
[Bug-wget] trouble with self signed certificates --ca-directory=director


From: drayon
Subject: [Bug-wget] trouble with self signed certificates --ca-directory=directory
Date: Thu, 29 Mar 2012 12:15:28 +0930

Having the most head wrenching time with wget:

Version/compile details running on Mac OS X 10.6.8
==================================================
GNU Wget 1.13.4 built on darwin11.3.0.

+digest +https +ipv6 -iri +large-file -nls +ntlm +opie +ssl/openssl 

Wgetrc: 
    /usr/local/etc/wgetrc (system)
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc" 
    -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -O2 
    -Wall 
Link: gcc -O2 -Wall -liconv -lssl -lcrypto -lz -ldl -lz ftp-opie.o openssl.o 
    http-ntlm.o ../lib/libgnu.a 
==================================================

Command issued in terminal:
==================================================
wget https://forums.mvgroup.org/
--2012-03-29 10:20:39--  https://forums.mvgroup.org/
Resolving forums.mvgroup.org... 87.241.99.41
Connecting to forums.mvgroup.org|87.241.99.41|:443... connected.
ERROR: cannot verify forums.mvgroup.org's certificate, issued by 
`/O=MVGroup/CN=forums.mvgroup.org':
  Self-signed certificate encountered.
==================================================

I exported the Certificate "forums.mvgroup.org.pem" to 
/System/Library/OpenSSL/certs/forums.mvgroup.org.pem

If I open the text file the following data is inside
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

I then issued the following command: (--certificate=file)
====================================
wget --certificate=forums.mvgroup.org.pem 
https://forums.mvgroup.org/index.php?showtopic=2827
--2012-03-29 10:56:08--  https://forums.mvgroup.org/index.php?showtopic=2827
OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Disabling SSL due to encountered errors.
=======================================
I assume "--certificate=forums.mvgroup.org.pem" looks for this "file" in the 
current terminal directory? Or do we include the full path? i.e.
wget --certificate=/System/Library/OpenSSL/certs/forums.mvgroup.org.pem
=======================================

Ok so in Terminal I change directory to '/System/Library/OpenSSL/certs'
then issue:
sudo wget --ca-certificate=forums.mvgroup.org.pem 
https://forums.mvgroup.org/index.php?showtopic=2827

Success (note sudo since this is a system directory).

wget manual says "Without this option Wget looks for CA certificates at the 
system-specified locations, chosen at OpenSSL installation time". So why on OS 
X does SSL NOT look in '/System/Library/OpenSSL/certs'? I can't find a config 
file or correct command to set to this directory as the default to look for 
certificates.

Also I use ‘--ca-directory=directory’ as

wget --ca-directory=/System/Library/OpenSSL/certs/ 
https://forums.mvgroup.org/index.php?showtopic=2827

terminal reports
======================
Resolving forums.mvgroup.org... 87.241.99.41
Connecting to forums.mvgroup.org|87.241.99.41|:443... connected.
ERROR: cannot verify forums.mvgroup.org's certificate, issued by 
`/O=MVGroup/CN=forums.mvgroup.org':
  Self-signed certificate encountered.
To connect to forums.mvgroup.org insecurely, use `--no-check-certificate'.
======================

I think this must be a bug or wrong usage because logically this command tells 
wget to tell openssl to look in '/System/Library/OpenSSL/certs/' for a 
certificate, but it keeps failing unless we specifically tell wget the exact 
file based on the current directory, else it fails if the current directory 
doesn't contain a cert.

Please clarify and perhaps manual should show working examples for options like 
‘--ca-directory=directory’

Regards
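
Added example, not part of the original post or of wget: OpenSSL looks up certificates in a `--ca-directory` by file name `<subject-hash>.<n>`, so a file named `forums.mvgroup.org.pem` is never consulted there. The script builds such a name for a self-signed certificate constructed on the spot; the function names, subject and temporary paths are assumptions made for the illustration.

```shell
# Added example: why a plain .pem in a CA directory is ignored, and the fix.
# Assumes an `openssl` binary on PATH; use the same OpenSSL that wget links
# against, because the subject-hash algorithm differs between major versions.

# hash_link CERT DIR: install CERT in DIR as <subject-hash>.<n>, the only
# name OpenSSL's directory lookup searches for. Prints the path it created.
hash_link() {
    cert=$1; dir=$2
    h=$(openssl x509 -noout -hash -in "$cert") || return 1
    n=0
    while [ -e "$dir/$h.$n" ]; do
        # Already installed under this hash: nothing to do.
        if cmp -s "$cert" "$dir/$h.$n"; then echo "$dir/$h.$n"; return 0; fi
        n=$((n + 1))            # hash collision with another cert: next slot
    done
    cp "$cert" "$dir/$h.$n" || return 1   # c_rehash uses a symlink instead
    echo "$dir/$h.$n"
}

# trusted_via_dir CERT DIR: succeeds only if CERT verifies with DIR as CApath.
# Matches the "file: OK" line rather than trusting the exit status, which
# older OpenSSL releases left at 0 even on failure.
trusted_via_dir() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# demo: constructed self-signed certificate, checked before and after hashing.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=selfsigned.example.test" \
        -keyout "$work/key.pem" -out "$work/certs/site.pem" 2>/dev/null \
        || { rm -rf "$work"; return 1; }
    # Exported under a descriptive name only, as in the post: not found.
    trusted_via_dir "$work/certs/site.pem" "$work/certs" \
        && before=trusted || before=untrusted
    hash_link "$work/certs/site.pem" "$work/certs" >/dev/null
    trusted_via_dir "$work/certs/site.pem" "$work/certs" \
        && after=trusted || after=untrusted
    rm -rf "$work"
    echo "$before $after"
}

demo   # prints "untrusted trusted"
```

On OpenSSL 1.1.0 and later, `openssl rehash DIR` creates the same hashed names for every certificate in a directory. `--certificate` names a client certificate and needs a matching private key, which is what the `SSL_CTX_use_PrivateKey_file` error reports; a server's trust anchor belongs in `--ca-certificate` or a hashed `--ca-directory`.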
