Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

wget: where does it look for certificates?

Tags:

ssl

openssl

wget

I have a HTTPS-site that needs an intermediate-certificate to verify the servers SSL-certificate.

If I put the intermediate-cert into /etc/ssl/certs (and make the hash-link) then

openssl s_client -connect IP:PORT

will work. Otherwise I get a verification error.

Where does wget look for certificates? I only can make it work if I explicitly set --ca-directory in wget.

So it seems openssl looks into /etc/ssl/certs and wget does not.

Thanks!

EDIT

If I run wget with -d then I see without --ca-directory it loads about 150 certificates. With the option it is over 300. So it must be another path then openssl-default I think.

Wget 1.19.4 on linux-gnu on Debian 10

like image 227
chris01 Avatar asked Feb 23 '18 13:02

chris01

2 Answers

According to the manpage of wget:

Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.

Where's that? Turns out, that's complicated. It depends on your system, etc.

Simple ways to find out what wget actually does are

  1. reading its output:

    Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'

  2. using strace:

    strace wget https://your-url

    In the output, you can read which files wget opened, tried to open, etc.

Since strace produces quite a lot of output, you may want to limit it to certain syscalls. It looks like wget uses openat to read files, so:

strace -e openat wget https://your-url

contains the interesing lines:

openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_root.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_class3.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3

And there are even more locations it looks at, they might even be different for your system.

like image 182
YSelf Avatar answered Nov 15 '22 13:11

YSelf

I had problems with wget not finding my certificates so I installed ca-

sudo apt install ca-certificates

then I edited:

sudo vi /etc/wgetrc

and added

ca_directory=/etc/ssl/certs

or you can just use this command to append it to the end:

printf "\nca_directory=/etc/ssl/certs" | sudo tee -a /etc/wgetrc
like image 45
Jared Avatar answered Nov 15 '22 12:11

Jared
Sign in to Comment

Related questions

Download a image from SSL using curl?
Should I get Apache with no ssl or with open ssl? Can someone tell me what ssl is exactly?
how to secure POST method without using SSL?
How to make Restlet client ignore SSL Certificate problems
soapui WSDL error when adding
Has tinyca moved? What else to use for a private CA?
Writing bytes directly to OpenSSL Connection, without TCP
Get SSL Version used in HttpsURLConnection - Java
Apache proxypass https to https
How to get Charles working with Xcode 7 on SSL connections?
Connecting to Docker-Machine via docker-py on OSX
Meteor.js connection to Mongo using X509 certificate auth
How to detect SSL pinning on Android
nginx redirect multiple servers to SSL
How to set up two-way SSL in Nginx for custom location?
How do I specify local file path to my ssl keystore file in spring application.properties?
How to get RSA key from -----BEGIN CERTIFICATE----- from.crt and .pem file?
How to set HTTPS SSL Cipher Suite Preference in Spring boot embedded tomcat
How can I fetch a certificate from a URL?
Python SSL Certification Problems in Tensorflow

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!