Why doesn't wget verify SSL certificates?
I have a problem with my Fedora 8 installation. It looks like wget doesn't know how to verify SSL certificates any more. It's strange because I have another Fedora 8 box which I believe has the same configuration and it works!
How can I make it work without using the --no-check-certificate switch?
This is a sample output:
wget https://www.google.com
--2011-09-23 00:11:13-- https://www.google.com/
Resolving www.google.com... 74.125.230.146, 74.125.230.147, 74.125.230.148, ...
Connecting to www.google.com|74.125.230.146|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by `/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA':
Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
EDIT
I have this file /etc/pki/tls/certs/ca-bundle.crt and when I run wget with the --ca-certificate switch pointing to this file everything goes fine. Where should this file be placed so that I don't need to use the switch?
BTW: curl and links work fine, but lynx also complains: "SSL error:unable to get local issuer certificate" so this is not only wget's issue...
By default wget will check for certificates in the path defined in the openssl conf file /etc/pki/tls/openssl.cnf (not sure whether the path is correct for fc8). Please check the openssl configuration file and confirm that the paths are correct. Maybe it is openssl that needs to be corrected.
I had problems with wget not finding my certificates so I installed ca-certificates
sudo apt install ca-certificates
then I edited:
sudo vi /etc/wgetrc
and added
ca_directory=/etc/ssl/certs
or you can just use this command to append it to the end:
printf "\nca_directory=/etc/ssl/certs" | sudo tee -a /etc/wgetrc
Your system doesn't trust the signature chain for Google's cert.
They also aren't presenting the full certificate chain, just their issuer's certificate; not 100% up to par, but certainly nothing that should stop you from validating the chain.
Your ancient system is likely to have an equally ancient set of trusted root certificate authorities.
Trust the right VeriSign cert (here), and you should be good.
You need to gather a list of the root certificates that you wish to trust and tell wget how to find them using either the --ca-certificate or --ca-directory option. You may already have one in /etc/pki/tls/certs if you have the appropriate package installed.
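
The question asks where the bundle has to live so that no switch is needed. The following is an added example, not part of the thread: it assumes a wget linked against OpenSSL that relies on the library's default verify paths, which are cert.pem and certs/ under the directory printed by `openssl version -d`, unless SSL_CERT_FILE or SSL_CERT_DIR override them. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: what do OpenSSL's default CA locations contain on this box?

# Print OPENSSLDIR as reported by the openssl CLI (e.g. /etc/pki/tls on Fedora).
openssl_dir() {
    openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Number of PEM certificates in a bundle file; 0 if it is missing or unreadable.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Number of usable hash-named entries (xxxxxxxx.N) in a CA directory.
# OpenSSL only finds certificates in a directory through these names, and a
# dangling symlink counts as missing.
count_hashed_certs() {
    n=0
    for f in "$1"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                if [ -e "$f" ]; then n=$((n + 1)); fi ;;
        esac
    done
    echo "$n"
}

# Report what the default verify paths under OPENSSLDIR ($1) actually contain.
# Assumption: SSL_CERT_DIR, if set, names a single directory.
default_trust_status() {
    dir=${1:-$(openssl_dir)}
    file=${SSL_CERT_FILE:-$dir/cert.pem}
    cdir=${SSL_CERT_DIR:-$dir/certs}
    nfile=$(count_pem_certs "$file")
    ndir=$(count_hashed_certs "$cdir")
    echo "file=$file certs=$nfile"
    echo "dir=$cdir hashed=$ndir"
    if [ "$nfile" -gt 0 ] || [ "$ndir" -gt 0 ]; then
        echo "status=ok"
    else
        echo "status=empty"
    fi
}
```

Calling default_trust_status with no argument inspects the local OpenSSL installation. A result of status=empty while ca-bundle.crt is populated means the bundle is present but not at either default location, which matches the behaviour in the question.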