Certificate error when downloading from github

[alexjj]

I had to use --no-check-certificate to run the script due to the error:

WARNING: certificate common name *.a.ssl.fastly.net' doesn't match requested host nameraw.github.com'.

[thegyppo]

Hey Alex, we're aware of this issue. Happens with some hosts that can't validate the certificate for some reason.

It's highly likely we won't be building a fix into the script since we're technically bypassing the security option without prompting the user. Or we may have an option where the user can type Y to bypass or something like that.

[alexjj]

The important thing is you know about it, so that's good.

On 7 February 2013 04:11, Stuart McKeown [email protected] wrote:

Hey Alex, we're aware of this issue. Happens with some hosts that can't
validate the certificate for some reason.

It's highly likely we won't be building a fix into the script since we're
technically bypassing the security option without prompting the user. Or we
may have an option where the user can type Y to bypass or something like
that.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/4#issuecomment-13220845.

Alex Johnstone

[ponny]

What distro are you using? Perhaps this is the issue: https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=903756

If they don't get a fix in soon enough, I might have to switch the script url back to curl.

[alexjj]

Ubuntu 11.10. I also used it on 12.04 and it was fine.

On 7 February 2013 13:08, John Sherwood [email protected] wrote:

What distro are you using? Perhaps this is the issue:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=903756

If they don't get a fix in soon enough, I might have to switch the script
url back to curl.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/4#issuecomment-13234985.

Alex Johnstone

[fny]

It's highly likely we won't be building a fix into the script since we're technically bypassing the security option without prompting the user. Or we may have an option where the user can type Y to bypass or something like that.

👍 to a yes option. The security concern seems moot given the current implementation of require_download:

...
wget --no-check-certificate -q --no-check-certificate -O - $3 | tar -xzf -
# Two --no-check-certificates?!
...

Possible Fixes for Wget Issues

1. Make sure you have the root certificate authorities installed. Debian-based distros can use: sudo apt-get install ca-certificates. Note that the benchmark scripts dependencies requires the openssl package which in turn will install ca-certificates as a suggested package.
   Alternatively, the CURL guys also have a certificate bundle you can install that they've made from Mozilla:

   pushd /usr/ssl/certs
   curl http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1}     {print > "cert" n ".pem"}'
   c_rehash

2. If that doesn't work, it may be a bug in your distro's wget release. There are several bug reports related to the issue.
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409938
   https://bugzilla.redhat.com/show_bug.cgi?id=674186
   https://bugzilla.redhat.com/show_bug.cgi?id=736445
   https://bugzilla.redhat.com/show_bug.cgi?id=903756

   The bug originally showed up in wget v1.10.2 and should have been corrected in v1.13