How to make wget trust my self signed certificate (without using --no-check-certificate)?
I'd try the --ca-directory=directory option:
wget --ca-directory=/etc/ssl/certs https://graphite.local
From the wget manual:
Specifies directory containing CA certificates in PEM format. Each file contains one CA certificate, and the file name is based on a hash value derived from the certificate. This is achieved by processing a certificate directory with the c_rehash utility supplied with OpenSSL. Using ‘--ca-directory’ is more efficient than ‘--ca-certificate’ when many certificates are installed because it allows Wget to fetch certificates on demand.
Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.
Greg Petersen
Updated on September 18, 2022

Comments
- Greg Petersen over 1 year

  - Ubuntu 12.04
  - OpenSSL 1.0.1 14
  - Wget 1.13.4

  My setup:

  - create our own CA (our_own_ca.crt)
  - generate a certificate which is signed with the above CA (graphite.local.crt)
  - concatenate that cert and the CA cert into a bundle file

  Nginx configuration:

      ssl_certificate /etc/ssl/certs/graphite.local.crt;
      ssl_certificate_key /etc/ssl/certs/graphite.local.key;
      ssl_client_certificate /etc/ssl/certs/our_own_ca_chained.crt;

  with:

      our_own_ca_chained.crt = graphite.local.crt + our_own_ca.crt

  To install this CA into the trusted store, according to /usr/share/doc/ca-certificates/README.Debian, I just need to copy it to /usr/local/share/ca-certificates/, then run update-ca-certificates. Here's the output:

      Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
      Running hooks in /etc/ca-certificates/update.d....
      Warning: there was a problem reading the certificate file /etc/ssl/certs/our_own_ca.pem. Message:
      Extensions not allowed in v2 certificate
      done.
      done.

  After that, we have something like below in /etc/ssl/certs:

      lrwxrwxrwx 1 root root 17 Mar 11 05:27 99ff557c.0 -> our_own_ca.pem
      lrwxrwxrwx 1 root root 17 Mar 11 05:27 dc79b3f0.0 -> our_own_ca.pem
      lrwxrwxrwx 1 root root 50 Mar 11 05:27 our_own_ca.pem -> /usr/local/share/ca-certificates/our_own_ca.crt

  then curl worked:

      curl -I https://graphite.local
      HTTP/1.1 302 FOUND
      Server: nginx
      Date: Wed, 11 Mar 2015 05:30:30 GMT
      Content-Type: text/html; charset=utf-8
      Connection: keep-alive
      Vary: Cookie
      Location: https://graphite.local/account/login?next=/
      Strict-Transport-Security: max-age=15768000

  but wget does not:

      wget https://graphite.local
      --2015-03-11 05:31:22--  https://graphite.local/
      Resolving graphite.local (graphite.local)... 127.0.0.1
      Connecting to graphite.local (graphite.local)|127.0.0.1|:443... connected.
      ERROR: cannot verify graphite.local's certificate, issued by `xxx':
        Self-signed certificate encountered.
      To connect to graphite.local insecurely, use `--no-check-certificate'.

  I also tried to use --ca-certificate but got the same error. Did I miss something?
- David C. over 2 years

  Doesn't work. /etc/ssl/certs is the system-specified location. I also tried manually running sudo c_rehash to do the processing Wget wants, but that didn't seem to help either.