4

Basically, I was testing different versions of OpenSSL, and somewhere in the process broke wget's path to certificates.

wget https://www.google.com 

Now results in:

ERROR: cannot verify www.google.com's certificate, issued by 'CN=Google Internet Authority G2,O=Google Inc,C=US':
Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.

Which makes me think that wget doesn't know where to look for certificates, as ca-certificates is installed and if I set export SSL_CERT_DIR=/etc/ssl/certs everything works until reboot.

How can I permanently fix this? I want to revert to the original state, where wget automatically knows where to check certificates.

I can probably set this export on boot, but what is the right place, where it originally was?

Edit:

On another server, I've checked and there is no SSL_CERT_DIR variable in the environment, yet wget works correctly. How does wget know where to look for certificates?

JonathanDavidArndt
Ilya

5 Answers

4

Usually, the distribution will specify this in the global wgetrc file. For example, Arch Linux has this in /etc/wgetrc:

ca_certificate=/etc/ssl/certs/ca-certificates.crt

So, just find where your certificates live, and pass it to wgetrc.

darnir
  • Hey, I changed to ca_directory=/etc/ssl/certs/ and it works. Thanks! Yet, on the other server everything is the same, and without an extra .wgetrc file, wget works. Will research further – Ilya Feb 07 '18 at 13:36
  • If you have trouble locating these files, I used `locate wgetrc` and `locate ca-certificates.crt` to confirm where both the certificate file and wgetrc file are located. – Norman Breau Dec 06 '18 at 02:39
1

It is set at ./configure time by the --openssldir option. wget will look for certificates in that directory.

You can find more on that here: https://unix.stackexchange.com/a/200058/39382

BlackPioter
  • Hey, I've checked my other servers, and `openssl version -d` returns /usr/local/ssl/, however there is no certs folder. Actual folder is in /etc/ssl/certs, but somehow wget works. I'm definitely missing something – Ilya Feb 07 '18 at 13:14
  • It makes sense, and should work, but even after I added symlinks from `etc/ssl/certs` to `/usr/local/ssl` (which is my openssldir), wget refuses to work. – Ilya Feb 07 '18 at 13:37
  • Hey, you're right about openssldir, the problem is that wget looks in `usr/lib/ssl/certs`, instead of `/usr/local/ssl`. Temporarily added symlink, but perhaps it's better to recompile and keep everything in '/usr'. I guess other packages can also break in the same way. – Ilya Feb 07 '18 at 14:23
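
The lookup discussed in this answer and its comments, as an added example that is not part of the original thread: it reads the compiled-in directory from `openssl version -d`, applies the `SSL_CERT_FILE` / `SSL_CERT_DIR` overrides, and reports which trust sources are actually usable. The function names are hypothetical, and the script inspects the `openssl` binary on `PATH`, which may be a different build from the library wget is linked against.

```shell
#!/bin/sh
# Added example (not from the thread): show which CA locations an
# OpenSSL-linked client such as wget falls back to.

# Extract the path from `openssl version -d` output,
# e.g.  OPENSSLDIR: "/usr/local/ssl"  ->  /usr/local/ssl
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# List usable trust sources for OPENSSLDIR $1; return 1 if there are none.
# SSL_CERT_FILE / SSL_CERT_DIR, when set, replace the built-in defaults
# $1/cert.pem and $1/certs. Assumption: SSL_CERT_DIR holds one directory.
ca_sources() {
    file=${SSL_CERT_FILE:-$1/cert.pem}
    path=${SSL_CERT_DIR:-$1/certs}
    status=1
    if [ -s "$file" ]; then
        echo "file $file"
        status=0
    fi
    # OpenSSL looks certificates up in a directory by subject hash, so the
    # directory only counts if it holds <8 hex digits>.<n> entries.
    if [ -d "$path" ] && ls "$path" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
        echo "dir $path"
        status=0
    fi
    return $status
}

# Report for the openssl binary on PATH (wget may link a different build).
if command -v openssl >/dev/null 2>&1; then
    d=$(parse_openssldir "$(openssl version -d)")
    echo "OPENSSLDIR: $d"
    ca_sources "$d" || echo "no usable CA file or hashed CA directory"
fi
```

A directory that exists but contains only plainly named certificate files is reported as unusable, because the hash-named links are missing.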
0

This can be related to the LetsEncrypt root CA expiry:

https://stackoverflow.com/questions/21181231/server-certificate-verification-failed-cafile-etc-ssl-certs-ca-certificates-c/69562796#69562796

Just

  • update openssl version>1.0.2
  • disable DST_Root_CA_X3 in /etc/ca-certificates.conf
  • install new X1 root CA
Arunas Bartisius
0

The solution here fixed my issue with this.

Basically, you use your package manager to install/upgrade your ca-certificates.

sudo yum install ca-certificates
Fred
0

On macOS, you can point wget to the cert.pem file with this:

wget --ca-certificate=/etc/ssl/cert.pem

or in your .wgetrc:

ca-certificate = /etc/ssl/cert.pem

This works on macOS 10.14; other versions with the file in the same place should ostensibly work.

Demitri