wget: where does it look for certificates?

ssl openssl wget
15,092

Solution 1

According to the manpage of wget:

Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.

Where's that? Turns out, that's complicated. It depends on your system, etc.

Simple ways to find out what wget actually does are

  1. reading its output:

    Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'

  2. using strace:

    strace wget https://your-url

    In the output, you can read which files wget opened, tried to open, etc.

Since strace produces quite a lot of output, you may want to limit it to certain syscalls. It looks like wget uses openat to read files, so:

strace -e openat wget https://your-url

contains the interesing lines:

openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_root.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_class3.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3

And there are even more locations it looks at, they might even be different for your system.

Solution 2

I had problems with wget not finding my certificates so I installed ca-

sudo apt install ca-certificates

then I edited:

sudo vi /etc/wgetrc

and added

ca_directory=/etc/ssl/certs

or you can just use this command to append it to the end:

printf "\nca_directory=/etc/ssl/certs" | sudo tee -a /etc/wgetrc
Share:
15,092
chris01
Author by

chris01

Updated on June 18, 2022

Comments

  • chris01
    chris01 almost 2 years

    I have a HTTPS-site that needs an intermediate-certificate to verify the servers SSL-certificate.

    If I put the intermediate-cert into /etc/ssl/certs (and make the hash-link) then

    openssl s_client -connect IP:PORT

    will work. Otherwise I get a verification error.

    Where does wget look for certificates? I only can make it work if I explicitly set --ca-directory in wget.

    So it seems openssl looks into /etc/ssl/certs and wget does not.

    Thanks!

    EDIT

    If I run wget with -d then I see without --ca-directory it loads about 150 certificates. With the option it is over 300. So it must be another path then openssl-default I think.

    Wget 1.19.4 on linux-gnu on Debian 10

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to make wget trust my self signed certificate (without using --no-check-certificate)?
Wget, self signed cert and --no-check-certificate not working
Ubuntu 11.10, using wget/curl fails with ssl
"Issued certificate not yet valid." with wget?
how to download the ssl certificate from a website?
OpenSSL: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
Unable to establish SSL connection, how do I fix my SSL cert?
Cannot connect to wss with Flutter
ssl SSLError outines:SSL_CTX_use_certificate_chain_file:PEM lib
python3 and requests: still getting 'sslv3 alert handshake failure'