Re: [Bug-wget] trouble with self signed certificates --ca-directory=dire
From: Ángel González
Subject: Re: [Bug-wget] trouble with self signed certificates --ca-directory=directory
Date: Thu, 29 Mar 2012 17:15:13 +0200
User-agent: Thunderbird
On 29/03/12 04:45, drayon wrote:
> Having the most head wrenching time with wget:
>
> Version/compile details running on Mac OS X 10.6.8
> ==================================================
> GNU Wget 1.13.4 built on darwin11.3.0.
> (...)
>
> I then issued the following command: (--certificate=file)
> ====================================
> wget --certificate=forums.mvgroup.org.pem
> https://forums.mvgroup.org/index.php?showtopic=2827
> --2012-03-29 10:56:08-- https://forums.mvgroup.org/index.php?showtopic=2827
> OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
> OpenSSL: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> Disabling SSL due to encountered errors.
> =======================================
> I assume "--certificate=forums.mvgroup.org.pem" looks for this "file" in the
> current terminal directory? or do we include the full path? ie
> wget --certificate=/System/Library/OpenSSL/certs/forums.mvgroup.org.pem
> =======================================
It looks for it in the current folder. You can also call it from a
different folder specifying the full path.
But note that it is reading it here: the error is "PEM
routines:PEM_read_bio:no start line"; otherwise it
would be "system library:fopen:No such file or directory".
> Ok so in Terminal I change directory to '/System/Library/OpenSSL/certs'
> then issue:
> sudo wget --ca-certificate=forums.mvgroup.org.pem
> https://forums.mvgroup.org/index.php?showtopic=2827
>
> Success (note sudo since this is a system directory).
You shouldn't need sudo here, just for running it on this folder (it
wouldn't be able to save it there, but you could use for instance -O
/tmp/forum ).
It's strange it worked for you, as I wasn't able to get it to work using
just --ca-certificate.
> wget manual says "Without this option Wget looks for CA certificates at the
> system-specified locations, chosen at OpenSSL installation time". So why on
> OS X does SSL NOT look in '/System/Library/OpenSSL/certs'? I can't find a
> config file or correct command to set to this directory as the default to
> look for certificates.
>
> Also I use ‘--ca-directory=directory’ as
>
> wget --ca-directory=/System/Library/OpenSSL/certs/
> https://forums.mvgroup.org/index.php?showtopic=2827
>
> terminal reports
> ======================
> Resolving forums.mvgroup.org... 87.241.99.41
> Connecting to forums.mvgroup.org|87.241.99.41|:443... connected.
> ERROR: cannot verify forums.mvgroup.org's certificate, issued by
> `/O=MVGroup/CN=forums.mvgroup.org':
> Self-signed certificate encountered.
> To connect to forums.mvgroup.org insecurely, use `--no-check-certificate'.
> ======================
>
> I think this must be a bug or wrong usage because logically this command
> tells wget to tell openssl to look in '/System/Library/OpenSSL/certs/' for a
> certificate but it keeps failing unless we specifically tell wget the exact
> file based on the current directory else it fails if current directory doesn't
> contain a cert.
Note that the wget manual also says "the file name is based on a hash
value derived from the certificate. This is achieved by
processing a certificate directory with the `c_rehash' utility supplied
with OpenSSL.".
In this case, running c_rehash <folder> creates a symlink from
3cc93452.0 to forums.mvgroup.org.pem.
Using wget with ca-directory does work for me if there is such a link, but
fails otherwise.
I suppose wget is also trying to open it at
/System/Library/OpenSSL/certs/3cc93452.0, so if you make such a symlink
there it should also work.
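
The hash-named lookup described in the reply above, as an added example that is not part of the original thread: it builds a throwaway directory holding a constructed self-signed certificate (the subject, file names and function names are made up for the demo), checks it with `openssl verify -CApath` before and after creating the `<hash>.0` symlink by hand, the way `c_rehash` would.

```shell
#!/bin/sh
# Added example; the certificate, subject and paths are constructed for the demo.

# Create the <subject-hash>.N symlink that OpenSSL looks up in a CA directory
# (what c_rehash does for each certificate in the folder). Prints the link name.
link_cert_by_hash() {
    dir=$1; pem=$2
    hash=$(openssl x509 -in "$dir/$pem" -noout -hash) || return 1
    n=0
    # .0 is the first slot; take the next suffix if a different cert shares the hash
    while [ -e "$dir/$hash.$n" ] && ! cmp -s "$dir/$hash.$n" "$dir/$pem"; do
        n=$((n + 1))
    done
    ln -sf "$pem" "$dir/$hash.$n" && printf '%s\n' "$hash.$n"
}

# True only when OpenSSL reports the certificate as verified. The output is
# matched instead of the exit status, which old OpenSSL releases set unreliably.
verify_with_capath() {
    openssl verify -CApath "$1" "$1/$2" 2>/dev/null | grep -q ': OK$'
}

# Build a temporary CA directory containing one self-signed certificate.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=forums.example.test" \
        -keyout "$d/key.pem" -out "$d/forum.pem" >/dev/null 2>&1 || return 1
    printf '%s\n' "$d"
}

# Verify by plain file name only, then again after adding the hash link.
capath_demo() {
    d=$(make_demo_dir) || return 1
    verify_with_capath "$d" forum.pem && before=ok || before=fail
    link=$(link_cert_by_hash "$d" forum.pem) || return 1
    verify_with_capath "$d" forum.pem && after=ok || after=fail
    rm -rf "$d"
    echo "before=$before after=$after link=$link"
}

capath_demo
```

The same `openssl x509 -noout -hash` call on a real certificate file shows which link name a `--ca-directory` lookup will expect for it.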