drush up and drush dl failing

Submitted by John on Fri, 11/11/2016 - 14:02

I've noticed an issue crop up recently where drush seems unable to download new modules, or update existing ones with the drush dl and drush up commands. The issue is that some versions of wget shipped with Redhat Enterprise Linux failed to check SAN names in certificates properly. This article from fastly explains the issue well. Note that Drupal.org hosts its updates server on fastly. 

You can see where drush is failing by using the verbose flags

drush dl [module-name] -vvv

This shows drush working under the hood, and let's you see that it tries to download module updates via wget. Trying the wget command manually may show something like this:

$ wget https://ftp.drupal.org/files/projects/[module-name].tar.gz
ERROR: cannot verify ftp.drupal.org’s certificate, issued by “/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2”:
  Unable to locally verify the issuer’s authority.
ERROR: certificate common name “j.ssl.fastly.net” doesn’t match requested host name “ftp.drupal.org”.

The solution? One option could be to add a ~/.wgetrc file and add the following inside of that:


This might be fine in a VM for local development, but that just feels like bad news on a server in the wild. The better option would be to upgrade your local wget to a newer version, where the problem has been fixed. Edit: or rather, update the ca-certificates package.

sudo yum install ca-certificates