Wget certbot-auto error


#1

I get a fatal error running the wget of certbot-auto

host:~# wget https://dl.eff.org/certbot-auto
–2016-05-18 19:07:56-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org… 173.239.79.196
Connecting to dl.eff.org|173.239.79.196|:443… connected.
ERROR: certificate common name “lb5.eff.org” doesn’t match requested host name “dl.eff.org”.
To connect to dl.eff.org insecurely, use ‘–no-check-certificate’.

Any help appreciated
(running Debian 6.0.10 Squeeze)

Thanks


#2

Older wget versions, prior to wget 1.13 do not support a basic feature of modern x509 certificates called “Subject Alternative Name” or SAN. The certificate presented by the server you contacted lists many names for that server, of which dl.eff.org is one, but your older wget looks only at the “common name” which is set to lb5.eff.org

You may be able to upgrade wget, and if so I recommend that, as SAN is now very widely used on the Internet and you may run into other problems without it. I do not know if an upgrade for Squeeze is available. Otherwise, you can try replacing the name “dl.eff.org” with “lb5.eff.org” but I can’t be sure if that will work.

(Also you could switch off the check, as wget itself says, but that would incur a small risk that bad people intercept your request and so is a last resort)


#3

I’ll see if we can get that certificate re-issued with “dl.eff.org” in the Common Name field.


#4

This should work on Debian squeeze now.


#5

It does indeed work now. Thanks. Will try the rest of the process now.


#6

Further issues (possibly squeeze related?)

ran sudo ./certbot-auto --verbose --apache

failed with this output

ca-certificates is already the newest version.
gcc is already the newest version.
libssl-dev is already the newest version.
python-dev is already the newest version.
python is already the newest version.
The following extra packages will be installed:
python-pkg-resources python-setuptools
Suggested packages:
augeas-tools python-distribute python-distribute-doc
Recommended packages:
python-pip
The following NEW packages will be installed:
augeas-lenses dialog libaugeas0 libffi-dev python-pkg-resources python-setuptools python-virtualenv
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,441 kB of archives.
After this operation, 6,001 kB of additional disk space will be used.
Do you want to continue [Y/n]?
WARNING: The following packages cannot be authenticated!
augeas-lenses dialog libaugeas0 libffi-dev python-pkg-resources python-setuptools python-virtualenv
Install these packages without verification [y/N]? N


#7

That’s not related to certbot. certbot installs debian packages using apt-get, and some of those seem to have invalid signatures. This could be related to an outdated keyring or any number of things (including a MitM messing with the files, but that’s unlikely). Squeeze also stopped receiving updates earlier this year, so I’m not sure if that could just be a side-effect of that (maybe some signing key expired? I’m not familiar with how Debian handles these things). Try a regular apt-get update && apt-get upgrade, or try any of the other solutions that turn up when you search for that error in general (unrelated to certbot). Or even better: switch to a more recent debian release. :smile:


#8

D’OH! my bad. Yes these errors are due to the (now) unsupported nature of Squeeze. Believe me, I understand I need to update but due to the (perhaps unwisely) modified procmail system I’m running it’s going to be a huge effort which I why I keep putting it off.

Thanks for the quick reply, I guess I need to bite the bullet finally and update.