The webserver behind grigoriefflab.umassmed.edu used to download CISTEM at https://grigoriefflab.umassmed.edu/sites/default/files/cistem-1.0.0-beta... , is misconfigured.
It does not send the whole certificate chain, instead sending only the certificate for *.umassmed.edu. This works for web browsers, as they cache intermeddiate certificates, but when used with wget or other tools, it fails with:
ERROR: The certificate of ‘grigoriefflab.umassmed.edu’ is not trusted.
ERROR: The certificate of ‘grigoriefflab.umassmed.edu’ doesn't have a known issuer.
This prevents anyone from installing CISTEM and other tools distributed from this server using commandline tools.
Output of `openssl s_client -connect grigoriefflab.umassmed.edu:443`:
CONNECTED(00000003)
depth=0 C = US, ST = MA, L = Worcester, OU = Information Technology, O = UMass Medical School, CN = *.umassmed.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = MA, L = Worcester, OU = Information Technology, O = UMass Medical School, CN = *.umassmed.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:C = US, ST = MA, L = Worcester, OU = Information Technology, O = UMass Medical School, CN = *.umassmed.edu
i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
---
Server certificate
...
Compare with https://nginx.org/en/docs/http/configuring_https_servers.html section SSL certificate chains. As you can see, your certificate is signed by an intermediate certificate which is then not sent by your server. Because the C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018 certificate is not a root certificate, commandline tools and some browsers will refuse to connect.
Please forward this to whoever is responsible for the server.
Thanks in advance
Karel
Please use
wget --no-check-certificate https://grigoriefflab.umassmed.edu/sites/default/files/cistem-1.0.0-beta-intel-linux.tar.gz