When updating realplayer (came out today), wget fails to download the source when it is called by portage due to a security problem. I resolved the problem by downloading the file from the same source using firefox.

Reproducible: Always

Steps to Reproduce:
1. emerge -u realplayer or emerge -u world

Actual Results:
>>> emerge (3 of 10) media-video/realplayer-10.0.6 to /
>>> Downloading https://helixcommunity.org/download.php/1589/RealPlayer-10.0.6.776-20050915.i586.rpm
--16:55:46-- https://helixcommunity.org/download.php/1589/RealPlayer-10.0.6.776-20050915.i586.rpm
 => `/usr/portage/distfiles/RealPlayer-10.0.6.776-20050915.i586.rpm'
Resolving helixcommunity.org... 207.188.25.135
Connecting to helixcommunity.org|207.188.25.135|:443... connected.
ERROR: Certificate verification error for helixcommunity.org: unable to get local issuer certificate
To connect to helixcommunity.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

!!! Couldn't download RealPlayer-10.0.6.776-20050915.i586.rpm. Aborting.

Expected Results:
Downloaded RealPlayer-10.0.6.776-20050915.i586.rpm and happily installed it.
emerge info
Portage 2.0.53_rc3 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r1, 2.6.12-nitro5 i686)
=================================================================
System uname: 2.6.12-nitro5 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.0_pre8
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.13
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O3 -pipe -funroll-loops"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-march=athlon-xp -O3 -pipe -funroll-loops"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sfperms strict"
GENTOO_MIRRORS="ftp://gentoo.chem.wisc.edu/gentoo/ http://mirror.datapipe.net/gentoo http://gentoo.chem.wisc.edu/gentoo/ ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://130.207.108.134/pub/gentoo http://mirror.datapipe.net/gentoo http://gentoo.mirrors.tds.net/gentoo ftp://130.207.108.136/pub/gentoo ftp://130.207.108.135/pub/gentoo http://gentoo.mirrors.easynews.com/linux/gentoo/"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow 3ds X a52 aac aim alsa ansi apache2 apm arts artworkextra async atlas audiofile avantgo avi bash-completion beepmp bitmap-fonts blender-game calendar cddb cdparanoia cdr cdrom cgi chroot clanJavaScript clanVoice codecs cpdflib crypt css cups curl devfs26 dga dhcp directfb divx4linux dts dv dvd dvdr dvdread dvdrw editor edl eds emboss encode erandom esd ethereal evo evo2 evolution exif fam fame festival ffmpeg firefox flac flash fmod foomaticdb fortran fpx freetts freetype freetype-version-1 ftp gb gcj gd gif gimp gimpprint gkrellm glut gnokii gnome gphoto2 gpm gs gsm gstreamer gtk gtk+ gtk2 guile hald howl icq ieee1394 image imagekits imagemagick imap imlib ipv6 j2ee jabber java javascript joystick jp2 jpeg jpeg2k junit kadu-modules kadu-voice kde koffice-plugin lcms ldap libcaca libg++ libsamplerate libwww live lm_sensors lzo lzw lzw-tiff mad mapeditor maps matroska mikmod mime ming mjpeg mmx mng monkey motif mozdevelop mozilla mozsvg mp3 mpeg mplayer mppe-mppc msn music mysql nas ncurses network nls nptl nvidia objc ogg oggvorbis openal opengl oscar oss pam pda pdf pdfkit pdflib perl php png python qt quicktime readline real samba sasl scanner sdl slang soundtouch speedo speex spell sse ssl svg svga tcltk tcpd tetex tiff transcode truetype truetype-fonts type1 type1-fonts usb v4l v4l2 vorbis win32codecs wmf xine xinerama xml xml2 xmms xpm xscreensaver xv xvid xvmc yahoo zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
*** This bug has been marked as a duplicate of 101457 ***
(In reply to comment #0, and duplicate status)

I don't believe this, and bugs 110734, 107317 are exactly duplicates of 101457. However, if 101457 is resolved in a manner suggested by many comments, resolution of 101457 may effectively make this "bug" go away too.

Examining the certificate used by the https server at helixcommunity.org, it is signed by Equifax_Secure_Global_eBusiness_CA-1, which is a commercial CA I believe. So helixcommunity.org's cert is in fact not a self-signed certificate if I got this right. In fact, downloading Equifax_Secure_Global_eBusiness_CA-1 from Equifax.com and adding it to my local indexed OpenSSL cert store enabled the RealPlayer to be downloaded and emerged just fine, with wget operating in its default mode, which is to verify the certs.

I was thinking it would be nice to have the ebuild push the required CA cert down to the client and have wget use this CA cert temporarily to verify the https server cert. In this manner, the security of using https in the first place would remain largely uncompromised, assuming the CA cert comes from a trusted source (Gentoo.org server). But I suppose the MD5 sums provide enough validation of package authenticity anyway, so perhaps this is all unnecessary and the proposed resolution of 101457 of having wget simply skip validation of the server cert is sufficient. Therefore, I'm not questioning this being marked as a dup. :)

Y'all are probably thinking I've wasted your time. I occasionally deal with security at work and I believe trust is going to become very important to software distribution in the not-so-distant future. Apologies for being a Gentoo newbie and not understanding the trust and package verification system.
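The two fixes discussed in the comment above (adding the issuing CA to the local indexed OpenSSL cert store, or handing the fetch a CA file just for that download) as an added shell example; this is not code from the bug report, the ebuild, or Portage. It builds a throwaway root CA and a leaf certificate whose subject name is "helixcommunity.org" purely as constructed test data (no network is contacted and the real Equifax CA is not used), reproduces the "unable to get local issuer certificate" failure wget reported, then verifies the same leaf with a per-invocation CA file and with a hashed -CApath directory. It assumes an openssl binary of 1.1.1 or later with its default openssl.cnf installed.

```shell
#!/bin/sh
# Added example, not code from the bug report. Reproduce wget's
# "unable to get local issuer certificate" with a throwaway CA, then make
# the chain verify the two ways the comment above discusses.
# Assumes: openssl 1.1.1+ with its default openssl.cnf installed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test data: a private root CA and a leaf it signs. The
# subject name "helixcommunity.org" is only a label; nothing is contacted.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=helixcommunity.org" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# The "indexed OpenSSL cert store" from the comment: a directory where each
# CA lives under <subject_hash>.0 so -CApath (wget --ca-directory) finds it.
index_ca() {
  mkdir -p "$WORK/certs"
  hash=$(openssl x509 -subject_hash -noout -in "$WORK/ca.pem")
  cp "$WORK/ca.pem" "$WORK/certs/$hash.0"
}

# Verify the leaf with whatever trust options are passed; print "OK" or the
# OpenSSL reason. Output is inspected rather than exit status because older
# openssl builds exit 0 even when verification fails.
verify_leaf() {
  out=$(openssl verify "$@" "$WORK/leaf.pem" 2>&1) || true
  case "$out" in
    *": OK"*) echo "OK" ;;
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *) echo "$out" ;;
  esac
}

make_certs
index_ca
# 1. Only the system store, which does not contain our CA: the wget failure.
echo "system store only : $(verify_leaf)"
# 2. Per-invocation CA file, the equivalent of wget --ca-certificate=FILE.
echo "-CAfile ca.pem    : $(verify_leaf -CAfile "$WORK/ca.pem")"
# 3. Hashed directory, the equivalent of wget --ca-directory=DIR.
echo "-CApath certs/    : $(verify_leaf -CApath "$WORK/certs")"
```

wget's counterparts to the two openssl options are --ca-certificate=FILE and --ca-directory=DIR, so an ebuild that shipped the issuing CA could pass one of those for the fetch instead of --no-check-certificate and keep the server certificate check the comment above wants to preserve.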