wget fails by a certificate problem


Solution 1

The thread: Problem with certificates helped me to solve the problem.

User mirabilos explains the commands to reinstall ca-certificates:

sudo apt-get install --reinstall ca-certificates
sudo apt-get -f install
sudo dpkg --purge --force-depends ca-certificates
sudo apt-get -f install

Solution 2

You once compiled and installed openssl yourself and it still exists or maybe you removed that installation:

If the folder /usr/local/ssl/ exists, check that the file /usr/local/ssl/cert.pem exists; if not, run:

sudo ln -s /etc/ssl/certs/ca-certificates.crt /usr/local/ssl/cert.pem
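
Added example (not part of the original answer): a POSIX shell audit that generalizes the check above. It reports whether wget loads libssl/libcrypto from /usr/local and whether each openssl binary's compiled-in OPENSSLDIR holds a trust store; the three binary paths it probes are assumptions about where a self-built copy usually lands.

```shell
#!/bin/sh
# Added example: detect a leftover self-built OpenSSL that shadows the distro
# one and has no default trust store. Probed paths are assumptions.

# Print the OPENSSLDIR compiled into the openssl binary given as $1.
openssl_dir() {
    "$1" version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Succeed if directory $1 holds a default trust store OpenSSL can use:
# a non-empty cert.pem (a dangling symlink fails -s) or a populated certs/.
trust_store_ok() {
    [ -s "$1/cert.pem" ] && return 0
    [ -d "$1/certs" ] && [ -n "$(ls -A "$1/certs" 2>/dev/null)" ] && return 0
    return 1
}

# Read `ldd` output on stdin; print libssl/libcrypto paths under /usr/local.
foreign_tls_libs() {
    awk '/lib(ssl|crypto)\.so/ && $3 ~ /^\/usr\/local\// { print $3 }'
}

# Run the checks against the live system and print the findings.
audit() {
    wget_bin=$(command -v wget) || { echo "wget not found"; return 0; }
    libs=$(ldd "$wget_bin" 2>/dev/null | foreign_tls_libs)
    if [ -n "$libs" ]; then
        echo "wget loads TLS libraries outside the distro paths:"
        echo "$libs"
    else
        echo "wget loads no TLS libraries from /usr/local"
    fi
    # Assumed install locations of distro and self-built openssl binaries.
    for bin in /usr/bin/openssl /usr/local/bin/openssl /usr/local/ssl/bin/openssl; do
        [ -x "$bin" ] || continue
        dir=$(openssl_dir "$bin")
        if trust_store_ok "$dir"; then state="trust store present"
        else state="NO trust store (default verification will fail)"; fi
        echo "$bin: OPENSSLDIR=$dir -> $state"
    done
}

audit
```

A library under /usr/local combined with an OPENSSLDIR that has no trust store matches the "Unable to locally verify the issuer's authority" symptom; removing the stray build or adding the symlink from this answer restores verification without resorting to `--no-check-certificate`.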

Solution 3

I have installed it. It worked for Ubuntu 16.4 LTS

sudo apt-get install ca-certificates

Author: Sérgio

Updated on September 18, 2022

Comments

  • Sérgio
    Sérgio over 1 year

    Same problem as wget interrupted by a certificate problem:

    After do-release-upgrade from 16.04 to 18.01

    Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. 
    Check your Internet connection or proxy settings
    

    wget https://changelogs.ubuntu.com/meta-release-lts

    --2018-09-15 08:03:41--  https://changelogs.ubuntu.com/meta-release-lts
    Resolving changelogs.ubuntu.com (changelogs.ubuntu.com)... 91.189.95.15, 2001:67c:1560:8008::11
    Connecting to changelogs.ubuntu.com (changelogs.ubuntu.com)|91.189.95.15|:443... connected.
    ERROR: cannot verify changelogs.ubuntu.com's certificate, issued by ‘CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US’:
      Unable to locally verify the issuer's authority.
    To connect to changelogs.ubuntu.com insecurely, use `--no-check-certificate'.
    

    Also (as root):

    # update-ca-certificates
    
    Updating certificates in /etc/ssl/certs...
    0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...
    done.
    

    # wget https://www.google.com/
    
    --2018-09-16 16:54:31--  https://www.google.com/
    Resolving www.google.com (www.google.com)... 216.58.201.164, 2a00:1450:4003:80a::2004
    Connecting to www.google.com (www.google.com)|216.58.201.164|:443... connected.
    ERROR: cannot verify www.google.com's certificate, issued by ‘CN=Google Internet Authority G3,O=Google Trust Services,C=US’:
      Unable to locally verify the issuer's authority.
    To connect to www.google.com insecurely, use `--no-check-certificate'.
    

    Update 2018-10-23:

    openssl s_client -connect www.google.com:443 -debug
    

    fails

    openssl s_client  -connect www.google.com:443 --debug --CApath /etc/ssl/certs/  
    

    works

     wget https://www.google.com/  --ca-directory=/etc/ssl/certs/ 
    

    works, so why is the default ca-directory not /etc/ssl/certs/? and do I set it?

    New Update and solved:

    strace -e openat wget https://your-url
    

    I saw that it was using /usr/local/lib/libssl.so.1.1, so I found one openssl installed on /usr/local, and after deleting it, the problem was fixed.

    Thanks

    • Thomas
      Thomas over 5 years
      Any special configuration involved in /etc/wgetrc or ${HOME}/.wgetrc? Also try to reinstall wget with sudo apt-get install --reinstall wget.
    • Sérgio
      Sérgio over 5 years
      No, ${HOME}/.wgetrc does not exist and /etc/wgetrc is unchanged; reinstalling wget didn't solve the issue
    • Ben
      Ben over 5 years
      Are there actually any certificates in /etc/ssl/certs/ca-certificates.crt ?
    • Sérgio
      Sérgio over 5 years
      ll -h /etc/ssl/certs/ca-certificates.crt
      -rw-r--r-- 1 root root 203K set 17 02:46 /etc/ssl/certs/ca-certificates.crt
    • sudo
      sudo over 2 years
      openssl version -a is a good command for situations like this; you can see if OPENSSLDIR is set incorrectly (which it probably was for your dud copy in /usr/local/lib)
  • Sérgio
    Sérgio about 3 years
    I saw that it was using /usr/local/lib/libssl.so.1.1, so I found one openssl installed on /usr/local, and after deleting it, the problem was fixed.
  • Winfried
    Winfried about 3 years
    Normally, I never type 'thank you' comments. But I've been searching for 5 days for the solution on how a manually installed openssl which was then removed and restored back to an 'apt'-installed openssl can be used. I kept getting certificate invalid errors. This helped me a lot: Thank you!