php / php-src

The PHP Interpreter
https://www.php.net

ERROR: The certificate of ‘www.php.net’ is not trusted. #11346

Closed timnolte closed 1 year ago

timnolte commented 1 year ago

Description

This issue is causing all of my OpenLiteSpeed Docker image builds to fail, for all of the latest PHP versions.

https://github.com/ndigitals/ols-dockerfiles/actions/runs/5116680015

I didn't have this issue 2 weeks ago.

https://github.com/ndigitals/ols-dockerfiles/actions/runs/4976046846

The following code:

wget https://www.php.net/distributions/php-8.0.28.tar.gz

Resulted in this output:

--2023-05-29 22:12:45--  https://www.php.net/distributions/php-8.0.28.tar.gz
Resolving www.php.net (www.php.net)... 185.85.0.29, 2a02:cb40:200::1ad
Connecting to www.php.net (www.php.net)|185.85.0.29|:443... connected.
ERROR: The certificate of ‘www.php.net’ is not trusted.

But I expected this output instead:

Successful download of archive.

PHP Version

PHP 8.0.28, PHP 8.1.19, PHP 8.2.6

Operating System

Debian 11

damianwadley commented 1 year ago

➡️ https://github.com/php/web-php/issues

Cert was issued last year and it looks fine to me. Neither Chrome nor wget (Ubuntu 22.04) has a problem with it. Doesn't seem to be anything wrong on that end.

timnolte commented 1 year ago

This is a legitimate issue with 2 different environments. There is certainly an issue. These builds ran without issue 2 weeks ago; there have been no changes, and now they are failing. I also just tried on my local Debian 11 system with wget and they are failing.

timnolte commented 1 year ago

According to SSL Labs there is an OCSP Stapling error. I'm not sure if this is what's causing problems for wget.

https://www.ssllabs.com/ssltest/analyze.html?d=www.php.net&s=185.85.0.29&hideResults=on

OCSP STAPLING ERROR: OCSP response expired on Mon May 29 17:26:12 UTC 2023
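
A way to check whether a server's stapled OCSP response has passed its Next Update time, the condition SSL Labs reports above (added example, not part of the original thread). It parses the text that `openssl s_client -status` prints; the function names and the sample input are constructed for illustration, apart from the Next Update value quoted above.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the layout `openssl s_client -status` prints; only the
# Next Update value comes from the SSL Labs line quoted in the thread.
SAMPLE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: May 22 17:26:00 2023 GMT
    Cert Status: good
    This Update: May 22 17:26:12 2023 GMT
    Next Update: May 29 17:26:12 2023 GMT
"""

_FIELD = re.compile(r"^[ \t]*(Cert Status|This Update|Next Update):[ \t]*(.+?)[ \t]*$", re.M)


def _parse_time(text):
    # openssl prints times such as "May 29 17:26:12 2023 GMT"
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def staple_state(output, now):
    """Classify the stapled OCSP response found in s_client output at time `now`."""
    if "OCSP response: no response sent" in output:
        return "missing"
    fields = dict(_FIELD.findall(output))  # assumes a single-certificate staple
    if "This Update" not in fields:
        return "missing"
    if fields.get("Cert Status") != "good":
        return "not-good"
    if now < _parse_time(fields["This Update"]):
        return "not-yet-valid"
    if "Next Update" not in fields:  # nextUpdate is optional in an OCSP response
        return "no-next-update"
    if now >= _parse_time(fields["Next Update"]):
        return "expired"
    return "fresh"


if __name__ == "__main__":
    # Usage: openssl s_client -connect www.php.net:443 -servername www.php.net \
    #            -status </dev/null 2>/dev/null | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(staple_state(text, datetime.now(timezone.utc)))
```

Run on a schedule against each endpoint behind a CDN or DDoS-protection front end, a result other than `fresh` is worth alerting on before strict clients start rejecting the handshake.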

damianwadley commented 1 year ago

185.85.0.29 is the Myra service (they do DDoS protection and the like) and not our own servers so a stapling issue might be on them. Or not - I don't know the setup. Either way,

This might be fixed within a day or two naturally, but you can send an email to systems@php to point it out now.

timnolte commented 1 year ago

@damianwadley I think some inquiry or analysis needs to be done with Myra because all of a sudden today, without changing anything on my end, a wget from Debian is all of a sudden working. Looking at the SSL Labs results now, the OCSP Stapling is no longer showing as expired.

https://www.ssllabs.com/ssltest/analyze.html?d=www.php.net&s=185.85.0.29&hideResults=on&latest

damianwadley commented 1 year ago

Sure, someone could check up on what happened. Maybe a cronjob didn't run. Maybe someone forgot. Who knows?

Either way, evidently it's been fixed. Not sure why you're so surprised about it "suddenly" working, or why you thought something needed to change "on your end"...