Where do I install certificates so that wget and other MacPorts programs will find them?

Solution 1:

Create a wgetrc file containing:

ca_directory=/System/Library/OpenSSL/certs

On Linux and BSD, the file is located at ~/.wgetrc (and /etc/wgetrc system-wide). I don't know if it is the same for MacPorts.

Solution 2:

The answer above didn't resolve the issue for me, but I found a similar easy solution with MacPorts:

sudo port install curl-ca-bundle

To install the Certificate Authority bundle and then push its reference to the wget settings profile:

echo CA_CERTIFICATE=/opt/local/share/curl/curl-ca-bundle.crt >> ~/.wgetrc

Solution 3:

(Hello from 2019!) There is now a certsync port which keeps the OpenSSL certificates in sync with your system keychain, which can be installed with:

sudo port install certsync

MacPorts should create a launchd startup item to do the sync periodically, but if not, sudo port load certsync will do that (use port unload to disable it).

This might be useful, if, for example, your Mac is pre-configured by your employer with a local root CA or other man-in-the-middle certs, or you have your own CAs for other reasons. While not impossible, it would be a pain to

  1. extract those from your system keychain,
    • possibly converting formats with openssl x509 (ugh),
  2. only to dump them somewhere else on your filesystem (that you're guaranteed to forget about in six months),
  3. and then, potentially, also having to configure every other command-line utility to point to them (as with the /opt/local/etc/wgetrc in the other solutions here).

Note that the certsync port conflicts with curl-ca-bundle, which is in the dependency chain for many other MacPorts packages, including curl. If you try to proceed, you'll get warnings like this:

$ sudo port install certsync

Error: Can't install certsync because conflicting ports are active: curl-ca-bundle
Error: Follow https://guide.macports.org/#project.tickets to report a bug.
Error: Processing of port certsync failed

$ sudo port uninstall curl-ca-bundle
Note: It is not recommended to uninstall/deactivate a port that has dependents as
it breaks the dependents.
The following ports will break:
 p11-kit @0.23.16.1_0
 neomutt @20180716_0
 neomutt @20180716_1
 curl @7.65.3_1
 subversion @1.12.2_0
Continue? [y/N]:

The "broken" ports will probably still work regardless, since certsync essentially does the job of curl-ca-bundle by concatenating all your system keychain's CAs into /opt/local/etc/openssl/cert.pem, but I can't certify that.

Still, if you only care about getting wget working, and are happy with the built-in /usr/bin/curl (which is configured to use the macOS system-wide certificate store anyway), simply installing the certsync port might be the most straightforward solution.

Source: the comments section of Fixing SSL CA certificates with OpenSSL from MacPorts (andatche.com)

Solution 4:

I can't add a comment to grawity's solution, so I guess I'll create a new answer...

grawity's solution seems to be incomplete. It worked because you had already "tried installing in /System/Library/OpenSSL/certs".

I installed OpenSSL from MacPorts (newer than the version included with my Snow Leopard install). This put a cert.pem file in /opt/local/etc/openssl/, which I could then point to with grawity's method. This is essentially what I did:

sudo port install openssl
# the redirection has to run as root as well, not only the echo/cat
sudo sh -c 'echo "ca_directory = /opt/local/etc/openssl" > /opt/local/etc/wgetrc'
sudo sh -c 'cat /opt/local/etc/wgetrc.sample >> /opt/local/etc/wgetrc'

Ain's solution probably would have worked for me as well.
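The answers above each write a single directive into a wgetrc by hand, and they disagree about which bundle path to use. As an added example (not code from any of the answers or from MacPorts), the following POSIX shell script checks the candidate bundle paths named on this page plus the macOS default /etc/ssl/cert.pem, keeps the first one that exists and actually contains PEM certificates, and writes a single ca_certificate line into a wgetrc, replacing any earlier ca_certificate or ca_directory lines so that leftovers from one answer do not fight the next. The function names and the candidate list are this example's own assumptions; the PEM body in the usage comment is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example: locate a usable CA bundle and point wget at it via wgetrc.
# Nothing here is taken from the answers above; paths and names are assumptions.

# Print the number of PEM certificate blocks in a file (0 if unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return; }
    # grep -c exits 1 when the count is 0 but still prints "0"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the first readable candidate that holds at least one certificate.
# Returns 1 (prints nothing) if none of the candidates qualifies.
find_ca_bundle() {
    for candidate in "$@"; do
        if [ "$(count_pem_certs "$candidate")" -gt 0 ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Write "ca_certificate = <bundle>" into the wgetrc given as $2, dropping any
# existing ca_certificate / ca_directory lines (wget reads the keys
# case-insensitively and also accepts the hyphenated spellings, so match all).
write_wgetrc() {
    bundle=$1
    rc=$2
    tmp=$(mktemp)
    if [ -f "$rc" ]; then
        grep -v -i -E '^[[:space:]]*ca[_-]?(certificate|directory)[[:space:]]*=' "$rc" > "$tmp" || true
    fi
    printf 'ca_certificate = %s\n' "$bundle" >> "$tmp"
    mv "$tmp" "$rc"
}

# Usage on a MacPorts machine (assumed paths; the last is the macOS default):
#   bundle=$(find_ca_bundle /opt/local/etc/openssl/cert.pem \
#                           /opt/local/share/curl/curl-ca-bundle.crt \
#                           /etc/ssl/cert.pem) || { echo "no CA bundle found" >&2; exit 1; }
#   write_wgetrc "$bundle" "$HOME/.wgetrc"
#   wget -O /dev/null https://example.com/   # certificate verification should now pass
```

The grep-based count only proves the file looks like a PEM bundle; if you want to be sure every block parses, run `openssl crl2pkcs7 -nocrl -certfile "$bundle" | openssl pkcs7 -print_certs -noout` on the chosen file before writing the wgetrc. Note also that ca_directory (used in Solutions 1 and 4) expects a directory of hash-named certificates as produced by c_rehash, whereas ca_certificate takes a single concatenated file, which is why this script writes the latter.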