Using client certificates with wget

I studied a week on this, finally with the help I got from this page.

The command I used to connect is:

wget --ca-cert=/etc/ssl/certs/winhostname.pem --certificate=/etc/ssl/private/linuxhost.pem \
     --private-key=/etc/ssl/private/linuxhost.key https://winhostname.home.net:8443/winhosturl.asmx

Are you certain that SSL client certificate authentication is working against your server?

I just tested that I can take my certificate (in PKCS12 format), convert it to a cert and key file in PEM format and use it with wget just fine.

I can provoke three error conditions, none of which match what you are reporting:

  1. failing to provide my key file: 400 Bad Request
  2. providing a bad key: EVP_DecryptFinal_ex:bad decrypt from OpenSSL
  3. providing a valid cert that the server does not like: 403 Forbidden

I am using nginx; you don't mention what you're using, so I'm not sure if Apache would return the same responses.

I would suggest taking your certificate and key, combining it into PKCS12 (or just importing it as PEM if your browser supports the format) and ensuring that everything is working on that front first.

If you've already done that, perhaps you can try from another machine to ensure that it's not something strange with the version of OpenSSL you're using.

Lastly, try using OpenSSL in s_client mode:

openssl s_client -cert cert.pem -key req.pem -connect host:port -debug

And see if things work at that level. If so, then something is wonky with wget and you might want to re-build or reinstall it. If not, the level of debug output may help you pinpoint the problem more so than wget's debug output would.
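The local causes discussed above (a key that cannot be read, or a key that does not belong to the certificate) can be ruled out before any connection is made. The following is an added example, not part of the original posts; the function names and the `CLIENT_KEY_PASS` environment variable are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks on a PEM client certificate and key before
# handing them to wget. The function names and CLIENT_KEY_PASS are placeholders
# chosen for this example, not something wget or OpenSSL defines.

# True when the PEM key file is passphrase-protected
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# check_client_pair CERT KEY
# The passphrase, if any, is read from $CLIENT_KEY_PASS so that it never
# appears in the process argument list.
# Returns: 0  key belongs to the certificate
#          1  key does not belong to the certificate
#          2  certificate file cannot be parsed
#          3  key cannot be read (encrypted with no or wrong passphrase, or not a key)
check_client_pair() {
    local cert=$1 key=$2 cert_pub key_pub

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2

    # An encrypted key with no passphrase available is where an interactive
    # client stops at "Enter PEM pass phrase:"; report it instead of prompting.
    if key_is_encrypted "$key" && [ -z "${CLIENT_KEY_PASS:-}" ]; then
        return 3
    fi

    # Public key derived from the private key.
    key_pub=$(CLIENT_KEY_PASS="${CLIENT_KEY_PASS:-}" \
        openssl pkey -in "$key" -pubout -passin env:CLIENT_KEY_PASS 2>/dev/null) || return 3

    # The pair is usable only if both public keys are identical.
    [ "$cert_pub" = "$key_pub" ] || return 1
}
```

If `check_client_pair cert.pem key.pem` returns 0 and the request still fails, the problem is on the server side or in the TLS exchange, which is what the `s_client` output helps narrow down.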


I have successfully used wget like this:

"C:\program files\GnuWin32\bin\wget" --no-check-certificate --certificate=C:\Users\Alex\xxx.pem --private-key=C:\Users\Alex\xxx.pem --input-file=retain.url --output-document=retain.xml

Note the --private-key option. retain.url has https://bla.bla.bla

However, it now prompts me with "Enter PEM pass phrase:".

If I enter the password it works OK, but does anyone know a way around the prompt?