Re: wget ssl certificate problem

Author: Jim via PLUG-discuss
Date:  
To: James Mcphee via PLUG-discuss
CC: Jim
Subject: Re: wget ssl certificate problem
I was looking in muon and found wget2.  In the description it says: GNU
Wget2 is the successor of GNU Wget.  So I installed wget2 and tested it
to find it works.  Do any other apps use wget?  If so, could I replace
/usr/bin/wget with a symbolic link to /usr/bin/wget2?  I ask because I
thought about using muon to purge wget, but it warned me that a bunch of
stuff would also be removed, so I clicked cancel.

On 9/17/22 15:08, James Mcphee via PLUG-discuss wrote:
> wget, curl, etc are compiled with gnu_tls or openssl or libressl, or
> whatever.  usually when adding those config options, you'll have some
> vars for distro-specific settings.  anyway.  in ubuntu,
> ca-certificates is the pkg that holds your normal trust stuff. 
> update-ca-certificates is the command you'd use to do the update.  So,
> if you think you broke your trust store, you could try
> update-ca-certificates, and if that didn't work, a reinstall of
> ca-certificates.  specifically, what update-ca-certificates does is
> takes the list from /etc/ca-certificates.conf from /etc/ssl/certs and
> updates the various ca bundles like the java cacerts and the
> ca-certificates.txt, and anything else if the distro decided to use
> that in its TLS/SSL config.
>
> On Sat, Sep 17, 2022 at 11:46 AM Michael Butash via PLUG-discuss wrote:
>
>     Some quick searching as I don't often use wget, it looks like it
>     doesn't use local system certs, and has no inherent trust to certs
>     at all.  If you search "wget ssl certificates" like I just did,
>     you see others posting how to skip the check and trust anyways,
>     and various discussions wtf this is even a thing still.  Weird
>     software caveat I'd say it doesn't just reference system cert
>     trusts, or just hasn't felt the need to be updated in 20 years
>     because you know, security is meh.
>
>     -mb
>
>     On Sat, Sep 17, 2022 at 10:40 AM Jim via PLUG-discuss wrote:
>
>         It's not just ww.gutenberg.org.
>         That's an example of what happens no matter what site I try to
>         use wget on.  About the truststore, how do I add to or update
>         it?  I decided to ask for help after trying to install
>         openwebrx following the instructions here.
>         https://www.openwebrx.de/download/ubuntu.php
>         Also I found out today that something similar happens with
>         youtube-dl.  I tried to use it today and this is what happened.
>         Youtube-dl works if I use the --no-check-certificate option.
>
>         $ youtube-dl https://www.youtube.com/watch?v=VW3XQDDGhA4
>         [youtube] VW3XQDDGhA4: Downloading webpage
>         WARNING:Unable to download webpage: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>
>         [youtube] VW3XQDDGhA4: Downloading API JSON
>         ERROR:Unable to download API page: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)> (caused by URLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))
>
>         On 9/16/22 17:33, James Mcphee via PLUG-discuss wrote:
>>         check out the verification of the cert chain.  it works for
>>         me with a new build of 20.04, so it might be that you need to
>>         add or update your truststore.
>>         openssl s_client -connect www.gutenberg.org:443 < /dev/null | openssl x509 -text -noout
>>
>>         up there at the top, this is what it looks like when it works
>>         depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
>>         verify return:1
>>         depth=1 C = US, ST = VA, L = Herndon, O = Network Solutions L.L.C., CN = Network Solutions OV Server CA 2
>>         verify return:1
>>         depth=0 C = US, ST = Utah, L = Salt Lake City, O = Project Gutenberg Literary Archive Foundation, CN = *.gutenberg.org
>>         verify return:1
>>         DONE
>>
>>         I can see that i have that usertrust network cert in
>>         /etc/ssl/certs, so all is good.  if i had to add one i'd have
>>         then run update-ca-certificates.
>>
>>         On Fri, Sep 16, 2022 at 2:17 PM Jim via PLUG-discuss wrote:
>>
>>             This has been bugging me for a while, but today it's
>>             annoying me to the point I want to fix it.  Wget gives me
>>             an error whenever I try to use it.  I have no problem
>>             getting files using a web browser.  Here's an example.
>>             Using firefox I was able to download the file, but this
>>             can be a pain in the butt when I'm trying to add a
>>             repository.  I have Ubuntu 20.04 installed.
>>
>>             $ wget https://www.gutenberg.org/ebooks/68992.epub.images
>>             --2022-09-16 14:08:02--  https://www.gutenberg.org/ebooks/68992.epub.images
>>             Resolving www.gutenberg.org (www.gutenberg.org)... 152.19.134.47, 2610:28:3090:3000:0:bad:cafe:47
>>             Connecting to www.gutenberg.org (www.gutenberg.org)|152.19.134.47|:443... connected.
>>             ERROR: cannot verify www.gutenberg.org's certificate, issued by ‘CN=Network Solutions OV Server CA 2,O=Network Solutions L.L.C.,L=Herndon,ST=VA,C=US’:
>>              Self-signed certificate encountered.
>>             To connect to www.gutenberg.org insecurely, use `--no-check-certificate'.
>>
>>             Any idea how to fix this?  thanks
>>
>>             ---------------------------------------------------
>>             PLUG-discuss mailing list: 
>>             To subscribe, unsubscribe, or to change your mail settings:
>>             https://lists.phxlinux.org/mailman/listinfo/plug-discuss

>>
>>
>>
>>         -- 
>>         James McPhee
>
> --
> James McPhee
---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
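
The "unable to get local issuer certificate" failure discussed in this thread can be reproduced offline. The script below is an added example, not part of any poster's message: it builds a throwaway root, intermediate and server certificate with openssl and shows how the verdict of `openssl verify` depends on what the trust bundle contains and on whether the intermediate is supplied. The CA names, file names and the helper functions `new_cert`, `verdict` and `build_demo` are assumptions made up for the demo.

```shell
#!/usr/bin/env bash
# Constructed chain: Demo Root CA -> Demo Intermediate CA -> demo.example.
# Every name and file here is a throwaway value made up for this example.

new_cert() {  # new_cert DIR NAME CN SIGNER [EXTFILE]; SIGNER = NAME means self-signed
  local d="$1" n="$2" ext="${5:+-extfile $5}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1 || return 1
  if [ "$4" = "$n" ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 $ext \
      -out "$d/$n.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$4.pem" -CAkey "$d/$4.key" \
      -CAcreateserial -days 2 $ext -out "$d/$n.pem" >/dev/null 2>&1
  fi
}

verdict() {  # verdict TRUST_BUNDLE LEAF [INTERMEDIATE] -> "OK" or openssl's error
  local out
  if out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" |
      sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup: *\(.*\)$/depth \1: \2/p' |
      head -n 1
  fi
}

build_demo() {  # creates the chain in a fresh temp dir and prints the dir name
  local d
  d=$(mktemp -d) || return 1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_cert "$d" root  "Demo Root CA"         root  "$d/ca.ext" &&
  new_cert "$d" other "Unrelated Root CA"    other "$d/ca.ext" &&
  new_cert "$d" int   "Demo Intermediate CA" root  "$d/ca.ext" &&
  new_cert "$d" leaf  "demo.example"         int &&
  # A rebuilt bundle that now includes the missing root.
  cat "$d/other.pem" "$d/root.pem" > "$d/fixed-bundle.pem" &&
  echo "$d"
}

w=$(build_demo) || exit 1
echo "root trusted, intermediate sent:    $(verdict "$w/root.pem" "$w/leaf.pem" "$w/int.pem")"
echo "root missing from trust bundle:     $(verdict "$w/other.pem" "$w/leaf.pem" "$w/int.pem")"
echo "root trusted, intermediate missing: $(verdict "$w/root.pem" "$w/leaf.pem")"
echo "bundle rebuilt with the root added: $(verdict "$w/fixed-bundle.pem" "$w/leaf.pem" "$w/int.pem")"
```

The depth in a failing verdict indicates where the chain broke: depth 0 means the issuer of the server certificate itself could not be found, while a higher depth means an intermediate was found but its own issuer was not in the trust bundle.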