4

If I go to this URL https://solarpaces2014.pse.de/typo3/fileadmin/template/images/banner.jpg and look at the SSL certificate, I see a valid (wildcard) certificate for our domain pse.de.

If I go to this URL https://85.214.107.230/img/common/globe.png (same IP), then the browser complains that a) the certificate is expired and b) that it is self-signed. That's OK; that's the certificate for the Plesk admin site and nobody but our admin uses this site anyway.

If I fetch these files with curl, this happens:

```
$ curl https://solarpaces2014.pse.de/typo3/fileadmin/template/images/banner.jpg > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 90217  100 90217    0     0  16960      0  0:00:05  0:00:05 --:--:--  319k

$ curl https://85.214.107.230/img/common/globe.png > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
....
```

curl is happy with the first certificate and complains about the second one, as expected.

However, when I do the same with wget:

```
$ wget https://solarpaces2014.pse.de/typo3/fileadmin/template/images/banner.jpg -O /dev/null
--2014-08-13 15:20:44--  https://solarpaces2014.pse.de/typo3/fileadmin/template/images/banner.jpg
Resolving solarpaces2014.pse.de... 85.214.107.230
Connecting to solarpaces2014.pse.de|85.214.107.230|:443... connected.
ERROR: cannot verify solarpaces2014.pse.de’s certificate, issued by “/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info@parallels.com”:
  Self-signed certificate encountered.
ERROR: certificate common name “Parallels Panel” doesn’t match requested host name “solarpaces2014.pse.de”.
To connect to solarpaces2014.pse.de insecurely, use ‘--no-check-certificate’.
```

Why on earth is wget fetching the wrong certificate? Is this a wget issue or is there a problem with our Apache configuration?

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
Pablo
  • 169
  • 1
  • 2
  • 12
  • 3
    Let me quote "Qualys": This site works only in browsers with SNI support. https://www.ssllabs.com/ssltest/analyze.html?d=solarpaces2014.pse.de&hideResults=on&ignoreMismatch=on – Deer Hunter Aug 13 '14 at 13:29
  • Thanks, after a few Google searches I found out that Debian 6's version of `wget` lacks SNI support, hence this behaviour. – Pablo Aug 13 '14 at 13:46
  • [Administration panels are off topic](http://serverfault.com/help/on-topic). [Even the presence of an administration panel on a system,](http://meta.serverfault.com/q/6538/118258) because they [take over the systems in strange and non-standard ways, making it difficult or even impossible for actual system administrators to manage the servers normally](http://meta.serverfault.com/a/3924/118258), and tend to indicate low-quality questions from *users* with insufficient knowledge for this site. – HopelessN00b Feb 25 '15 at 08:14
  • I haven't noticed that my topic was closed as off-topic. Sorry about that, at that time it seemed to fit here. Which Stack Exchange site would be more appropriate for this kind of question? – Pablo Oct 03 '15 at 01:47

1 Answer

2

A quick search shows that support for TLS server name indication (SNI), which is what you need in your case, was introduced in wget release 1.14.

Curl included SNI support quite a bit earlier.

For instance, RHEL/CentOS 6 include wget version 1.12 and Debian wheezy 1.13, so I expect they don't support SNI yet.

HBruijn
  • 72,524
  • 21
  • 127
  • 192