HPKP might be broken
Very often, when trying to access a link on Github.com, wget2 refuses to download the file due to an HPKP public key pinning mismatch.
Here is the output of wget2:

```
22.103935.800 name=progress value=none invert=0
22.103935.800 Reading /home/thedoctor/.local/etc/wget/wget2rc
22.103935.800 name=hsts-file value=~/.local/var/lib/wget/wget-hsts invert=0
22.103935.800 Expanded value = /home/thedoctor/.local/var/lib/wget/wget-hsts
22.103935.800 name=ocsp-file value=~/.local/var/lib/wget/wget-ocsp invert=0
22.103935.800 Expanded value = /home/thedoctor/.local/var/lib/wget/wget-ocsp
22.103935.800 name=hpkp-file value=~/.local/var/lib/wget/wget-hpkp invert=0
22.103935.800 Expanded value = /home/thedoctor/.local/var/lib/wget/wget-hpkp
22.103935.800 name=tls-session-file value=~/.local/var/lib/wget/wget-session invert=0
22.103935.800 Expanded value = /home/thedoctor/.local/var/lib/wget/wget-session
22.103935.800 name=content-disposition value=on invert=0
22.103935.800 name=progress value=bar invert=0
22.103935.800 name=progress value=none invert=0
22.103935.800 Local URI encoding = 'UTF-8'
22.103935.800 Input URI encoding = 'UTF-8'
22.103935.800 Fetched HSTS data from '/home/thedoctor/.local/var/lib/wget/wget-hsts'
22.103935.800 Fetched HPKP data from '/home/thedoctor/.local/var/lib/wget/wget-hpkp'
22.103935.800 add TLS session data for github-cloud.s3.amazonaws.com (maxage=1482410548, size=2822)
22.103935.800 add TLS session data for ftp.mozilla.org (maxage=64800, size=3797)
22.103935.800 add TLS session data for files.pythonhosted.org (maxage=64800, size=6677)
22.103935.800 add TLS session data for pypi.python.org (maxage=64800, size=4461)
22.103935.800 add TLS session data for raw.githubusercontent.com (maxage=64800, size=4149)
22.103935.800 Fetched TLS session data from '/home/thedoctor/.local/var/lib/wget/wget-session'
22.103935.800 add OCSP host ftp.mozilla.org (maxage=1506072963)
22.103935.800 Fetched OCSP hosts from '/home/thedoctor/.local/var/lib/wget/wget-ocsp_hosts'
22.103935.800 add OCSP cert 3b9ff6dc11f896b162603d29360be64e69f834e9b37a057a5b84cd54e58e7c8b (maxage=1506072963,valid=1)
22.103935.800 add OCSP cert 154c433c491929c5ef686e838e323664a00e6a0d822ccc958fb4dab03e49a08f (maxage=1506072963,valid=1)
22.103935.800 Fetched OCSP fingerprints from '/home/thedoctor/.local/var/lib/wget/wget-ocsp'
22.103935.800 *url = https://github.com/roddhjav/pass-update/releases/download/v2.0/pass-update-2.0.tar.gz
22.103935.800 *3 https://github.com/roddhjav/pass-update/releases/download/v2.0/pass-update-2.0.tar.gz
22.103935.800 local filename = 'pass-update-2.0.tar.gz'
22.103935.800 host_add_job: job fname pass-update-2.0.tar.gz
22.103935.800 host_add_job: 0x5644c2900e80 https://github.com/roddhjav/pass-update/releases/download/v2.0/pass-update-2.0.tar.gz
22.103935.800 host_add_job: qsize 1 host-qsize=1
22.103935.800 queue_size: qsize=1
22.103935.800 queue_size: qsize=1
22.103935.800 queue_size: qsize=1
22.103935.800 [0] action=1 pending=0 host=0x0
22.103935.800 qsize=1 blocked=0
22.103935.800 pause=-1506069575800
22.103935.801 dequeue job https://github.com/roddhjav/pass-update/releases/download/v2.0/pass-update-2.0.tar.gz
22.103935.801 resolving github.com:443...
22.103935.802 has 192.30.253.112:443
22.103935.802 has 192.30.253.113:443
22.103935.802 Add dns cache entry github.com
22.103935.802 trying 192.30.253.112:443...
22.103935.802 GnuTLS init
22.103935.865 Certificates loaded: 160
22.103935.865 GnuTLS init done
22.103935.865 TLS False Start requested
22.103935.865 ALPN offering h2
22.103935.865 ALPN offering http/1.1
ERROR: Pubkey pinning mismatch!
22.103936.103 gnutls_handshake: (-43) Error in the certificate.
22.103936.103 ALPN: Server accepted protocol 'http/1.1'
----
Certificate info [0]:
Valid since: Thu Mar 10 01:00:00 2016
Expires: Thu May 17 14:00:00 2018
Fingerprint: b890fabe8bb63625899e1e0049814797
Serial number: b890fabe8bb63625899e1e0049814797
Public key: RSA, Medium (2048 bits)
Version: #3
DN:
Issuer's DN: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
Issuer's OID: 2.5.4.6
Issuer's UID: 2.5.4.6
Certificate info [1]:
Valid since: Tue Oct 22 14:00:00 2013
Expires: Sun Oct 22 14:00:00 2028
Fingerprint: 253ea87bf67d57241524f00e457768ac
Serial number: 253ea87bf67d57241524f00e457768ac
Public key: RSA, Medium (2048 bits)
Version: #3
DN: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 Extended Validation Server CA
Issuer's DN: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
Issuer's OID: 2.5.4.6
Issuer's UID: 2.5.4.6
----
Ephemeral ECDH using curve (null)
Key Exchange: ECDHE-RSA
Protocol: TLS1.2
Certificate Type: X.509
Compression: NULL
Cipher: NULL
MAC: MAC-NULL
----
22.103936.104 closing connection
22.103936.104 Failed to connect (-6)
22.103936.104 host_final_failure: qsize=0
22.103936.104 host_increase_failure: github.com failures=1
22.103936.104 [0] action=3 pending=1 host=0x5644c2902cf0
22.103936.104 released job https://github.com/roddhjav/pass-update/releases/download/v2.0/pass-update-2.0.tar.gz
22.103936.104 [0] action=1 pending=0 host=0x0
22.103936.104 qsize=1 blocked=1
22.103936.104 main: wake up
22.103936.104 main: done
22.103936.104 Successfully updated '/home/thedoctor/.local/var/lib/wget/wget-session'.
22.103936.104 Saved 5 TLS session entries into '/home/thedoctor/.local/var/lib/wget/wget-session'
22.103936.104 Successfully updated '/home/thedoctor/.local/var/lib/wget/wget-ocsp_hosts'.
22.103936.104 Saved OCSP hosts to '/home/thedoctor/.local/var/lib/wget/wget-ocsp_hosts'
22.103936.104 Successfully updated '/home/thedoctor/.local/var/lib/wget/wget-ocsp'.
22.103936.104 Saved OCSP fingerprints to '/home/thedoctor/.local/var/lib/wget/wget-ocsp'
22.103936.104 blacklist https://github.com/roddhjav/pass-update/releases/download/v2.0/pass-update-2.0.tar.gz
```
As you can see, there was a pubkey pinning mismatch. However, here is the relevant block in my .wget-hpkp:

```
github.com 1 1501768713 5184000
*sha256 WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=
*sha256 RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=
*sha256 k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=
*sha256 K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=
*sha256 IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4=
*sha256 iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=
*sha256 LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A=
```
And here is the header that github.com is currently sending:

```
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0="; pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains
```
Hence, the public keys in my database are the same as the ones the website is currently advertising. This leads me to believe that we are somehow at fault. I haven't investigated it yet.
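The comparison made in this report (stored pins versus the pins in the served `Public-Key-Pins` header) and the check that actually decides a pinning failure (is the SHA-256 of at least one SubjectPublicKeyInfo in the presented chain among the pinned values, RFC 7469) can both be scripted. The following is an added example written for this page; it is not wget2's code. It embeds the header and the `wget-hpkp` entry quoted above, assumes the columns of a `wget-hpkp` host line are `host include_subdomains created max_age` (an assumption about the file format, not confirmed by the report), and hashes a constructed toy RSA SPKI because the page shows no public key material for the chain.

```python
import base64
import hashlib

# Header value as quoted in the report (Public-Key-Pins only, without the field name).
PKP_HEADER = (
    'max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; '
    'pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="; '
    'pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; '
    'pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; '
    'pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; '
    'pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0="; '
    'pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains'
)

# The wget-hpkp block as quoted in the report.
HPKP_FILE = """\
github.com 1 1501768713 5184000
*sha256 WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=
*sha256 RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=
*sha256 k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws=
*sha256 K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=
*sha256 IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4=
*sha256 iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=
*sha256 LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A=
"""


def parse_pkp_header(value):
    """Split a Public-Key-Pins value into (set of pins, max-age, includeSubDomains)."""
    pins, max_age, include_sub = set(), None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return pins, max_age, include_sub


def parse_hpkp_file(text):
    """Parse wget-hpkp text: a host line, then one '*sha256 <pin>' line per pin.
    Column meaning of the host line (host include_subdomains created max_age) is assumed."""
    entries, host = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*sha256 "):
            entries[host]["pins"].add(line.split(None, 1)[1])
        else:
            host, include_sub, created, max_age = line.split()
            entries[host] = {"include_subdomains": include_sub == "1",
                             "created": int(created), "max_age": int(max_age), "pins": set()}
    return entries


def store_entry_active(entry, now):
    """A pinned host only applies while created + max_age is still in the future."""
    return now < entry["created"] + entry["max_age"]


def store_agrees_with_header(entry, header_value):
    """The comparison the report makes: are the stored pins exactly the advertised ones?"""
    return entry["pins"] == parse_pkp_header(header_value)[0]


# Minimal DER helpers so a SubjectPublicKeyInfo can be built without extra libraries.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return _der(0x02, b)


def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo for an RSA key: SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { n, e } } }."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
    alg = _der(0x30, rsa_oid + b"\x05\x00")
    pub = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))


def spki_pin(spki_der):
    """pin-sha256 as RFC 7469 defines it: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def chain_matches_pins(chain_spki_ders, pinned):
    """Pin validation passes when at least one SPKI in the presented chain is pinned."""
    return any(spki_pin(der) in pinned for der in chain_spki_ders)


# Constructed toy modulus: not a real key, only here so that a pin can be computed offline.
TOY_SPKI = rsa_spki_der(0xC0FFEE_1234_5678_9ABC_DEF0_1357_9BDF_2468_ACE1, 65537)

if __name__ == "__main__":
    entry = parse_hpkp_file(HPKP_FILE)["github.com"]
    print("store == header:", store_agrees_with_header(entry, PKP_HEADER))
    print("toy chain pinned:", chain_matches_pins([TOY_SPKI], entry["pins"]))
```

Run against the values on the page, `store_agrees_with_header` confirms the reporter's observation that the store and the header carry the same seven pins, and the `pause=` timestamp in the log (about 1506069575 seconds, if read as a Unix time) falls inside the entry's `created + max_age` window, so the entry was neither stale nor missing. What the report does not show is any SPKI from the chain wget2 actually received, which is the input `chain_matches_pins` needs; dumping the served chain with a TLS client and feeding the DER SPKIs into that function is the next diagnostic step when such a mismatch is investigated.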