<div dir="ltr"><div dir="ltr"><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace"><br></font></div><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace"><br></font><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace">On Sat, Nov 6, 2021 at 6:22 PM Karl Berry <<a href="mailto:karl@freefriends.org">karl@freefriends.org</a>> wrote:<br></font></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace">     | Resolving www.tug.org... 94.23.251.76<br>
     | Connecting to <a href="http://www.tug.org" rel="noreferrer" target="_blank">www.tug.org</a>|94.23.251.76|:443... connected.<br>
     | ERROR: The certificate of '<a href="http://www.tug.org" rel="noreferrer" target="_blank">www.tug.org</a>' is not trusted.<br>
     | ERROR: The certificate of '<a href="http://www.tug.org" rel="noreferrer" target="_blank">www.tug.org</a>' has expired.<br>
     | ! Error: Can't execute wget.<br>
<br>
To the best of my knowledge, the certificates on the user's machine have<br>
to be updated. It's a network-wide issue, not related to <a href="http://tug.org" rel="noreferrer" target="_blank">tug.org</a> or<br>
getnonfreefonts.<br>
<br>
Here is a brief description and some further references:<br>
<a href="https://savannah.nongnu.org/forum/forum.php?forum_id=10054" rel="noreferrer" target="_blank">https://savannah.nongnu.org/forum/forum.php?forum_id=10054</a></font></blockquote><div><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace"><br></font></div><div><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace">I tried building the latest wget with the latest OpenSSL 1.1.1,</font></div><div><font color="#000000" style="background-color:rgb(255,255,255)" face="monospace">with the </font><span style="color:rgb(0,0,0);font-family:monospace">appropriate flags already set in the wget openssl support</span></div><div><span style="color:rgb(0,0,0);font-family:monospace">code.  That </span><font color="#000000" style="font-family:monospace">is, X509_VERIFY_PARAM_set_flags is called with </font><span style="font-family:monospace;color:rgb(0,0,0)">the param</span></div><div><span style="color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures"><font face="monospace">X509_V_FLAG_TRUSTED_FIRST, but this did not take.  I now get </font></span><span style="font-family:monospace;color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures">this</span></div><div><span style="font-family:monospace;color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures">instead:</span></div><div><span style="color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures"><font face="monospace"><br></font></span></div><div>





<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace">SSL_INIT</font></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace">Resolving <a href="http://www.tug.org">www.tug.org</a> (<a href="http://www.tug.org">www.tug.org</a>)... 94.23.251.76</font></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace">Connecting to <a href="http://www.tug.org">www.tug.org</a> (<a href="http://www.tug.org">www.tug.org</a>)|94.23.251.76|:443... connected.</font></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace">ERROR: The certificate of '<a href="http://www.tug.org">www.tug.org</a>' is not trusted.</font></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace">ERROR: The certificate of '<a href="http://www.tug.org">www.tug.org</a>' has expired.</font></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace"><br></font></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace">So the OpenSSL docs on how to work around this seem to be emitting</font></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace">bogons.  
Will look at it some more because it seems for this use case,</font></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace">the weak link is the client code (in this case, wget).</font></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace"><br></font></span></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><font face="monospace">Tom</font></span></p></div><div><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px"><br></span></div></div></div>