getnonfreefonts: tug.org certificate errors
Tom Kacvinsky
tkacvins at gmail.com
Sun Nov 7 02:26:38 CET 2021
On Sat, Nov 6, 2021 at 7:31 PM Tom Kacvinsky <tkacvins at gmail.com> wrote:
>
> On Sat, Nov 6, 2021 at 6:50 PM Tom Kacvinsky <tkacvins at gmail.com> wrote:
>
>>
>>
>> On Sat, Nov 6, 2021 at 6:22 PM Karl Berry <karl at freefriends.org> wrote:
>>
>>> | Resolving www.tug.org... 94.23.251.76
>>> | Connecting to www.tug.org|94.23.251.76|:443... connected.
>>> | ERROR: The certificate of 'www.tug.org' is not trusted.
>>> | ERROR: The certificate of 'www.tug.org' has expired.
>>> | ! Error: Can't execute wget.
>>>
>>> To the best of my knowledge, the certificates on the user's machine have
>>> to be updated. It's a network-wide issue, not related to tug.org or
>>> getnonfreefonts.
>>>
>>> Here is a brief description and some further references:
>>> https://savannah.nongnu.org/forum/forum.php?forum_id=10054
>>
>>
>> I tried building the latest wget with the latest OpenSSL 1.1.1,
>> with the appropriate flags already set in the wget openssl support
>> code. That is, X509_VERIFY_PARAM_set_flags is called with the param
>> X509_V_FLAG_TRUSTED_FIRST. But this did not take. I now get this
>> instead:
>>
>> SSL_INIT
>> Resolving www.tug.org (www.tug.org)... 94.23.251.76
>> Connecting to www.tug.org (www.tug.org)|94.23.251.76|:443... connected.
>> ERROR: The certificate of 'www.tug.org' is not trusted.
>> ERROR: The certificate of 'www.tug.org' has expired.
>>
>> So the OpenSSL docs on how to work around this seem to be emitting
>> bogons. Will look at it some more because it seems for this use case,
>> the weak link is the client code (in this case, wget).
>>
>> Tom
>>
>
> I made an oopsie in my configure of wget - I was still using GnuTLS
> instead of OpenSSL. Now I have it configured with OpenSSL and get
> something a _little_ better
>
> athena:~ tjk$ sudo getnonfreefonts --sys
> --2021-11-06 19:11:33-- https://www.tug.org/~kotucha/getnonfreefonts/getfont.pl
> Resolving www.tug.org (www.tug.org)... 94.23.251.76
> Connecting to www.tug.org (www.tug.org)|94.23.251.76|:443... connected.
> ERROR: cannot verify www.tug.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
> Unable to locally verify the issuer's authority.
> To connect to www.tug.org insecurely, use `--no-check-certificate'.
> ! Error: Can't execute wget.
>
> I am not sure how I can change the certificate chain that is used by
> OpenSSL as I don't think it uses the macOS system certificate chain.
>
OK, so I got something to work with wget, but it is very hacky (at least on
macOS). What I found most interesting is that the system curl on macOS
doesn't have this problem. This seems to be a debacle.
Tom
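
An added example, not part of the original message or of wget/getnonfreefonts: shell functions that report which CA file and directory an OpenSSL-linked client consults by default, and that export the macOS system roots as a PEM bundle. It assumes wget links the same OpenSSL build as the `openssl` on PATH; all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): show which trust anchors an
# OpenSSL-linked client such as wget loads by default.

# OPENSSLDIR compiled into the openssl binary on PATH, printed as
# `OPENSSLDIR: "<path>"`. Assumption: wget links that same build.
openssl_dir() {
    openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Default CA file and hashed CA directory; the SSL_CERT_FILE and
# SSL_CERT_DIR environment variables override the compiled-in paths.
ca_file() { printf '%s\n' "${SSL_CERT_FILE:-$(openssl_dir)/cert.pem}"; }
ca_dir()  { printf '%s\n' "${SSL_CERT_DIR:-$(openssl_dir)/certs}"; }

# Number of PEM certificates in a bundle (0 if the file is unreadable).
count_certs() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# macOS only: dump the system root keychain as a PEM bundle into $1.
export_macos_roots() {
    security find-certificate -a -p \
        /System/Library/Keychains/SystemRootCertificates.keychain > "$1"
}

# Print what the default verification paths resolve to on this machine.
ca_report() {
    f=$(ca_file); d=$(ca_dir)
    echo "CA file: $f ($(count_certs "$f") certificates)"
    if [ -d "$d" ]; then echo "CA dir:  $d"; else echo "CA dir:  $d (missing)"; fi
}

ca_report
```

A bundle written by `export_macos_roots` can be handed to wget with `--ca-certificate=FILE` or through `SSL_CERT_FILE`, which keeps certificate verification on.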