ndmitchell / hoogle

Haskell API search engine
http://hoogle.haskell.org/

SSL cert error from wiki.haskell.org in test suite #96

Closed snoyberg closed 9 years ago

snoyberg commented 9 years ago

Not sure if this is something we need to be actually concerned about:

```
# keyword.htm (for downloads/keyword.htm)
ERROR: cannot verify wiki.haskell.org's certificate, issued by `/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2':
  Unable to locally verify the issuer's authority.
To connect to wiki.haskell.org insecurely, use `--no-check-certificate'.
hoogle: Error when running Shake build system:
* default.hoo
* keyword.hoo
* keyword.txt
* downloads/keyword.htm.cache
* downloads/keyword.htm
user error (Development.Shake.command, system command failed
Command: wget -nv http://www.haskell.org/haskellwiki/Keywords --output-document=downloads/keyword.htm
Exit code: 5
Stderr:
ERROR: cannot verify wiki.haskell.org's certificate, issued by `/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2':
  Unable to locally verify the issuer's authority.
To connect to wiki.haskell.org insecurely, use `--no-check-certificate'.
)
```

crisoagf commented 9 years ago

In bug #92 I referenced a Stack Overflow entry that seems to suggest that this isn't a hoogle bug, but rather a bug in the way the wiki.haskell.org server is configured.

Long story short, what is apparently happening is that openssl (which wget uses) expects the whole certificate chain for verification to be sent out, but wiki.haskell.org does not send it. Other browsers validate the certificate because they can obtain the intermediate certificates from data in the certificate (which is a de facto behaviour, but does not have to happen, hence the openssl guys consider that this isn't a bug in openssl, but a missing feature).

Using the openssl command from the Stack Overflow solution on www.haskell.org works (the whole certificate chain is sent out), but on wiki.haskell.org it doesn't. Is there any way the person responsible for this could be pinged to check if this is really the problem?
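
An added illustration of the failure described in the comment above (not part of the original thread or of hoogle's code): it parses the `Certificate chain` section printed by `openssl s_client -showcerts` and reports which issuer a verifier that does not fetch intermediates cannot resolve. The sample outputs, leaf subjects, reduced trust store and function names are constructed for the example, and it chains by name only without checking signatures.

```python
import re

# Constructed samples of the "Certificate chain" section of `openssl s_client -showcerts`.
# Leaf subjects are made up; the intermediate DN is the issuer named in the wget error.
LEAF_ONLY = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=wiki.example.test
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
"""
FULL_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.test
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
"""
# Assumed local trust store, reduced to the subject DNs of its root certificates.
TRUSTED_ROOTS = {"/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA"}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    subjects = re.findall(r"^\s*\d+\s+s:(.+)$", text, re.M)
    issuers = re.findall(r"^\s+i:(.+)$", text, re.M)
    return list(zip(subjects, issuers))

def missing_issuer(text, roots=TRUSTED_ROOTS):
    """Walk issuer names upward from the leaf.
    Return None when the walk reaches a trusted root, otherwise the DN of the
    first issuer that was neither sent by the server nor present in the store."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no certificates found in input")
    sent = {subj: iss for subj, iss in chain}
    subject, issuer = chain[0]
    seen = set()
    while True:
        if issuer in roots or subject in roots:
            return None
        if issuer not in sent or issuer in seen:  # not sent, or untrusted self-signed loop
            return issuer
        seen.add(issuer)
        subject, issuer = issuer, sent[issuer]

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, "->", missing_issuer(sample) or "chain resolves to a trusted root")
```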

apeyroux commented 9 years ago

Is there a workaround?

ndmitchell commented 9 years ago

I think adding --no-check-certificate is probably the easiest way to go.

ndmitchell commented 9 years ago

I've added --no-check-certificate, and released 4.2.38, which works around the issue for me. I'd still encourage someone to explain to the Haskell wiki guys how they got it wrong, so it can be fixed in future. I'm not keen on the lack of certificate checking, but given the new codebase (https://github.com/ndmitchell/hogle/) doesn't use wget, it's not worth worrying about too much.