Ticket 9143

Summary: wget of https://download.schedmd.com/slurm/slurm-20.02.3.tar.bz2 fails with 'expired certificate'
Product: Slurm Reporter: S Senator <sts>
Component: OtherAssignee: Tim Wickberg <tim>
Status: RESOLVED INFOGIVEN QA Contact:
Severity: 4 - Minor Issue    
Priority: ---    
Version: 20.02.3   
Hardware: Linux   
OS: Linux   
Site: LANL Alineos Sites: ---
Atos/Eviden Sites: --- Confidential Site: ---
Coreweave sites: --- Cray Sites: ---
DS9 clusters: --- HPCnow Sites: ---
HPE Sites: --- IBM Sites: ---
NOAA SIte: --- OCF Sites: ---
Recursion Pharma Sites: --- SFW Sites: ---
SNIC sites: --- Linux Distro: ---
Machine Name: CLE Version:
Version Fixed: Target Release: ---
DevPrio: --- Emory-Cloud Sites: ---

Description S Senator 2020-06-02 10:43:48 MDT 
We have an automated Makefile that is performing:
  wget -4 https://download.schedmd.com/slurm/slurm-20.02.3.tar.bz2
which fails, as below. Using the direct in-browser, human-driven web link does not generate this error. This appears to have started happening sometime in the past week.

---
727% wget -4 --no-check-certificate https://download.schedmd.com/slurm/slurm-20.02.3.tar.bz2
--2020-06-02 10:35:40--  https://download.schedmd.com/slurm/slurm-20.02.3.tar.bz2
Resolving download.schedmd.com (download.schedmd.com)... 71.19.154.210
Connecting to download.schedmd.com (download.schedmd.com)|71.19.154.210|:443... connected.
WARNING: The certificate of ‘download.schedmd.com’ is not trusted.
WARNING: The certificate of ‘download.schedmd.com’ has expired.
HTTP request sent, awaiting response... 200 OK
Length: 6330257 (6.0M) [application/x-bzip2]
Saving to: ‘slurm-20.02.3.tar.bz2.1’

slurm-20.02.3.tar.bz2.1         100%[====================================================>]   6.04M  7.43MB/s    in 0.8s    

2020-06-02 10:35:41 (7.43 MB/s) - ‘slurm-20.02.3.tar.bz2.1’ saved [6330257/6330257]

728% wget -4 https://download.schedmd.com/slurm/slurm-20.02.3.tar.bz2
--2020-06-02 10:38:07--  https://download.schedmd.com/slurm/slurm-20.02.3.tar.bz2
Resolving download.schedmd.com (download.schedmd.com)... 71.19.154.210
Connecting to download.schedmd.com (download.schedmd.com)|71.19.154.210|:443... connected.
ERROR: The certificate of ‘download.schedmd.com’ is not trusted.
ERROR: The certificate of ‘download.schedmd.com’ has expired.
729% date
Tue 02 Jun 2020 10:38:19 AM MDT
---
Comment 2 Tim Wickberg 2020-06-02 12:54:26 MDT 
Sorry about that, part of the intermediate certificate chain had expired on May 30th. (https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020)

Most web browsers don't rely on the intermediate chain we present, but instead resolved the chain through a different path. So downloading through the browser wouldn't throw an error, while wget - which was using the presented intermediate chain - did.

I've updated our intermediate bundles with a revised chain, and we should have no issues until our own certificate expires next February. (Which is a date we track internally, and will break both wget and everyone's web browser if we overlook. :) )

Thanks for letting us know.

cheers,
- Tim
Comment 3 S Senator 2020-06-02 12:55:51 MDT 
Thank you for the quick resolution. Happy June.