bug-wget

Re: [Bug-wget] trouble with self signed certificates --ca-directory=dire


From: Ángel González
Subject: Re: [Bug-wget] trouble with self signed certificates --ca-directory=directory
Date: Thu, 29 Mar 2012 17:15:13 +0200
User-agent: Thunderbird

On 29/03/12 04:45, drayon wrote:
> Having the most head wrenching time with wget:
>
> Version/compile details running on Mac OS X 10.6.8
> ==================================================
> GNU Wget 1.13.4 built on darwin11.3.0.
> (...)
>
> I then issued the following command: (--certificate=file)
> ====================================
> wget --certificate=forums.mvgroup.org.pem 
> https://forums.mvgroup.org/index.php?showtopic=2827
> --2012-03-29 10:56:08--  https://forums.mvgroup.org/index.php?showtopic=2827
> OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
> OpenSSL: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> Disabling SSL due to encountered errors.
> =======================================
> I assume "--certificate=forums.mvgroup.org.pem" looks for this "file" in the 
> current terminal directory? or do we include the full path? ie
> wget --certificate=/System/Library/OpenSSL/certs/forums.mvgroup.org.pem
> =======================================
It looks for it in the current folder. You can also call it from a
different folder specifying the full path.
But note that it is reading it here: the error is "PEM
routines:PEM_read_bio:no start line"; otherwise it
would be "system library:fopen:No such file or directory".



> Ok so in Terminal I change directory to '/System/Library/OpenSSL/certs'
> then issue:
> sudo wget --ca-certificate=forums.mvgroup.org.pem 
> https://forums.mvgroup.org/index.php?showtopic=2827
>
> Success (note sudo since this is a system directory).
You shouldn't need sudo here, just for running it on this folder (it
wouldn't be able to save it there, but you could use for instance -O
/tmp/forum ).

It's strange it worked for you, as I wasn't able to get it to work using
just --ca-certificate.

> wget manual says "Without this option Wget looks for CA certificates at the 
> system-specified locations, chosen at OpenSSL installation time". So why on 
> OS X does SSL NOT look in '/System/Library/OpenSSL/certs'? I can't find a 
> config file or correct command to set to this directory as the default to 
> look for certificates.
>
> Also I use ‘--ca-directory=directory’ as
>
> wget --ca-directory=/System/Library/OpenSSL/certs/ 
> https://forums.mvgroup.org/index.php?showtopic=2827
>
> terminal reports
> ======================
> Resolving forums.mvgroup.org... 87.241.99.41
> Connecting to forums.mvgroup.org|87.241.99.41|:443... connected.
> ERROR: cannot verify forums.mvgroup.org's certificate, issued by 
> `/O=MVGroup/CN=forums.mvgroup.org':
>   Self-signed certificate encountered.
> To connect to forums.mvgroup.org insecurely, use `--no-check-certificate'.
> ======================
>
> I think this must be a bug or wrong usage because logically this command 
> tells wget to tell openssl to look in '/System/Library/OpenSSL/certs/' for a 
> certificate but it keeps failing unless we specifically tell wget the exact 
> file based on the current directory else it fails if current directory doesn't 
> contain a cert.
Note that the wget manual also says "the file name is based on a hash
value derived from the certificate.  This is achieved by
processing a certificate directory with the `c_rehash' utility supplied
with OpenSSL.".
In this case, running c_rehash <folder> creates a symlink from
3cc93452.0 to forums.mvgroup.org.pem.

Using wget with ca-directory does work for me if there is such a link, but
fails otherwise.
I suppose wget is also trying to open it at
/System/Library/OpenSSL/certs/3cc93452.0, so if you make such symlink
there it should also work.
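
The hash-named lookup described in the reply above, as an added example that is not part of the original message and is not wget or OpenSSL code: it creates the `<hash>.N` symlinks that a `--ca-directory` lookup needs and checks the result with `openssl verify -CApath`. It assumes the `openssl` CLI is on PATH; the function names and the `selfsigned.example` certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example. Requires the openssl command-line tool.

# Print the subject-name hash OpenSSL uses for CA-directory lookups.
cert_hash() {
    openssl x509 -noout -hash -in "$1" 2>/dev/null
}

# Succeed if DIR ($1) already has a <hash>.N link pointing at CERT ($2).
is_linked() {
    name=$(basename "$2"); want=$3
    for link in "$1/$want".*; do
        [ -L "$link" ] && [ "$(readlink "$link")" = "$name" ] && return 0
    done
    return 1
}

# Create the missing <hash>.N symlinks for every *.pem in DIR ($1)
# and print each link that was created.
rehash_dir() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        h=$(cert_hash "$cert") || { echo "skipped, not a PEM certificate: $cert" >&2; continue; }
        is_linked "$1" "$cert" "$h" && continue
        n=0
        # Different certificates can share a subject hash: take the next free suffix.
        while [ -e "$1/$h.$n" ] || [ -L "$1/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$1/$h.$n"
        echo "$h.$n -> $(basename "$cert")"
    done
}

# Constructed demo: a throwaway self-signed certificate in a temp directory,
# verified against that directory before and after the links exist.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=selfsigned.example" \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" 2>/dev/null || return 1
    openssl verify -CApath "$d" "$d/selfsigned.pem" || true   # no hash link yet
    rehash_dir "$d"
    openssl verify -CApath "$d" "$d/selfsigned.pem"           # found via <hash>.0
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Every file linked this way becomes a trust anchor for `wget --ca-directory`, so check a self-signed certificate's fingerprint out of band before adding it.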



