Wget cannot verify certificate (Unable to locally verify the issuer's authority)
I compiled wget 1.19.4 from sources https://ftp.gnu.org/gnu/wget/wget-1.19.tar.gz using OpenSSL 1.0.2n which I also compiled from sources https://www.openssl.org/source/openssl-1.0.2n.tar.gz.

Wget works fine, except apparently it cannot verify except if I explicitly provide a reference to the certificate authority. In other words, this command succeeds.

```
$ ./mywget --verbose --server-response -U 'Mozilla/5.0 (Linux; rv:55.0) Gecko/55.0 Firefox/55.0' 'https://www.google.com/' -O ~/google.html --ca-certificate=/etc/ssl/certs/GeoTrust_Global_CA.pem
--2018-02-13 17:14:37-- https://www.google.com/
Resolving www.google.com... 216.58.205.132, 2a00:1450:4002:801::2004
Connecting to www.google.com|216.58.205.132|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Cache-Control: private
  Content-Type: text/html; charset=UTF-8
  Referrer-Policy: no-referrer
  Location: https://www.google.it/?gfe_rd=cr&dcr=0&ei=7Q6DWoj4O5PCXuWanvgC
  Content-Length: 267
  Set-Cookie: CONSENT=WP.269e51; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com
  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
  Date: Tue, 13 Feb 2018 16:14:37 GMT
  Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35"
Location: https://www.google.it/?gfe_rd=cr&dcr=0&ei=7Q6DWoj4O5PCXuWanvgC [following]
--2018-02-13 17:14:37-- https://www.google.it/?gfe_rd=cr&dcr=0&ei=7Q6DWoj4O5PCXuWanvgC
Resolving www.google.it... 172.217.23.227, 2a00:1450:4002:806::2003
Connecting to www.google.it|172.217.23.227|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 13 Feb 2018 16:14:38 GMT
  Expires: -1
  Cache-Control: private, max-age=0
  Content-Type: text/html; charset=UTF-8
  Strict-Transport-Security: max-age=3600
  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
  Server: gws
  X-XSS-Protection: 1; mode=block
  X-Frame-Options: SAMEORIGIN
  Set-Cookie: 1P_JAR=2018-02-13-16; expires=Thu, 15-Mar-2018 16:14:38 GMT; path=/; domain=.google.it
  Set-Cookie: NID=123=EJ8tnCEToqMdMUHSHwFfrOmVvwYQfe3DrI_rzastMDql0mPqmKUTfH4EBooMzSKwF7ugyNGO8-SLxw_pDQpvf2DQRzun7_y79NvL_SbNforpFbl7N297thWLnP2JfR-f; expires=Wed, 15-Aug-2018 16:14:38 GMT; path=/; domain=.google.it; HttpOnly
  Set-Cookie: CONSENT=WP.269e51; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.it
  Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35"
  Accept-Ranges: none
  Vary: Accept-Encoding
  Transfer-Encoding: chunked
Length: unspecified [text/html]
Saving to: ‘/home/username/google.html’

/home/username/google.html [ <=> ] 217.25K --.-KB/s in 0.1s

2018-02-13 17:14:38 (1.50 MB/s) - ‘/home/username/google.html’ saved [222460]
```

This one does not.

```
$ ./mywget --verbose --server-response -U 'Mozilla/5.0 (Linux; rv:55.0) Gecko/55.0 Firefox/55.0' 'https://www.google.com/' -O ~/google.html
--2018-02-13 17:14:44-- https://www.google.com/
Resolving www.google.com... 216.58.205.132, 2a00:1450:4002:801::2004
Connecting to www.google.com|216.58.205.132|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by ‘CN=Google Internet Authority G2,O=Google Inc,C=US’:
  Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.
```

The option `--no-check-certificate` indeed allows connecting to www.google.com anyway, but that is not exactly satisfying.

Here are some details on how I compiled the software.

I installed openssl with `./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl`, `make` and `sudo make install`. I added /usr/local/ssl and /usr/local/ssl/lib to /etc/ld.conf and then ran `ldconfig`.

After running `CFLAGS='-O2 -Wall' PKG_CONFIG_PATH=/usr/local/ssl/lib/pkgconfig ./configure --enable-threads=posix --with-libiconv-prefix=/usr --with-ssl=openssl` and `make` I finally got the binary for `wget`.

If you need other details, or you feel that this kind of question might be better suited for some other site (Unix & Linux, Serverfault, etc...), please let me know.

EDIT: I just found out that the very same binary works just fine when run on a different server with the same version of the operating system. Thus apparently there is some misconfiguration of the server I compiled it on. So I guess my question now is not about the compilation, but how do I determine what is wrong in the machine configuration and how can I fix it.
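
One way to check where a given OpenSSL build looks for CA certificates by default, as an added example that is not part of the original post. It assumes OpenSSL's compiled-in defaults of `cert.pem` and `certs/` under the directory printed by `openssl version -d`, which `SSL_CERT_FILE` and `SSL_CERT_DIR` override; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether an OpenSSL build's default trust store is populated.

# Extract the directory from `openssl version -d` output,
# e.g.  OPENSSLDIR: "/usr/local/ssl"  ->  /usr/local/ssl
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Count hash-named entries (8 hex digits, a dot, a number) that resolve to a
# file. OpenSSL looks up issuers in a CA directory by these names, so plain
# *.pem files without hash links are not found.
count_hashed_certs() {
    n=0
    for f in "$1"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Return 0 if the CA bundle or CA directory used by default for the given
# OPENSSLDIR contains anything, 1 otherwise.
check_trust_store() {
    ca_file="${SSL_CERT_FILE:-$1/cert.pem}"
    ca_dir="${SSL_CERT_DIR:-$1/certs}"
    hashed=$(count_hashed_certs "$ca_dir")
    echo "CA file: $ca_file ($( [ -s "$ca_file" ] && echo present || echo 'missing or empty'))"
    echo "CA dir:  $ca_dir ($hashed hashed entries)"
    [ -s "$ca_file" ] || [ "$hashed" -gt 0 ]
}

# Query an openssl binary (default: the one on PATH) and check its store.
diagnose() {
    dir=$(parse_openssldir "$("${1:-openssl}" version -d)")
    echo "OPENSSLDIR: $dir"
    check_trust_store "$dir"
}

# Stand-alone use: sh check_store.sh run [path-to-openssl]
if [ "${1:-}" = "run" ]; then
    diagnose "${2:-openssl}"
fi
```

Point `diagnose` at the `openssl` binary that belongs to the library wget was linked against (with the `--prefix` shown above, `/usr/local/ssl/bin/openssl`), and compare the output on the failing and the working server.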