Web lists-archives.com

Re: wget does not recognize PKI?




Greetings, Lee!

> On 8/5/18, Andrey Repin wrote:
>> Greetings, All!

> Greetings, Andrey Repin!

>> $ wget https://ca.rootdir.org/ca.crl
>> --2018-08-05 20:05:28--  https://ca.rootdir.org/ca.crl
>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443...
>> connected.
>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>
>> $ "$( which wget )" --version
>> GNU Wget 1.19.1 built on cygwin.
>>
>> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
>> +opie +psl +ssl/gnutls
>>
>> The root CA certificate is correctly installed and hashed.

> Apparently not.

curl and openssl sees it.
Both Cygwin and native openssl.

> Does it work if you tell wget to use your root CA cert?
> ‘--ca-certificate=FILE’

It does, of course, but why doesn't it see the PKI by itself?

$ wget --ca-certificate=/etc/ssl/certs/dd07c56a.0 https://ca.rootdir.org/ca.crl
--2018-08-06 12:46:14--  https://ca.rootdir.org/ca.crl
Loaded CA certificate '/etc/ssl/certs/dd07c56a.0'
Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 872 [application/octet-stream]
Saving to: ‘ca.crl’

ca.crl                   100%[================================>]     872  --.-KB/s    in 0s

2018-08-06 12:46:14 (18.0 MB/s) - ‘ca.crl’ saved [872/872]

>      Use FILE as the file with the bundle of certificate authorities
>      (“CA”) to verify the peers.  The certificates must be in PEM
>      format.

>      Without this option Wget looks for CA certificates at the
>      system-specified locations, chosen at OpenSSL installation time.

> & you probably have, but to be sure.. you looked at 'info
> update-ca-trust' - right?

No. Hashing /etc/ssl/certs has been enough for a long while.
I followed the directions, and it indeed fixed the issue, but I'm surprised by
the change in behavior.


-- 
With best regards,
Andrey Repin
Monday, August 6, 2018 12:44:13

Sorry for my terrible english...