropriate flags already set in the wget OpenSSL support</span></div><div><span style="color:rgb(0,0,0);font-family:monospace">code.  That </span><font color="#000000" style="font-family:monospace">is, X509_VERIFY_PARAM_set_flags is called with </font><span style="font-family:monospace;color:rgb(0,0,0)">the param</span></div><div><span style="color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures"><font face="monospace">X509_V_FLAG_TRUSTED_FIRST, but this did not take.  I now get </font></span><span style="font-family:monospace;color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures">this</span></div><div><span style="font-family:monospace;color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures">instead:</span></div><div><span style="color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures"><font face="monospace"><br></font></span></div><div>





<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">SSL_INIT</font></span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">Resolving <a href="http://www.tug.org" target="_blank">www.tug.org</a> (<a href="http://www.tug.org" target="_blank">www.tug.org</a>)... 94.23.251.76</font></span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">Connecting to <a href="http://www.tug.org" target="_blank">www.tug.org</a> (<a href="http://www.tug.org" target="_blank">www.tug.org</a>)|94.23.251.76|:443... connected.</font></span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">ERROR: The certificate of '<a href="http://www.tug.org" target="_blank">www.tug.org</a>' is not trusted.</font></span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">ERROR: The certificate of '<a href="http://www.tug.org" target="_blank">www.tug.org</a>' has expired.</font></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace"><br></font></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">So the OpenSSL docs on how to work around this seem to be emitting</font></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">bogons.  
Will look at it some more because it seems for this use case,</font></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">the weak link is the client code (in this case, wget).</font></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace"><br></font></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">Tom</font></span></p></div></div></div></blockquote><div><br></div><div>I made an oopsie in my configure of wget - I was still using GnuTLS instead of OpenSSL.</div><div>Now I have it configured with OpenSSL and get something a _little_ better:</div><div><br></div>





<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">athena:~ tjk$ sudo getnonfreefonts --sys</span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">--2021-11-06 19:11:33--<span>  </span><a href="https://www.tug.org/~kotucha/getnonfreefonts/getfont.pl" target="_blank">https://www.tug.org/~kotucha/getnonfreefonts/getfont.pl</a></span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Resolving <a href="http://www.tug.org" target="_blank">www.tug.org</a> (<a href="http://www.tug.org" target="_blank">www.tug.org</a>)... 94.23.251.76</span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">Connecting to <a href="http://www.tug.org" target="_blank">www.tug.org</a> (<a href="http://www.tug.org" target="_blank">www.tug.org</a>)|94.23.251.76|:443... connected.</span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">ERROR: cannot verify <a href="http://www.tug.org" target="_blank">www.tug.org</a>'s certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':</span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><span>  </span>Unable to locally verify the issuer's authority.</span></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures">To connect to <a href="http://www.tug.org" target="_blank">www.tug.org</a> insecurely, use `--no-check-certificate'.</span></p>
<div><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px">! Error: Can't execute wget.</span></div><div><br></div><div>I am not sure how I can change the certificate chain that is used by OpenSSL as I don't think</div><div>it uses the macOS system certificate chain.</div><div><br></div><div>Tom</div><div> </div></div></div>
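For the closing question in the message above, an added example (not from the thread and not wget's own code) that reports where an OpenSSL build looks for trust anchors and how many it finds there. The function names are hypothetical, and it assumes the `openssl` on PATH is the same build wget was linked against.

```shell
#!/bin/sh
# Added example: locate the trust store an OpenSSL-linked client consults.

# Pull the directory out of `openssl version -d` output,
# which looks like:  OPENSSLDIR: "/usr/local/ssl"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# OpenSSL's default verify paths: SSL_CERT_FILE / SSL_CERT_DIR override the
# compiled-in $OPENSSLDIR/cert.pem and $OPENSSLDIR/certs.
# $1 = OPENSSLDIR, $2 = SSL_CERT_FILE value, $3 = SSL_CERT_DIR value
resolve_ca_file() { printf '%s\n' "${2:-$1/cert.pem}"; }
resolve_ca_dir()  { printf '%s\n' "${3:-$1/certs}"; }

# Number of PEM certificates in a bundle file (0 if absent or unreadable).
count_pem_certs() {
    if [ -f "$1" ] && [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# "file:N dir:M": N certificates in the CA file, M entries in the CA dir.
store_summary() {
    file=$(resolve_ca_file "$1" "$2" "$3")
    dir=$(resolve_ca_dir "$1" "$2" "$3")
    n=$(count_pem_certs "$file")
    m=0
    if [ -d "$dir" ]; then
        m=$(ls -A "$dir" 2>/dev/null | wc -l | tr -d ' ')
    fi
    printf 'file:%s dir:%s\n' "$n" "$m"
}

# Report for the local build (assumption: this openssl matches wget's).
if command -v openssl >/dev/null 2>&1; then
    odir=$(parse_openssldir "$(openssl version -d)")
    f=${SSL_CERT_FILE:-}; d=${SSL_CERT_DIR:-}
    echo "CA file: $(resolve_ca_file "$odir" "$f" "$d")"
    echo "CA dir:  $(resolve_ca_dir "$odir" "$f" "$d")"
    echo "anchors: $(store_summary "$odir" "$f" "$d")"
fi
```

When both counts are zero the issuer cannot be found locally; wget's `--ca-certificate` and `--ca-directory` options, or the `SSL_CERT_FILE` and `SSL_CERT_DIR` variables, point it at a CA bundle without disabling verification.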