Some quick searching as I don't often use wget, it looks like it doesn't use local system certs, and has no inherent trust to certs at all.  If you search "wget ssl certificates" like I just did, you see others posting how to skip the check and trust anyways, and various discussions wtf this is even a thing still.  Weird software caveat I'd say it doesn't just reference system cert trusts, or just hasn't felt the need to be updated in 20 years because you know, security is meh.

-mb



On Sat, Sep 17, 2022 at 10:40 AM Jim via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:

It's not just ww.gutenberg.org. That's an example of what happens no matter what site I try to use wget on.  About the truststore, how do I add to or update it?  I decided to ask for help after trying to install openwebrx following the instructions here.  https://www.openwebrx.de/download/ubuntu.php  Also I found out today that something similar happens with youtube-dl.  I tried to use it today and this is what happened.   Youtube-dl works if I use the --no-check-certificate option.

$ youtube-dl https://www.youtube.com/watch?v=VW3XQDDGhA4
[youtube] VW3XQDDGhA4: Downloading webpage
WARNING: Unable to download webpage: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate ver
ify failed: unable to get local issuer certificate (_ssl.c:1131)>
[youtube] VW3XQDDGhA4: Downloading API JSON
ERROR: Unable to download API page: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate veri
fy failed: unable to get local issuer certificate (_ssl.c:1131)> (caused by URLError(SSLCertVerifica
tionError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer
certificate (_ssl.c:1131)')))



On 9/16/22 17:33, James Mcphee via PLUG-discuss wrote:
check out the verification of the cert chain.  it works for me with a new build of 20.04, so it might be that you need to add or update your truststore.
openssl s_client -connect www.gutenberg.org:443 < /dev/null | openssl x509 -text -noout

up there at the top, this is what it looks like when it works
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = VA, L = Herndon, O = Network Solutions L.L.C., CN = Network Solutions OV Server CA 2
verify return:1
depth=0 C = US, ST = Utah, L = Salt Lake City, O = Project Gutenberg Literary Archive Foundation, CN = *.gutenberg.org
verify return:1
DONE

I can see that i have that usertrust network cert in /etc/ssl/certs, so all is good.  if i had to add one i'd have then run update-ca-certicates.

On Fri, Sep 16, 2022 at 2:17 PM Jim via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:

This has been bugging me for a while, but today it's annoying me to the point I want to fix it.  Wget gives me an error whenever I try to use it.  I have no problem getting files using a web browser.  Here's an example.  Using firefox I was able to download the file, but this can be a pain in the butt when I'm trying to add a repository.  I have Ubuntu 20.04 installed.


$ wget https://www.gutenberg.org/ebooks/68992.epub.images
--2022-09-16 14:08:02--  https://www.gutenberg.org/ebooks/68992.epub.images
Resolving www.gutenberg.org (www.gutenberg.org)... 152.19.134.47, 2610:28:3090:3000:0:bad:cafe:47
Connecting to www.gutenberg.org (www.gutenberg.org)|152.19.134.47|:443... connected.
ERROR: cannot verify www.gutenberg.org's certificate, issued by ‘CN=Network Solutions OV Server CA 2
,O=Network Solutions L.L.C.,L=Herndon,ST=VA,C=US’:
 Self-signed certificate encountered.
To connect to www.gutenberg.org insecurely, use `--no-check-certificate'.

Any idea how to fix this?  thanks


---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss


--
James McPhee
jmcphe@gmail.com

---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss