wget: where does it look for certificates?
Solution 1
According to the manpage of wget:
Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.
Where's that? Turns out, that's complicated. It depends on your system, etc.
Simple ways to find out what wget actually does are
- reading its output:
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
- using strace:
strace wget https://your-url
In the output, you can read which files wget opened, tried to open, etc.
Since strace produces quite a lot of output, you may want to limit it to certain syscalls. It looks like wget uses openat to read files, so:
strace -e openat wget https://your-url
contains the interesting lines:
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_root.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_class3.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
And there are even more locations it looks at; they might even be different for your system.
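The strace approach above can be condensed into a filter that lists only the certificate and trust-store files the process touched, and whether each open succeeded. This is an added example, not part of the original answer; the function names, the path heuristic and the two trace lines marked as constructed are assumptions.

```shell
#!/bin/sh
# Reads `strace -e openat` output on stdin and prints "STATUS<TAB>path"
# for every certificate-looking file or directory the process tried to open.
# Live use (strace writes to stderr):
#   strace -e openat wget https://your-url 2>&1 | ca_files_from_strace
ca_files_from_strace() {
  awk '
    /openat\(/ {
      # The first quoted string on the line is the path argument.
      if (!match($0, /"[^"]+"/)) next
      path = substr($0, RSTART + 1, RLENGTH - 2)
      # Heuristic (assumption): trust material by extension or by directory.
      is_cert = (path ~ /\.(crt|pem|cer|p11-kit)$/) ||
                ((path "/") ~ /\/(certs|ca-certificates|trust-source)\//)
      if (!is_cert) next
      # The return value follows the last " = "; skip unfinished calls.
      n = split($0, parts, / = /)
      if (n < 2) next
      status = (parts[n] ~ /^-1/) ? "MISSING" : "OPENED"
      key = status "\t" path
      if (!(key in seen)) { seen[key] = 1; print key }
    }
  '
}

# Sample trace: lines 3-6 are the ones quoted in the answer above,
# lines 1-2 are constructed for this example.
sample_trace() {
  cat <<'EOF'
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_root.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_class3.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
EOF
}

sample_trace | ca_files_from_strace
```

A MISSING entry is a location the TLS library probed but did not find, which is often the quickest hint about which default path the binary was built to expect.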
Solution 2
I had problems with wget not finding my certificates so I installed ca-
sudo apt install ca-certificates
then I edited:
sudo vi /etc/wgetrc
and added
ca_directory=/etc/ssl/certs
or you can just use this command to append it to the end:
printf "\nca_directory=/etc/ssl/certs" | sudo tee -a /etc/wgetrc
chris01
Updated on June 18, 2022
Comments
-
chris01 almost 2 years
I have an HTTPS site that needs an intermediate certificate to verify the server's SSL certificate.
If I put the intermediate-cert into /etc/ssl/certs (and make the hash-link) then
openssl s_client -connect IP:PORT
will work. Otherwise I get a verification error.
Where does wget look for certificates? I only can make it work if I explicitly set --ca-directory in wget.
So it seems openssl looks into /etc/ssl/certs and wget does not.
Thanks!
EDIT
If I run wget with -d then I see without --ca-directory it loads about 150 certificates. With the option it is over 300. So it must be another path than openssl-default I think.
Wget 1.19.4 on linux-gnu on Debian 10