Forum Bugs

Certificate expiration

terence
Docker file:

FROM debian:latest

RUN apt update && apt install wget -y
RUN wget https://www.princexml.com/download/prince_12.2-1_debian9.1_amd64.deb


Result:

Step 3/3 : RUN wget https://www.princexml.com/download/prince_12.2-1_debian9.1_amd64.deb
---> Running in 07df4392cb5a
--2020-06-01 17:44:44-- https://www.princexml.com/download/prince_12.2-1_debian9.1_amd64.deb
Resolving www.princexml.com (www.princexml.com)... 50.116.12.169
Connecting to www.princexml.com (www.princexml.com)|50.116.12.169|:443... connected.
ERROR: The certificate of 'www.princexml.com' is not trusted.
ERROR: The certificate of 'www.princexml.com' has expired.

It work in ubuntu image.
mikeday
An old root certificate has expired:

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

Please update your system to ensure that it has a recent copy of the relevant root certificates.
beaugunderson
The issue seems to persist after running `update-ca-certificates`, we had to modify our production instances to pass `--insecure` for the time being.

Related information here:

https://superuser.com/questions/1556491/getting-ssl-certificate-error-on-valid-certificate-when-accessing-via-curl
amhails
We ran into this one too.

I think this is an issue with gnutls, which provides SSL support for wget (by default).

Issue has apparently been fixed but will take a while to find its way out to distributions
(https://gitlab.com/gnutls/gnutls/-/issues/1008)

In the meantime, I found a couple of workarounds (that don't involve using the insecure option)
* remove the AddTrust_External_Root certificate from your store
* use curl -O instead

mikeday
We have updated our SSL certificate since it was due to expire soon anyway, I hope that helps.