Web lists-archives.com

Re: wget does not recognize PKI?




On 2018-08-05 14:03, Csaba Raduly wrote:
> On Sun, Aug 5, 2018 at 7:36 PM, Marco Atzeri  wrote:
>> Am 05.08.2018 um 19:12 schrieb Andrey Repin:
>>> $ wget https://ca.rootdir.org/ca.crl
>>> --2018-08-05 20:05:28--  https://ca.rootdir.org/ca.crl
>>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443...
>>> connected.
>>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>> What's going on?
>> It seems not a cygwin issue:
>> "This connection is not secure
>> The owner of ca.rootdir.org did not properly configure the site. Firefox has
>> not affiliated with this site to protect your information from theft."
> And not just Firefox :
> $ curl -v https://ca.rootdir.org/ca.crl
> * STATE: INIT => CONNECT handle 0x600057990; line 1404 (connection #-5000)
> * Added connection 0. The cache now contains 1 members
> * STATE: CONNECT => WAITRESOLVE handle 0x600057990; line 1440 (connection #0)
> *   Trying 77.50.25.68...
> * TCP_NODELAY set
> * STATE: WAITRESOLVE => WAITCONNECT handle 0x600057990; line 1521
> (connection #0)
> * Connected to ca.rootdir.org (77.50.25.68) port 443 (#0)
> * STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x600057990; line 1573
> (connection #0)
> * Marked for [keep alive]: HTTP default
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
>   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x600057990; line
> 1587 (connection #0)
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS alert, Server hello (2):
> * SSL certificate problem: self signed certificate in certificate chain
> * Marked for [closure]: Failed HTTPS connection
> * multi_done
> * stopped the pause stream!
> * Closing connection 0
> * The cache now contains 0 members
> * Expire cleared
> curl: (60) SSL certificate problem: self signed certificate in certificate chain
> More details here: https://curl.haxx.se/docs/sslcerts.html
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.

Given that it's his own domain and root cert, not surprising it's not in
Mozilla's root CA list.
Lots of business gets done using counterparty certs with organization CA roots
not in any public or central repos, or just self-signed: avoids accessing or
giving CAs any info or money and dealing with fallout from vendor issues.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple