#5198 webmin.com download server ssl cert needs wildcard
Hi,
The SSL cert for download.webmin.com is too restrictive so https:// fails (http:// ok)
d.
wget https://download.webmin.com/download/virtualmin/wbm-virtual-server-6.03.gpl-1.noarch.rpm
--2018-09-29 08:56:05-- https://download.webmin.com/download/virtualmin/wbm-virtual-server-6.03.gpl-1.noarch.rpm
Resolving download.webmin.com... 108.60.199.109, 104.207.151.13
Connecting to download.webmin.com|108.60.199.109|:443... connected.
ERROR: cannot verify download.webmin.com's certificate, issued by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3':
Unable to locally verify the issuer's authority.
ERROR: certificate common namejamie.cloud.virtualmin.com' doesn't match requested host name download.webmin.com'.
To connect to download.webmin.com insecurely, use--no-check-certificate'.
Unable to establish SSL connection.
Looks like your HTTPS client doesn't have the Let's Encrypt SSL CA in it's repository?
Jamie,
the output was from a command line on the server (using wget)
the cert was issued for 'jamie.cloud.virtualmin.com' but hasn't got 'jamie.cloud.virtualmin.com' in it.
The use of a wildcard virtualmin.com' would solve this issue.
regards
d.*
Wait, actually I diagnosed it wrong - what version of the
wgetcommand are you running? It looks like it doesn't support SNI, causing the wrong cert to be selected.version 1.14-15.el7_4.1
Vendor CentOS
Architecture x86_64
Installed 18/03/2018 10:19
checked with firefox and it gets the appropriate cert.
d.
Right, the bug is in the
wgetcommand.We saw this on the software.virtualmin.com servers, and just updating the CA fixed it for wget. Some clients won't complain, because I guess they already recognize the Let's Encrypt cert, but wget was failing.
Maybe try making sure you have the latest Let's Encrypt CA? (If you update it on download.webmin.com, it should sync automatically to the mirror server within an hour.)