
Wget cannot verify certificate (Unable to locally verify the issuer's authority)

GiulioP Published in 2018-02-13 16:39:36Z

I compiled wget 1.19.4 from sources https://ftp.gnu.org/gnu/wget/wget-1.19.tar.gz using OpenSSL 1.0.2n, which I also compiled from sources https://www.openssl.org/source/openssl-1.0.2n.tar.gz. Wget works fine, except that apparently it cannot verify the certificate unless I explicitly provide a reference to the certificate authority.

In other words, this command succeeds.

$ ./mywget --verbose --server-response -U 'Mozilla/5.0 (Linux; rv:55.0) Gecko/55.0 Firefox/55.0' 'https://www.google.com/' -O ~/google.html --ca-certificate=/etc/ssl/certs/GeoTrust_Global_CA.pem
--2018-02-13 17:14:37--  https://www.google.com/
Resolving www.google.com... 216.58.205.132, 2a00:1450:4002:801::2004
Connecting to www.google.com|216.58.205.132|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Cache-Control: private
  Content-Type: text/html; charset=UTF-8
  Referrer-Policy: no-referrer
  Location: https://www.google.it/?gfe_rd=cr&dcr=0&ei=7Q6DWoj4O5PCXuWanvgC
  Content-Length: 267
  Set-Cookie: CONSENT=WP.269e51; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com
  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
  Date: Tue, 13 Feb 2018 16:14:37 GMT
  Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35"
Location: https://www.google.it/?gfe_rd=cr&dcr=0&ei=7Q6DWoj4O5PCXuWanvgC [following]
--2018-02-13 17:14:37--  https://www.google.it/?gfe_rd=cr&dcr=0&ei=7Q6DWoj4O5PCXuWanvgC
Resolving www.google.it... 172.217.23.227, 2a00:1450:4002:806::2003
Connecting to www.google.it|172.217.23.227|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 13 Feb 2018 16:14:38 GMT
  Expires: -1
  Cache-Control: private, max-age=0
  Content-Type: text/html; charset=UTF-8
  Strict-Transport-Security: max-age=3600
  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
  Server: gws
  X-XSS-Protection: 1; mode=block
  X-Frame-Options: SAMEORIGIN
  Set-Cookie: 1P_JAR=2018-02-13-16; expires=Thu, 15-Mar-2018 16:14:38 GMT; path=/; domain=.google.it
  Set-Cookie: NID=123=EJ8tnCEToqMdMUHSHwFfrOmVvwYQfe3DrI_rzastMDql0mPqmKUTfH4EBooMzSKwF7ugyNGO8-SLxw_pDQpvf2DQRzun7_y79NvL_SbNforpFbl7N297thWLnP2JfR-f; expires=Wed, 15-Aug-2018 16:14:38 GMT; path=/; domain=.google.it; HttpOnly
  Set-Cookie: CONSENT=WP.269e51; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.it
  Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35"
  Accept-Ranges: none
  Vary: Accept-Encoding
  Transfer-Encoding: chunked
Length: unspecified [text/html]
Saving to: ‘/home/username/google.html’

/home/username/google.html                                      [ <=>                                                                                                                                     ] 217.25K  --.-KB/s    in 0.1s

2018-02-13 17:14:38 (1.50 MB/s) - ‘/home/username/google.html’ saved [222460]

This one does not.

$ ./mywget --verbose --server-response -U 'Mozilla/5.0 (Linux; rv:55.0) Gecko/55.0 Firefox/55.0' 'https://www.google.com/' -O ~/google.html
--2018-02-13 17:14:44--  https://www.google.com/
Resolving www.google.com... 216.58.205.132, 2a00:1450:4002:801::2004
Connecting to www.google.com|216.58.205.132|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by ‘CN=Google Internet Authority G2,O=Google Inc,C=US’:
  Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.

The option --no-check-certificate indeed allows connecting to www.google.com anyway, but that is not exactly satisfying.

Here are some details on how I compiled the software.

  1. I installed openssl with ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl, make and sudo make install.
  2. I added /usr/local/ssl and /usr/local/ssl/lib to /etc/ld.conf and then ran ldconfig.
  3. After running CFLAGS='-O2 -Wall' PKG_CONFIG_PATH=/usr/local/ssl/lib/pkgconfig ./configure --enable-threads=posix --with-libiconv-prefix=/usr --with-ssl=openssl and make I finally got the binary for wget.

If you need other details, or you feel that this kind of question might be better suited for some other site (Unix & Linux, Serverfault, etc...), please let me know.

EDIT:

I just found out that the very same binary works just fine when run on a different server with the same version of the operating system. Thus apparently there is some misconfiguration of the server I compiled it on. So I guess my question now is not about the compilation, but how do I determine what is wrong with the machine configuration and how can I fix it.
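
For the closing question about comparing the two machines, the check below reports whether the trust-store locations of an OpenSSL build are populated. It is an added example, not part of the original post. It assumes the wget binary relies on OpenSSL's default verify paths (`<OPENSSLDIR>/cert.pem` and `<OPENSSLDIR>/certs`, overridable with `SSL_CERT_FILE` / `SSL_CERT_DIR`); `check_trust_store` and `OPENSSL_BIN` are hypothetical names.

```shell
#!/bin/sh
# Added example: report whether an OpenSSL trust-store location is usable.
# Assumption: the client calls OpenSSL's default verify paths, i.e.
#   <OPENSSLDIR>/cert.pem  (a PEM bundle file) and
#   <OPENSSLDIR>/certs     (a directory of <8 hex digits>.<n> hash links),
# unless SSL_CERT_FILE / SSL_CERT_DIR are set in the environment.
# Simplification: SSL_CERT_DIR is treated as a single directory.

# check_trust_store OPENSSLDIR
# Prints one of: bundle | hashed-dir | no-hash-links | missing
# Returns 0 when at least one trust source is usable, 1 otherwise.
check_trust_store() {
    dir=$1
    file=${SSL_CERT_FILE:-$dir/cert.pem}
    certs=${SSL_CERT_DIR:-$dir/certs}

    # A bundle file counts only if it really holds a PEM certificate.
    if [ -r "$file" ] && grep -q 'BEGIN CERTIFICATE' "$file"; then
        echo "bundle"; return 0
    fi

    # The directory lookup is by subject-hash file name, so plain
    # *.pem files without hash links are never found.
    if [ -d "$certs" ]; then
        for f in "$certs"/*; do
            case ${f##*/} in
                [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                    [ -e "$f" ] && { echo "hashed-dir"; return 0; } ;;
            esac
        done
        echo "no-hash-links"; return 1
    fi

    echo "missing"; return 1
}

# When an openssl binary is available, check the directory it was built with.
# Set OPENSSL_BIN to the binary from the same build the client links against.
bin=${OPENSSL_BIN:-openssl}
if command -v "$bin" >/dev/null 2>&1; then
    d=$("$bin" version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    echo "$d: $(check_trust_store "$d")"
fi
```

Running it on both servers with the same `OPENSSL_BIN` shows whether one has a populated bundle or hashed directory under the build's OPENSSLDIR and the other does not.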
