fideloper/Vaprobash

Elasticsearch script has certificate error.

jfountain opened this issue · 4 comments

Running the elasticsearch install script fails due to a certificate error on an Ubuntu 12.04 LTS vagrant box.

wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.deb
--2015-03-17 14:08:33--  https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.deb
Resolving download.elasticsearch.org (download.elasticsearch.org)... 54.225.133.195, 54.243.77.158, 54.225.64.161, ...
Connecting to download.elasticsearch.org (download.elasticsearch.org)|54.225.133.195|:443... connected.
ERROR: no certificate subject alternative name matches
    requested host name `download.elasticsearch.org'.
To connect to download.elasticsearch.org insecurely, use `--no-check-certificate'.

This may be due to the elasticsearch company, elasticsearch.org, rebranding itself to elastic.co recently. I can get around this by adding a --no-check-certificate in the wget in the script, but I wanted to verify with others before sending in a pull request.

Is it working now? I just went to that URL and got no warnings in the browser. Perhaps they quickly updated/renewed their SSL cert.

Working fine in my browser (most recent chrome on mac) but seems to still be an issue with wget.

Just tried this a second ago.

wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.deb
--2015-03-17 15:44:03--  https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.deb
Resolving download.elasticsearch.org (download.elasticsearch.org)... 54.225.64.161, 54.243.77.158, 54.225.133.195, ...
Connecting to download.elasticsearch.org (download.elasticsearch.org)|54.225.64.161|:443... connected.
ERROR: no certificate subject alternative name matches
    requested host name `download.elasticsearch.org'.
To connect to download.elasticsearch.org insecurely, use `--no-check-certificate'.

I did some digging and it's most likely a bug with older versions of wget. 12.04 has wget with this problem...

http://askubuntu.com/questions/324816/wget-doesnt-accept-googles-certificate
https://bugs.launchpad.net/ubuntu/+source/wget/+bug/733888

And since it's stated in the readme "This targets Ubuntu LTS releases, currently 14.04", possibly just close this?

Interesting! I'll take a look in a bit and see if I can dig up anything also.

Thanks!

Got a suggestion from @drewr at elasticsearch on this....

Jimmy, a little more research here uncovered that your version of wget doesn't support SNI, which is the SSL extension that allows web servers to support vhosts with different certs (which we use). So, you could upgrade your wget, but an easier solution would be to switch from download.elasticsearch.org to download.elastic.co. The latter is the default cert handed over in the initial handshake.

I changed this in my fork and will put in a pull request.
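
The fix discussed in this thread (change the download host instead of passing --no-check-certificate) can be sketched as a provisioning helper. This is an added example, not code from the thread or from the Vaprobash repository. The function names are hypothetical, the 1.14 cutoff for SNI support in GNU wget is an assumption not stated in the thread, and the path is assumed to be the same on download.elastic.co as in the original URL.

```shell
# Host suggested in the thread: its certificate is the server's default,
# so it validates even when the client sends no SNI.
ES_HOST="download.elastic.co"

# Return 0 when the wget version string ($1, e.g. "1.13.4") can send SNI.
# Assumption: SNI support arrived in GNU wget 1.14.
# Returns 2 when the string cannot be parsed.
wget_supports_sni() {
    v=$1
    case "$v" in *.*) ;; *) return 2 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') return 2 ;; esac
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 14 ]; }
}

# Print the version of the installed wget ("GNU Wget 1.13.4 built on ...").
installed_wget_version() {
    wget --version 2>/dev/null | awk 'NR==1 {print $3}'
}

# Print the package URL for an Elasticsearch version ($1, e.g. "1.4.4").
es_deb_url() {
    printf 'https://%s/elasticsearch/elasticsearch/elasticsearch-%s.deb\n' \
        "$ES_HOST" "$1"
}

# Download the package with certificate checking left on. If validation
# fails, wget exits non-zero and the provisioning run stops instead of
# installing a package fetched over an unverified connection.
fetch_es_deb() {
    ver=$(installed_wget_version)
    if ! wget_supports_sni "$ver"; then
        echo "wget '$ver' sends no SNI; depending on the default cert of $ES_HOST" >&2
    fi
    wget "$(es_deb_url "$1")"
}

# Usage inside an install script: fetch_es_deb 1.4.4
```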