Where do I install certificates so that wget and other MacPorts programs will find them?
Solution 1:
Create a wgetrc file containing:
ca_directory=/System/Library/OpenSSL/certs
On Linux and BSD, the file is located at ~/.wgetrc (and /etc/wgetrc system-wide). I don't know if it is the same for MacPorts.
Solution 2:
The answer above didn't resolve the issue for me, but I found a similar easy solution with MacPorts:
sudo port install curl-ca-bundle
To install the Certificate Authority bundle and then push its reference to the wget settings profile:
echo CA_CERTIFICATE=/opt/local/share/curl/curl-ca-bundle.crt >> ~/.wgetrc
Solution 3:
(Hello from 2019!) There is now a certsync port which keeps the OpenSSL certificates in sync with your system keychain, which can be installed with:
sudo port install certsync
MacPorts should create a launchd startup item to do the sync periodically, but if not, sudo port load certsync will do that (use port unload to disable it).
This might be useful, if, for example, your Mac is pre-configured by your employer with a local root CA or other man-in-the-middle certs, or you have your own CAs for other reasons. While not impossible, it would be a pain to
- extract those from your system keychain,
  - possibly converting formats with openssl x509 (ugh),
- only to dump them somewhere else on your filesystem (that you're guaranteed to forget about in six months),
- and then, potentially, also having to configure every other command-line utility to point to them (as with the /opt/local/etc/wgetrc in the other solutions here).
Note that the certsync port conflicts with curl-ca-bundle, which is in the dependency chain for many other MacPorts packages, including curl. If you try to proceed, you'll get warnings like this:
$ sudo port install certsync
Error: Can't install certsync because conflicting ports are active: curl-ca-bundle
Error: Follow https://guide.macports.org/#project.tickets to report a bug.
Error: Processing of port certsync failed
$ sudo port uninstall curl-ca-bundle
Note: It is not recommended to uninstall/deactivate a port that has dependents as
it breaks the dependents.
The following ports will break:
p11-kit @0.23.16.1_0
neomutt @20180716_0
neomutt @20180716_1
curl @7.65.3_1
subversion @1.12.2_0
Continue? [y/N]:
The "broken" ports will probably still work regardless, since certsync essentially does the job of curl-ca-bundle by concatenating all your system keychain's CAs into /opt/local/etc/openssl/cert.pem, but I can't certify that.
Still, if you only care about getting wget working, and are happy with the built-in /usr/bin/curl (which is configured to use the macOS system-wide certificate store anyway), simply installing the certsync port might be the most straightforward solution.
Source: the comments section of Fixing SSL CA certificates with OpenSSL from MacPorts (andatche.com)
Solution 4:
I can't add a comment to grawity's solution, so I guess I'll create a new answer...
grawity's solution seems to be incomplete. It worked because you had already "tried installing in /System/Library/OpenSSL/certs".
I installed OpenSSL from MacPorts (newer than the version included with my Snow Leopard install). This put a cert.pem file in /opt/local/etc/openssl/, which I could then point to with grawity's method. This is essentially what I did:
sudo port install openssl
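# The redirect must run as root too, so write through sudo tee rather than "sudo echo ... >"
echo 'ca_directory = /opt/local/etc/openssl' | sudo tee /opt/local/etc/wgetrc > /dev/null
sudo tee -a /opt/local/etc/wgetrc < /opt/local/etc/wgetrc.sample > /dev/null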
Ain's solution probably would have worked for me as well.
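The fixes in the answers above all depend on which CA path wget actually reads from its wgetrc. As an added example (not taken from any of the answers), the shell function below audits a wgetrc for those settings; the function name, the output format and the extra check_certificate test are this example's own choices, and the hash-named file count applies to OpenSSL-built wget.

```shell
#!/bin/sh
# Added example: audit the CA-related settings in a wgetrc file.
# wgetrc command names are case-, underscore- and hyphen-insensitive,
# so CA_CERTIFICATE, ca-certificate and cacertificate are one setting.

audit_wgetrc() {
    rc=$1; status=0; found=0
    [ -r "$rc" ] || { echo "MISSING $rc"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim whitespace, then skip blanks, comments and non-assignments.
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t_-' | tr '[:upper:]' '[:lower:]')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        case $key in
            cacertificate)
                found=1
                if [ -r "$val" ] && grep -q 'BEGIN CERTIFICATE' "$val"; then
                    echo "OK ca_certificate $val: $(grep -c 'BEGIN CERTIFICATE' "$val") PEM certificate(s)"
                else
                    echo "BAD ca_certificate $val: unreadable or contains no PEM certificate"
                    status=1
                fi ;;
            cadirectory)
                found=1
                if [ -d "$val" ]; then
                    # OpenSSL looks certificates up by hash-named files (c_rehash layout).
                    n=$(ls "$val" | grep -c -E '^[0-9a-f]{8}\.[0-9]+$' || true)
                    echo "OK ca_directory $val: $n hash-named file(s)"
                else
                    echo "BAD ca_directory $val: not a directory"
                    status=1
                fi ;;
            checkcertificate)
                case $(printf '%s' "$val" | tr '[:upper:]' '[:lower:]') in
                    off|no|0) echo "BAD check_certificate disabled: server certificates are not verified"
                              status=1 ;;
                esac ;;
        esac
    done < "$rc"
    [ "$found" -eq 1 ] || echo "NOTE no CA setting in $rc: wget uses its TLS library's default store"
    return "$status"
}

# Usage: sh audit_wgetrc.sh ~/.wgetrc /opt/local/etc/wgetrc
for f in "$@"; do audit_wgetrc "$f" || true; done
```

A ca_directory line that reports 0 hash-named files means the directory holds no certificates in the layout OpenSSL searches; a single bundle file such as cert.pem belongs in ca_certificate instead.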