getnonfreefonts: tug.org certificate errors
Tom Kacvinsky
tkacvins at gmail.com
Sun Nov 7 00:31:50 CET 2021
On Sat, Nov 6, 2021 at 6:50 PM Tom Kacvinsky <tkacvins at gmail.com> wrote:
>
>
> On Sat, Nov 6, 2021 at 6:22 PM Karl Berry <karl at freefriends.org> wrote:
>
>> | Resolving www.tug.org... 94.23.251.76
>> | Connecting to www.tug.org|94.23.251.76|:443... connected.
>> | ERROR: The certificate of 'www.tug.org' is not trusted.
>> | ERROR: The certificate of 'www.tug.org' has expired.
>> | ! Error: Can't execute wget.
>>
>> To the best of my knowledge, the certificates on the user's machine have
>> to be updated. It's a network-wide issue, not related to tug.org or
>> getnonfreefonts.
>>
>> Here is a brief description and some further references:
>> https://savannah.nongnu.org/forum/forum.php?forum_id=10054
>
>
> I tried building the latest wget with the latest OpenSSL 1.1.1,
> with the appropriate flags already set in the wget openssl support
> code. That is, X509_VERIFY_PARAM_set_flags is called with the param
> X509_V_FLAG_TRUSTED_FIRST, but this did not take. I now get this
> instead:
>
> SSL_INIT
> Resolving www.tug.org (www.tug.org)... 94.23.251.76
> Connecting to www.tug.org (www.tug.org)|94.23.251.76|:443... connected.
> ERROR: The certificate of 'www.tug.org' is not trusted.
> ERROR: The certificate of 'www.tug.org' has expired.
>
> So the OpenSSL docs on how to work around this seem to be emitting
> bogons. Will look at it some more because it seems for this use case,
> the weak link is the client code (in this case, wget).
>
> Tom
>
I made an oopsie in my configure of wget - I was still using GnuTLS instead
of OpenSSL.

Now I have it configured with OpenSSL and get something a _little_ better:

athena:~ tjk$ sudo getnonfreefonts --sys
--2021-11-06 19:11:33-- https://www.tug.org/~kotucha/getnonfreefonts/getfont.pl
Resolving www.tug.org (www.tug.org)... 94.23.251.76
Connecting to www.tug.org (www.tug.org)|94.23.251.76|:443... connected.
ERROR: cannot verify www.tug.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
Unable to locally verify the issuer's authority.
To connect to www.tug.org insecurely, use `--no-check-certificate'.
! Error: Can't execute wget.

I am not sure how I can change the certificate chain that is used by
OpenSSL as I don't think it uses the macOS system certificate chain.

Tom
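
On the question in the message above of which certificate chain a separately built OpenSSL reads, the following is an added example, not part of the original post: it resolves the CA bundle OpenSSL uses by default and prints commands that verify against that bundle rather than disabling verification. The function names are hypothetical, and it assumes OpenSSL's default lookup (the SSL_CERT_FILE environment variable, otherwise cert.pem under the directory reported by `openssl version -d`).

```shell
#!/bin/sh
# Added example (not from the original post): locate the CA bundle that an
# OpenSSL build reads by default. Function names are hypothetical.

# Extract the directory from `openssl version -d` output, which looks like:
#   OPENSSLDIR: "/usr/local/etc/openssl@1.1"
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Default CA file: SSL_CERT_FILE overrides it, otherwise <OPENSSLDIR>/cert.pem.
# $1 is the raw output of `openssl version -d`.
default_ca_file() {
    if [ -n "${SSL_CERT_FILE:-}" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
    else
        printf '%s/cert.pem\n' "$(parse_openssldir "$1")"
    fi
}

# Count PEM certificates in a bundle; prints 0 for a missing or empty file,
# which is the situation that yields "unable to locally verify".
count_pem_certs() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Report for the OpenSSL found first in PATH (skipped if none is installed).
if command -v openssl >/dev/null 2>&1; then
    ca=$(default_ca_file "$(openssl version -d)")
    echo "Default CA file: $ca ($(count_pem_certs "$ca") certificates)"
    echo "Check the server chain against that bundle:"
    echo "  openssl s_client -connect www.tug.org:443 -CAfile \"$ca\" </dev/null"
    echo "Give wget an up-to-date bundle instead of --no-check-certificate:"
    echo "  wget --ca-certificate=/path/to/current-bundle.pem URL"
    echo "  (or 'ca_certificate = /path/to/current-bundle.pem' in ~/.wgetrc)"
fi
```

The bundle path in the last two printed lines is a placeholder; getnonfreefonts invokes wget itself, so the wgetrc form is the one that reaches it.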