
I cannot get wget to use the client certificates. The documentation speaks about using the --certificate flag.

The use of the certificate flag is clear, I set it to use the PEM version of the client certificate.

But when I connect I get the following error:

HTTP request sent, awaiting response... Read error (error:14094410:SSL routines:
SSL3_READ_BYTES:sslv3 alert handshake failure; error:140940E5:SSL routines:SSL3_
READ_BYTES:ssl handshake failure) in headers.
Giving up.

ssl handshake failure means the client did not supply a correct client cert. Still the client cert I use, works in a browser.

Note: When I disable client authentication on the server, wget can connect. Note: The use of curl is suggested, but I'd like to avoid the switch.

Bart De Vos
  • I made a workaround: Define a VirtualHost in Apache without client certificate authentication, set DocRoot to the same dir and set Allow from to the localhost address. –  Oct 15 '09 at 09:24

6 Answers

11

I studied a week on this, finally with the help I got from this page.

The command I used to connect is:

wget --ca-cert=/etc/ssl/certs/winhostname.pem --certificate=/etc/ssl/private/linuxhost.pem \
     --private-key=/etc/ssl/private/linuxhost.key https://winhostname.home.net:8443/winhosturl.asmx
peterh
Wouter
4

Are you certain that SSL client certificate authentication is working against your server?

I just tested that I can take my certificate (in PKCS12 format), convert it to a cert and key file in PEM format and use it with wget just fine.

I can provoke three error conditions, none of which match what you are reporting:

  1. failing to provide my key file: 400 Bad Request
  2. providing a bad key: EVP_DecryptFinal_ex:bad decrypt from OpenSSL
  3. providing a valid cert that the server does not like: 403 forbidden

I am using nginx; you don't mention what you're using, so I'm not sure if Apache would return the same responses.

I would suggest taking your certificate and key, combining it into PKCS12 (or just importing it as PEM if your browser supports the format) and ensuring that everything is working on that front first.

If you've already done that, perhaps you can try from another machine to ensure that it's not something strange with the version of OpenSSL you're using.

Lastly, try using OpenSSL in s_client mode:

openssl s_client -cert cert.pem -key req.pem -connect host:port -debug

And see if things work at that level. If so, then something is wonky with wget and you might want to re-build or reinstall it. If not, the level of debug output may help you pinpoint the problem more so than wget's debug output would.

James F
  • I tried all your suggestions:
    1. Cert works fine in FF 3.5
    2. Server: Apache 2.2.11, OpenSSL 0.9.8i, Windows Server 2003. Client: WGET 1.11.4, OpenSSL 0.9.8k (binary), Win XP SP3
    3. From other machine: same result
    4. I received the cert from Comodo. Cert and key are all in one. I tried the following:
       openssl s_client -cert cert.pem
       openssl s_client -cert cert.pem -key key.key (extracted from cert)
       openssl s_client -cert cert.pem -key copyofcert.pem
    (Continued in next comment) –  Oct 13 '09 at 19:07
  • All gave the same error:
    error setting private key
    8584:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:.\crypto\x509\x509_cmp.c:399:
    Notice that this is a different error than above.
    –  Oct 13 '09 at 19:10
  • You're confusing your certs and keys. Until you get it to work with openssl s_client you can be sure you are passing the wrong file (contents) to wget. Look inside the files and see if they are tagged (usually are with something like ---BEGIN PRIVATE KEY--- or ---BEGIN RSA KEY--- or ---BEGIN CERTIFICATE--- ... etc.. .that will tell you what's in the files) – Ram May 29 '12 at 18:22
2

I have successfully used wget like this:

"C:\program files\GnuWin32\bin\wget" --no-check-certificate --certificate=C:\Users\Alex\xxx.pem --private-key=C:\Users\Alex\xxx.pem --input-file=retain.url --output-document=retain.xml

Note the --private-key option. retain.url has https://bla.bla.bla

However, it now prompts me with "Enter PEM pass phrase:".

If I enter the password it works OK, but does anyone know a way around the prompt?

Bart De Vos
  • Create a copy of the key without any pass phrase: openssl rsa -in key.pem -out keyout.pem – pehrs Jun 29 '10 at 22:25
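Ram's comment above (look at the BEGIN tags) and pehrs' note about the passphrase prompt both come down to knowing what is actually in the PEM file. The following is an added example, not code from this thread: a small Python script that splits a combined cert-and-key PEM bundle into its blocks, says which block belongs to --certificate and which to --private-key, and flags an encrypted key that would trigger the "Enter PEM pass phrase:" prompt. The sample bundle and its base64 bodies are constructed placeholders; whether the key cryptographically matches the certificate still has to be checked with openssl.

```python
import re

# Constructed sample of a "cert and key all in one" PEM file, as the question
# describes. The base64 bodies are placeholders, not a real certificate or key.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBxzCCAXGgAwIBAgIJAJ8placeholder
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0A1B2C3D4E5F6071

MIICXQIBAAKBgQDplaceholder
-----END RSA PRIVATE KEY-----
"""

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def split_pem(text):
    """Return (label, block text) for every PEM block found in text."""
    return [(m.group("label"), m.group(0) + "\n") for m in PEM_BLOCK.finditer(text)]

def key_is_encrypted(label, block):
    """PKCS#8 encrypted keys carry their own label; legacy keys use a Proc-Type header."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in block

def inspect_bundle(text):
    """Sort blocks into what --certificate and --private-key can each load."""
    result = {"certificates": [], "keys": [], "key_encrypted": False, "other": []}
    for label, block in split_pem(text):
        if label in CERT_LABELS:
            result["certificates"].append(block)
        elif label in KEY_LABELS:
            result["keys"].append(block)
            result["key_encrypted"] |= key_is_encrypted(label, block)
        else:
            result["other"].append(label)
    return result

def diagnose(text):
    """Findings phrased in terms of the wget behaviour seen in this thread."""
    r, notes = inspect_bundle(text), []
    if not r["certificates"]:
        notes.append("no CERTIFICATE block: nothing usable for --certificate")
    if not r["keys"]:
        notes.append("no private key block: --private-key has nothing to load")
    if r["key_encrypted"]:
        notes.append("key is passphrase-protected: expect 'Enter PEM pass phrase:'")
    if r["other"]:
        notes.append("unrecognised blocks: " + ", ".join(r["other"]))
    return notes
```

Write the first entry of `certificates` and `keys` to separate files and pass those to --certificate and --private-key; if `diagnose` reports an encrypted key, strip the passphrase with the openssl rsa command from the comment above.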
0

There have been problems with SSLv3 in versions like 0.9.8.

Try passing -no_ticket to openssl s_client, or see if -ssl2 works.

artifex
0

Is it possible wget is connecting to port 80? That error is very similar to errors I receive in testing when I accidentally had HTTP listening on 80 and 443; wget was trying to talk SSL and not getting the response it wanted.

Josh Budde
  • Nope. The URL is in a script, so it is always the same. And when I test with client auth off, but https on, it works. –  Oct 12 '09 at 19:10
0

Get a network capture and load it in Wireshark. This should give you a clearer picture of what's failing at SSL/TLS level.