docs: wget skip certificate check #1114

Open
wants to merge 1 commit into
base: master

CorruptedPixl

The Cisco website doesn't have a valid certificate, so the wget commands need --no-check-certificate added.
Pure documentation change.

@trex-bot

Checked SHA: d805856
Status: SUCCESS ✔️
Link to job: http://81.218.86.50:8080/job/trex_build/828/

@hhaim
Contributor

hhaim commented Mar 3, 2024

@CorruptedPixl the certificate is OK; your Linux machine is not up to date. You can check it using a browser.

@CorruptedPixl
Author

Thanks for the heads up. It seems the CA just can't be verified on the newest Ubuntu LTS release yet. Works fine in a browser.
Is it worth adding a note in the docs until this is fixed?

@Civil
Contributor

Civil commented Mar 29, 2024

> the certificate is OK; your Linux machine is not up to date. You can check it using a browser.

I'm on the latest OSX (and I have Linux machines), and they all report NET::ERR_CERT_AUTHORITY_INVALID.

And log from openssl s_client: https://gist.github.com/Civil/1ae889e7b3729f51244e34de4528c312

Also, report from ssllabs, most important extracts:

```
CONNECTED(00000005)
depth=0 C=US, ST=California, L=San Jose, O=Cisco Systems Inc., CN=trex-tgn.cisco.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=US, ST=California, L=San Jose, O=Cisco Systems Inc., CN=trex-tgn.cisco.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=US, ST=California, L=San Jose, O=Cisco Systems Inc., CN=trex-tgn.cisco.com
verify return:1
---
Certificate chain
 0 s:C=US, ST=California, L=San Jose, O=Cisco Systems Inc., CN=trex-tgn.cisco.com
   i:C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec  5 12:00:57 2023 GMT; NotAfter: Dec  4 11:59:57 2024 GMT
---
```

and:

```
SSL handshake has read 2362 bytes and written 452 bytes
Verification error: unable to verify the first certificate
```

Also, here is ssllabs report: https://www.ssllabs.com/ssltest/analyze.html?d=trex-tgn.cisco.com

It also mentions that the certificate chain is incomplete (alongside other potential issues, like allowing RC4 as a cipher).
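
The diagnosis in the comment above, as an added example that is not part of the original thread or the TRex project: a shell function that reads `openssl s_client` output and separates an incomplete server chain from other verification failures. The function names are assumptions; the sample input is the set of lines quoted in that comment.

```sh
#!/bin/sh
# Added example, not code from the TRex project. Function names are assumptions.
# Live use: openssl s_client -connect HOST:443 -servername HOST </dev/null 2>&1 | diagnose_chain

# Classify `openssl s_client` output read from stdin; prints one verdict line.
diagnose_chain() {
  awk '
    /^verify error:num=/ {             # e.g. "verify error:num=21:unable to ..."
      split($0, f, /[=:]/)             # f[3] is the numeric verify code
      err[f[3]] = 1; nerr++
    }
    /^ *[0-9]+ s:/ { ncerts++ }        # one " N s:<subject>" line per certificate sent
    /^ +i:/ { issuer = $0; sub(/^ +i:/, "", issuer) }  # issuer of the last one sent
    END {
      if (nerr == 0)
        print "no-verify-errors"
      else if ((18 in err) || (19 in err))    # self-signed leaf / self-signed in chain
        print "self-signed: chain ends in a certificate the client does not trust"
      else if ((21 in err) && ncerts == 1)    # lone leaf that is not self-signed
        print "incomplete-chain: only the leaf was sent; issuer neither sent nor in local store: " issuer
      else if (20 in err)                     # longer chain, top issuer unknown locally
        print "missing-issuer: " ncerts " certificate(s) sent; no local issuer for: " issuer
      else
        print "other-verify-error"
    }
  '
}

# Lines quoted from the s_client log in the comment above (repeats dropped).
sample_from_thread() {
  cat <<'EOF'
depth=0 C=US, ST=California, L=San Jose, O=Cisco Systems Inc., CN=trex-tgn.cisco.com
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Certificate chain
 0 s:C=US, ST=California, L=San Jose, O=Cisco Systems Inc., CN=trex-tgn.cisco.com
   i:C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1
EOF
}

sample_from_thread | diagnose_chain
```

An `incomplete-chain` verdict points at the server configuration (the issuing CA certificate is not being served), which is why a browser that can obtain the intermediate by other means may still accept the site while `wget` and `openssl` reject it.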

@Civil
Contributor

Civil commented Mar 31, 2024

What worries me is what is reported in the Server header:

```
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fip
```

If that is true and not masked, that also means that you should upgrade before CentOS 7 is phased out (June 30, 2024). Also, a smaller problem is that OpenSSL 1.0.2 doesn't support TLS 1.3, as far as I remember, and Red Hat never backported that part from 1.1.0+.
