Why doesn't wget verify SSL certificates?

I have a problem with my Fedora 8 installation. It looks like wget doesn't know how to verify SSL certificates any more. It's strange because I have another Fedora 8 box which I believe has the same configuration and it works!

How can I make it work without using the --no-check-certificate switch?

This is a sample output:

wget https://www.google.com
--2011-09-23 00:11:13--  https://www.google.com/
Resolving www.google.com... 74.125.230.146, 74.125.230.147, 74.125.230.148, ...
Connecting to www.google.com|74.125.230.146|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by `/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA':
  Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

EDIT

I have this file, /etc/pki/tls/certs/ca-bundle.crt, and when I run wget with the --ca-certificate switch pointing to this file everything goes fine. Where should this file be placed so that I don't need to use the switch?

BTW: curl and links work fine, but lynx also complains: "SSL error:unable to get local issuer certificate" so this is not only wget's issue...


By default wget will check for certificates in the path defined in the openssl conf file /etc/pki/tls/openssl.cnf (not sure whether the path is correct for fc8). Please check the openssl configuration file and confirm that the paths are correct. Maybe it is openssl that needs to be corrected.


I had problems with wget not finding my certificates so I installed ca-certificates

sudo apt install ca-certificates

then I edited:

sudo vi /etc/wgetrc

and added

ca_directory=/etc/ssl/certs

or you can just use this command to append it to the end:

printf "\nca_directory=/etc/ssl/certs" | sudo tee -a /etc/wgetrc

Your system doesn't trust the signature chain for Google's cert.

They also aren't presenting the full certificate chain, just their issuer's certificate; not 100% up to par, but certainly nothing that should stop you from validating the chain.

Your ancient system is likely to have an equally ancient set of trusted root certificate authorities.

Trust the right VeriSign cert (here), and you should be good.


You need to gather a list of the root certificates that you wish to trust and tell wget how to find them using either the --ca-certificate or --ca-directory option. You may already have one in /etc/pki/tls/certs if you have the appropriate package installed.
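
An added diagnostic sketch (not from the question or any of the answers above) that checks the places discussed on this page: the OpenSSL default directory, the two CA paths mentioned, and any ca_certificate / ca_directory setting in wgetrc. It assumes wget is linked against OpenSSL, which looks up a CA directory by hash-named files such as 4a6481c9.0; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not part of wget or OpenSSL.

# Print CA settings from a wgetrc file as "ca_certificate PATH" or
# "ca_directory PATH". wgetrc commands ignore case, "_" and "-".
wgetrc_ca_settings() {
    [ -r "$1" ] || return 0
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t_-]/, "", key)             # normalise the command name
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "cacertificate") print "ca_certificate " val
            if (key == "cadirectory")   print "ca_directory " val
        }' "$1"
}

# Classify a CA path: "bundle" (file with at least one PEM certificate),
# "hashdir" (directory with OpenSSL hash-named entries), "empty" or "missing".
ca_path_status() {
    if [ -f "$1" ]; then
        if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo bundle; else echo empty; fi
    elif [ -d "$1" ]; then
        if ls "$1" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then echo hashdir; else echo empty; fi
    else
        echo missing
    fi
}

# Report every location a CA list could come from on this machine.
diagnose() {
    # OPENSSLDIR normally holds the default cert.pem bundle and certs/ directory.
    ossl_dir=$(openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    for p in "$ossl_dir/cert.pem" "$ossl_dir/certs" \
             /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs; do
        echo "$p: $(ca_path_status "$p")"
    done
    for rc in /etc/wgetrc "$HOME/.wgetrc"; do
        wgetrc_ca_settings "$rc" | while read -r key path; do
            echo "$rc: $key=$path ($(ca_path_status "$path"))"
        done
    done
}

if [ "${1:-}" = "--run" ]; then diagnose; fi
```

A path reported as "empty" or "missing" is one OpenSSL cannot use to find the issuer; a directory full of certificates still counts as "empty" here until it has been rehashed into hash-named links.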