wget, curl, etc are compiled with gnu_tls or openssl or libressl, or
whatever. usually when adding those config options, you'll have some vars
for distro-specific settings. anyway. in ubuntu, ca-certificates is the
pkg that holds your normal trust stuff. update-ca-certificates is the
command you'd use to do the update. So, if you think you broke your trust
store, you could try update-ca-certificates, and if that didn't work, a
reinstall of ca-certificates. specifically, what update-ca-certificates
does is takes the list from /etc/ca-certificates.conf from /etc/ssl/certs
and updates the various ca bundles like the java cacerts and the
ca-certificates.txt, and anything else if the distro decided to use that in
its TLS/SSL config.
On Sat, Sep 17, 2022 at 11:46 AM Michael Butash via PLUG-discuss <
plug-discuss@lists.phxlinux.org> wrote:
> Some quick searching as I don't often use wget, it looks like it doesn't
> use local system certs, and has no inherent trust to certs at all. If you
> search "wget ssl certificates" like I just did, you see others posting how
> to skip the check and trust anyways, and various discussions wtf this is
> even a thing still. Weird software caveat I'd say it doesn't just
> reference system cert trusts, or just hasn't felt the need to be updated in
> 20 years because you know, security is meh.
>
> -mb
>
>
>
> On Sat, Sep 17, 2022 at 10:40 AM Jim via PLUG-discuss <
> plug-discuss@lists.phxlinux.org> wrote:
>
>> It's not just ww.gutenberg.org. That's an example of what happens no
>> matter what site I try to use wget on. About the truststore, how do I add
>> to or update it? I decided to ask for help after trying to install
>> openwebrx following the instructions here.
>> https://www.openwebrx.de/download/ubuntu.php Also I found out today
>> that something similar happens with youtube-dl. I tried to use it today
>> and this is what happened. Youtube-dl works if I use the
>> --no-check-certificate option.
>>
>> $ youtube-dl https://www.youtube.com/watch?v=VW3XQDDGhA4
>> [youtube] VW3XQDDGhA4: Downloading webpage
>> WARNING: Unable to download webpage: <urlopen error [SSL:
>> CERTIFICATE_VERIFY_FAILED] certificate ver
>> ify failed: unable to get local issuer certificate (_ssl.c:1131)>
>> [youtube] VW3XQDDGhA4: Downloading API JSON
>> ERROR: Unable to download API page: <urlopen error [SSL:
>> CERTIFICATE_VERIFY_FAILED] certificate veri
>> fy failed: unable to get local issuer certificate (_ssl.c:1131)> (caused
>> by URLError(SSLCertVerifica
>> tionError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
>> unable to get local issuer
>> certificate (_ssl.c:1131)')))
>>
>>
>>
>> On 9/16/22 17:33, James Mcphee via PLUG-discuss wrote:
>>
>> check out the verification of the cert chain. it works for me with a new
>> build of 20.04, so it might be that you need to add or update your
>> truststore.
>> openssl s_client -connect www.gutenberg.org:443 < /dev/null | openssl
>> x509 -text -noout
>>
>> up there at the top, this is what it looks like when it works
>> depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
>> Network, CN = USERTrust RSA Certification Authority
>> verify return:1
>> depth=1 C = US, ST = VA, L = Herndon, O = Network Solutions L.L.C., CN =
>> Network Solutions OV Server CA 2
>> verify return:1
>> depth=0 C = US, ST = Utah, L = Salt Lake City, O = Project Gutenberg
>> Literary Archive Foundation, CN = *.gutenberg.org
>> verify return:1
>> DONE
>>
>> I can see that i have that usertrust network cert in /etc/ssl/certs, so
>> all is good. if i had to add one i'd have then run update-ca-certicates.
>>
>> On Fri, Sep 16, 2022 at 2:17 PM Jim via PLUG-discuss <
>> plug-discuss@lists.phxlinux.org> wrote:
>>
>>> This has been bugging me for a while, but today it's annoying me to the
>>> point I want to fix it. Wget gives me an error whenever I try to use it.
>>> I have no problem getting files using a web browser. Here's an example.
>>> Using firefox I was able to download the file, but this can be a pain in
>>> the butt when I'm trying to add a repository. I have Ubuntu 20.04
>>> installed.
>>>
>>>
>>> $ wget https://www.gutenberg.org/ebooks/68992.epub.images
>>> --2022-09-16 14:08:02--
>>> https://www.gutenberg.org/ebooks/68992.epub.images
>>> Resolving www.gutenberg.org (www.gutenberg.org)... 152.19.134.47,
>>> 2610:28:3090:3000:0:bad:cafe:47
>>> Connecting to www.gutenberg.org (www.gutenberg.org)|152.19.134.47|:443...
>>> connected.
>>> ERROR: cannot verify www.gutenberg.org's certificate, issued by
>>> ‘CN=Network Solutions OV Server CA 2
>>> ,O=Network Solutions L.L.C.,L=Herndon,ST=VA,C=US’:
>>> Self-signed certificate encountered.
>>> To connect to www.gutenberg.org insecurely, use
>>> `--no-check-certificate'.
>>>
>>> Any idea how to fix this? thanks
>>>
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>>
>>
>> --
>> James McPhee
>> jmcphe@gmail.com
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
> ---------------------------------------------------
> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
--
James McPhee
jmcphe@gmail.com
---------------------------------------------------
PLUG-discuss mailing list:
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
(text/plain)