`wget` fails with `403` when trying to download source archives #65227

jpalus · 2023-08-28T20:27:37Z

jpalus
Aug 28, 2023

Select Topic Area

Bug

Body

Without any relevant change recently wget 1.21.4 started failing with 403. All sources are affected. Surprisingly curl works fine.

wget -d https://github.com/cli/cli/archive/refs/tags/v2.33.0.tar.gz 
DEBUG output created by Wget 1.21.4 on linux-gnu.

Reading HSTS entries from /home/users/jan/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'v2.33.0.tar.gz' (UTF-8) -> 'v2.33.0.tar.gz' (UTF-8)
--2023-08-28 22:25:52--  https://github.com/cli/cli/archive/refs/tags/v2.33.0.tar.gz
Resolving github.com (github.com)... 140.82.121.4
Caching github.com => 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
Created socket 3.
Releasing 0x000000000516c350 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x000000000513d910
certificate:
  subject: CN=github.com,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US
  issuer:  CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1,O=DigiCert Inc,C=US
X509 certificate successfully verified and matches host github.com

---request begin---
GET /cli/cli/archive/refs/tags/v2.33.0.tar.gz HTTP/1.1
Host: github.com
User-Agent: Wget/1.21.4
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 302 Found
Server: github.com
Date: Mon, 28 Aug 2023 20:25:52 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Location: https://codeload.github.com/cli/cli/tar.gz/refs/tags/v2.33.0
Cache-Control: max-age=0, private
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events *.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ wss://*.actions.githubusercontent.com github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com objects-origin.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: 98BA:74A7:48233D3:48C8BCC:64ED02D0

---response end---
302 Found
Registered socket 3 for persistent reuse.
Parsed Strict-Transport-Security max-age = 31536000, includeSubDomains = true
Updated HSTS host: github.com:443 (max-age: 31536000, includeSubdomains: true)
URI content encoding = ‘utf-8’
Location: https://codeload.github.com/cli/cli/tar.gz/refs/tags/v2.33.0 [following]
] done.
URI content encoding = None
Converted file name 'v2.33.0.tar.gz' (UTF-8) -> 'v2.33.0.tar.gz' (UTF-8)
--2023-08-28 22:25:52--  https://codeload.github.com/cli/cli/tar.gz/refs/tags/v2.33.0
Resolving codeload.github.com (codeload.github.com)... 140.82.121.10
Caching codeload.github.com => 140.82.121.10
Connecting to codeload.github.com (codeload.github.com)|140.82.121.10|:443... connected.
Created socket 4.
Releasing 0x0000000005054740 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 4 to SSL handle 0x00000000050d3130
certificate:
  subject: CN=*.git.luolix.top,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US
  issuer:  CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1,O=DigiCert Inc,C=US
X509 certificate successfully verified and matches host codeload.github.com

---request begin---
GET /cli/cli/tar.gz/refs/tags/v2.33.0 HTTP/1.1
Host: codeload.github.com
User-Agent: Wget/1.21.4
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 0
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'
connection: close

---response end---
403 Forbidden
Parsed Strict-Transport-Security max-age = 31536000, includeSubDomains = false
Updated HSTS host: codeload.github.com:443 (max-age: 31536000, includeSubdomains: false)
URI content encoding = ‘utf-8’
Closed 4/SSL 0x00000000050d3130
2023-08-28 22:25:53 ERROR 403: Forbidden.

Answered by bk2204

Aug 29, 2023

Hey,

I'm one of the engineers on the Git Protocols team, which is responsible for the service, codeload, that serves archives. We blocked a scraper which was causing some performance impact earlier and it appears our pattern wasn't specific enough, so it accidentally flagged more clients than we wanted.

We've restricted the pattern to be more specific so it shouldn't impact other parties, and things should be back to normal. My apologies for the problems; we'll try to avoid this kind of problem again in the future.

View full answer

IFREES · 2023-08-28T20:49:27Z

IFREES
Aug 28, 2023

Same for me but with a different version: GNU Wget 1.20.3 built on linux-gnu.

URI encoding = ‘UTF-8’
/tmp/nanorc.zip: Scheme missing.
URI encoding = ‘UTF-8’
Converted file name 'master.zip' (UTF-8) -> 'master.zip' (UTF-8)
--2023-08-28 22:46:33--  https://github.com/scopatz/nanorc/archive/master.zip
Resolving github.com (github.com)... 140.82.121.3
Caching github.com => 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
Created socket 3.
Releasing 0x000055a6d8339180 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x000055a6d8339330
certificate:
  subject: CN=github.com,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US
  issuer:  CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1,O=DigiCert Inc,C=US
X509 certificate successfully verified and matches host github.com

---request begin---
GET /scopatz/nanorc/archive/master.zip HTTP/1.1
User-Agent: Wget/1.20.3 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: github.com
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 302 Found
Server: github.com
Date: Mon, 28 Aug 2023 20:46:33 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Location: https://codeload.github.com/scopatz/nanorc/zip/refs/heads/master
Cache-Control: max-age=0, private
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events *.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ wss://*.actions.githubusercontent.com github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com objects-origin.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: A768:1ED9:4BDC51C:4C86B1A:64ED07A9

---response end---
302 Found
Registered socket 3 for persistent reuse.
Parsed Strict-Transport-Security max-age = 31536000, includeSubDomains = true
Updated HSTS host: github.com:443 (max-age: 31536000, includeSubdomains: true)
URI content encoding = ‘utf-8’
Location: https://codeload.github.com/scopatz/nanorc/zip/refs/heads/master [following]
] done.
URI content encoding = None
Converted file name 'master.zip' (UTF-8) -> 'master.zip' (UTF-8)
--2023-08-28 22:46:33--  https://codeload.github.com/scopatz/nanorc/zip/refs/heads/master
Resolving codeload.github.com (codeload.github.com)... 140.82.121.10
Caching codeload.github.com => 140.82.121.10
Connecting to codeload.github.com (codeload.github.com)|140.82.121.10|:443... connected.
Created socket 4.
Releasing 0x000055a6d834f660 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 4 to SSL handle 0x000055a6d833b360
certificate:
  subject: CN=*.git.luolix.top,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US
  issuer:  CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1,O=DigiCert Inc,C=US
X509 certificate successfully verified and matches host codeload.github.com

---request begin---
GET /scopatz/nanorc/zip/refs/heads/master HTTP/1.1
User-Agent: Wget/1.20.3 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: codeload.github.com
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 0
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'
connection: close

---response end---
403 Forbidden
Parsed Strict-Transport-Security max-age = 31536000, includeSubDomains = false
Updated HSTS host: codeload.github.com:443 (max-age: 31536000, includeSubdomains: false)
URI content encoding = ‘utf-8’
Closed 4/SSL 0x000055a6d833b360
2023-08-28 22:46:33 ERROR 403: Forbidden.
``` /

1 reply

milkylainen Aug 28, 2023

Ack. Noticed failed downloads about two hours before the first post.
Drove me nuts before I found this.

AndreMiras · 2023-08-28T21:28:01Z

AndreMiras
Aug 28, 2023

I also started having that issue a couple of hours ago.
However it did happen only in a docker environment and not on my host.
I compared the HTTP headers and they're mainly the same, so I figure out it was at SSL level.
And I could get it work changing the secure protocol, e.g. in ubuntu:22.04 docker image adding --secure-protocol=TLSv1_2 makes it work:

wget --secure-protocol=TLSv1_2 https://codeload.github.com/openresty/lua-resty-string/tar.gz/refs/tags/v0.09

4 replies

fennewald Aug 28, 2023

this resolved it for me on non-dockerized ubuntu 22.04 with wget 1.21.2

IFREES Aug 28, 2023

It seems that the bug only affects Linux.
I tried it on my Mac and the Windows version and both worked fine.
On my Ubuntu 20.04.6 wsl instance and on my Ubuntu 20.XX.X server, wget also fails.

jpalus Aug 28, 2023
Author

Actually it seems to work with any explicit TLS --secure-protocol including TLSv1, TLSv1_1, TLSv1_2 and TLSv1_3. It's the auto that causes issues (the default). man page describes it as:

If auto is used, the SSL library is given the liberty of choosing the appropriate protocol
automatically, which is achieved by sending a TLSv1 greeting. This is the default.

jpalus Aug 28, 2023
Author

In turn seems to be related to ciphers configured for auto mode:

      if (opt.secure_protocol == secure_protocol_auto)
	      ciphers_string = "HIGH:!aNULL:!RC4:!MD5:!SRP:!PSK";

which does not work with default TLSv1, though works with TLSv1_3.

kkawabat · 2023-08-29T01:24:23Z

kkawabat
Aug 29, 2023

Anyone have a solution to this without modifying the wget command? I have a wget calls in a 3rd party script that is breaking due to this issue.

At the moment I am able to fix it by adding TLSv1 as default security protocol in wget config file:

echo "secureprotocol = TLSv1" > "$HOME/.wgetrc"

But I'm not sure if this is the best approach.

0 replies

bk2204 · 2023-08-29T03:13:55Z

bk2204
Aug 29, 2023

Hey,

I'm one of the engineers on the Git Protocols team, which is responsible for the service, codeload, that serves archives. We blocked a scraper which was causing some performance impact earlier and it appears our pattern wasn't specific enough, so it accidentally flagged more clients than we wanted.

We've restricted the pattern to be more specific so it shouldn't impact other parties, and things should be back to normal. My apologies for the problems; we'll try to avoid this kind of problem again in the future.

6 replies

zhongjiajie Aug 30, 2023

this change failed our self-host GitHub action runner, and I think some other users with Ali cloud as their infra suffer for this too, see https://github.com/orgs/community/discussions/65227#discussioncomment-6852121 could you do not ban Ali cloud anymore?

delatbabel Aug 30, 2023

@bk2204 this is still failing across all Alicloud IP addresses.

nielifeng Aug 30, 2023

@bk2204 this is still failing across all Alicloud IP addresses.

nielifeng Aug 30, 2023

I contacted Alicloud and they had no good solution. It seems that the problem lies with github

shudarshon-deriv Aug 30, 2023

thanks @bk2204 for the heads up. do you guys have any plan to whitelist alicloud ip back?

delatbabel · 2023-08-29T11:30:29Z

delatbabel
Aug 29, 2023

Hi,

We are still having the same problem, started in the last 8 hours so maybe different to what was reported above. It affects multiple servers and I have tried using the --secure-protocol workarounds mentioned above to no effect.

It's affecting all of our servers in SE Asia and E Asia data centres including Tokyo, Singapore and Hong Kong. It's not affecting a similar server in Sydney nor is it affecting our desktop devices in Vietnam.

Any chance of a resolution?

$ wget --secure-protocol=TLSv1_2 https://github.com/unicode-cldr/cldr-misc-modern/archive/32.0.0.zip --2023-08-29 19:20:54-- https://github.com/unicode-cldr/cldr-misc-modern/archive/32.0.0.zip Resolving github.com (github.com)... 20.27.177.113 Connecting to github.com (github.com)|20.27.177.113|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://codeload.github.com/unicode-cldr/cldr-misc-modern/zip/refs/tags/32.0.0 [following] --2023-08-29 19:20:54-- https://codeload.github.com/unicode-cldr/cldr-misc-modern/zip/refs/tags/32.0.0 Resolving codeload.github.com (codeload.github.com)... 20.27.177.114 Connecting to codeload.github.com (codeload.github.com)|20.27.177.114|:443... connected. HTTP request sent, awaiting response... 403 Forbidden 2023-08-29 19:20:54 ERROR 403: Forbidden.

8 replies

mekpin Aug 30, 2023

@bk2204 hi BK i think this problem also affect many instances under ali cloud

https://github.com/orgs/community/discussions/65335

theres another thread discussing it

if you have any workaround please do tell

delatbabel Aug 30, 2023

I have logged a support ticket with Github. I'm guessing that nobody else other than me and github support can see the ticket but here is the URL for reference: https://support.github.com/ticket/personal/0/2312134

zhongjiajie Aug 30, 2023

@delatbabel I can not see the ticket, please give me mention me if have any process of this, thanks

adinriv Sep 25, 2023

@delatbabel did you get a solution from support? I have a similar issue on self-hosted runners.

Strangely, I can get a wget from the runner machine but not from the action when it is executing.

delatbabel Sep 25, 2023

@adinriv yes it's working for us now on Alicloud. Initially it was affecting all machines on Alicloud but now that's working OK. It sounds like you have a different problem, because for us every action on the runner machine was being blocked, but now that's not the case.

webertrlz · 2023-08-30T11:40:13Z

webertrlz
Aug 30, 2023

This is heavily impacting our production process as we are currently affected by the blockage. How can we solve this issue?
This impedes GitHub Actions from downloading Actions to execute them on a Workflow.
I have created a Support Ticket 2312554.

0 replies

delatbabel · 2023-08-30T14:18:08Z

delatbabel
Aug 30, 2023

I got a contact back from github support, it has been fixed and I have verified that it's working for me now.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

`wget` fails with `403` when trying to download source archives #65227

{{title}}

Replies: 7 comments 19 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

wget fails with 403 when trying to download source archives #65227

Select Topic Area

Body

Replies: 7 comments · 19 replies

jpalus Aug 28, 2023 Author

jpalus Aug 28, 2023 Author

`wget` fails with `403` when trying to download source archives #65227

Replies: 7 comments 19 replies

jpalus Aug 28, 2023
Author

jpalus Aug 28, 2023
Author