Using client certificates with wget
I studied a week on this, finaly with the help I got from this page.
The command I used to connect is:
wget --ca-cert=/etc/ssl/certs/winhostname.pem --certificate=/etc/ssl/private/linuxhost.pem \
--private-key=/etc/ssl/private/linuxhost.key https://winhostname.home.net:8443/winhosturl.asmx
Are you certain that SSL client certificate authentication is working against your server?
I just tested that I can take my certificate (in PKCS12 format), convert it to a cert and key file in PEM format and use it with wget just fine.
I can provoke three error conditions, none of which match what you are reporting:
- failing to provide my key file: 400 Bad Request
- providing a bad key: EVP_DecryptFinal_ex:bad decrypt from OpenSSL
- providing a valid cert that the server does not like: 403 forbidden
I am using nginx; you don't mention what you're using, so I'm not sure if Apache would return the same responses.
I would suggest taking your certificate and key, combining it into PKCS12 (or just importing it as PEM if your browser supports the format) and ensuring that everything is working on that front first.
If you've already done that, perhaps you can try from another machine to ensure that it's not something strange with the version of OpenSSL you're using.
Lastly, try using OpenSSL in s_client mode:
openssl s_client -cert cert.pem -key req.pem -connect host:port -debug
And see if things work at that level. If so, then something is wonky with wget and you might want to re-build or reinstall it. If not, the level of debug output may help you pinpoint the problem more so than wget's debug output would.
I have successfully used wget like this:
"C:\program files\GnuWin32\bin\wget" --no-check-certificate --certificate=C:\Users\Alex\xxx.pem --private-key=C:\Users\Alex\xxx.pem --input-file=retain.url --output-document=retain.xml
Note the --private-key option
. retain.url has https://bla.bla.bla
However, it now prompts me with "Enter PEM pass phrase:".
If I enter the password it works OK, but does anyone know a way around the prompt?