Why wget doesn't verify SSL certificates?

Question

I have a problem with my Fedora 8 installation. It looks that wget doesn't know how to verify SSL certificates any more. It's strange because I have another Fedora 8 box which I believe has the same configuration and it works!

How can I make it work without using --no-check-certificate switch?

This is a sample output:

wget https://www.google.com
--2011-09-23 00:11:13--  https://www.google.com/
Resolving www.google.com... 74.125.230.146, 74.125.230.147, 74.125.230.148, ...
Connecting to www.google.com|74.125.230.146|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by `/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA':
  Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

EDIT

I have this file /etc/pki/tls/certs/ca-bundle.crt file and when I run wget with --ca-certificate switch pointing to this file everything goes fine. Where should this file be placed so that I don't need to use the switch?

BTW: curl and links work fine, but lynx also complains: "SSL error:unable to get local issuer certificate" so this is not only wget's issue...

I'm aware this is an ancient OS no longer supported but I hope that this is just some kind of a configuration problem which might be easily solved by someone experienced so that I don't need to upgrade the whole system. — tomazy, Sep 23 '11 at 02:00
I have solve my problem using this link [here](http://stackoverflow.com/questions/33320340/crontab-to-use-wget-without-sertificate) — Hardik Mamtora, May 25 '16 at 12:19

Jared · Answer 1 · 2019-08-14T07:55:13.707

18

I had problems with wget not finding my certificates so I installed ca-certificates

sudo apt install ca-certificates

then I edited:

sudo vi /etc/wgetrc

and added

ca_directory=/etc/ssl/certs

or you can just use this command to append it to the end:

printf "\nca_directory=/etc/ssl/certs" | sudo tee -a /etc/wgetrc

edited Aug 14 '19 at 07:55

answered Aug 13 '19 at 03:38

Jared

316
2
5

1

alternatively it worked for me if I used `wget https://myurl --ca-directory=/etc/ssl/certs/` but I don't want to have to type that every time, aint nobody got time for that ;-) – Jared Aug 13 '19 at 03:40
This worked for me, thanks! – cyrusbehr Sep 17 '20 at 19:29
2

CentOS 7: `sudo yum upgrade ca-certificates` – Kevin Jan 03 '22 at 15:59

score 13 · Accepted Answer · answered Sep 23 '11 at 02:06

13

By default wget will check for certificates in the path defined in openssl conf file /etc/pki/tls/openssl.cnf (no sure whether the path is correct for fc8). Please check the openssl configuration file and confirm that the paths are correct. May be it is openssl, that need to be corrected.

answered Sep 23 '11 at 02:06

SparX

1,924
12
10

It was a problem with openssl - cert.pem file was missing in /etc/pki/tls. Thanks – tomazy Sep 23 '11 at 03:08

score 5 · Answer 3 · answered Sep 23 '11 at 00:30

5

Your system doesn't trust the signature chain for Google's cert.

They also aren't presenting the full certificate chain, just their issuer's certificate; not 100% up to par, but certainly nothing that should stop you from validating the chain.

Your ancient system is likely to have an equally ancient set of trusted root certificate authorities.

Trust the right VeriSign cert (here), and you should be good.

answered Sep 23 '11 at 00:30

Shane Madden

114,520
13
181
251

How exactly do I "trust" the VeriSign cert? – tomazy Sep 23 '11 at 01:39
Probably needs to be put in `/etc/ssl/certs`. – Shane Madden Sep 23 '11 at 01:51
This dir didn't exist but I created it and copied the cert files - it didn't help :( – tomazy Sep 23 '11 at 02:02
Not sure where the certificates directory is located in that OS, then. `grep` around! – Shane Madden Sep 23 '11 at 02:16

score 4 · Answer 4 · answered Sep 23 '11 at 00:58

You need to gather a list of the root certificates that you wish to trust and tell wget how to find them using either the --ca-certificate or --ca-directory option. You may already have one in /etc/pki/tls/certs if you have the appropriate package installed.

Why wget doesn't verify SSL certificates?

4 Answers4

Linked

Related