Re: wget ssl certificate problem

Author: Jim via PLUG-discuss
Date:  
To: James Mcphee via PLUG-discuss
CC: Jim
Subject: Re: wget ssl certificate problem
It's fixed now.  After a few minutes looking, I found someone who had
the same problem and fixed it by putting ca_directory=/etc/ssl/certs in
/etc/wgetrc


On 9/19/22 02:35, James Mcphee via PLUG-discuss wrote:
> Yeah, take a look at the makefile for wget and you can get an idea of
> how complicated these kinds of general use programs are.  you can make
> a relatively simple http client in code, but trying to get it to
> handle all the corner cases of the web, it's just easier to depend on
> something that already does all the heavy lifting.  For scripting,
> it's usually either wget or curl.  Full languages will tend to have
> their own http libs and don't have to reach outside, though they will
> tend to depend on SSL/TLS from openssl or gnu_tls on the OS to avoid
> having to implement that whole stack in native code.  Tend, not
> required. There is a native ssl implementation in java for example.
>
> Interesting about wget2.  The distros I tend to use are so ancient I
> wasn't aware it had been released.  Finally support for some of the
> more modern http options, which has always been a weakness of wget. 
> Thanks for that!
>
> Regarding the certificate trust issue, if you want to continue poking,
> check to see if you have
> /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem
> check to see if that's in /etc/ssl/certs/ca-certificates.crt
>
> If it is, try wget with --ca-certificate or --ca-directory options and
> see if that helps.
>
> Based on the error, ERROR: cannot verify www.gutenberg.org's
> certificate, issued by ‘CN=Network Solutions OV Server CA 2,O=Network
> Solutions L.L.C.,L=Herndon,ST=VA,C=US’:  that should follow the chain
> to CN =
> USERTrust RSA Certification Authority.  Since it's not, that would be
> where I would look.  "sudo update-ca-certificates -f" if you need to
> clean up /etc/ssl/certs from old links.
>
> On Sun, Sep 18, 2022 at 9:26 AM Jim via PLUG-discuss wrote:
>
>     I was looking in muon and found wget2.  In the description it
>     says: GNU Wget2 is the successor of GNU Wget.  So I installed
>     wget2 and tested it to find it works.  Do any other apps use
>     wget?  If so, could I replace /usr/bin/wget with a symbolic link
>     to /usr/bin/wget2?  I ask because I thought about using muon to
>     purge wget, but it warned me that a bunch of stuff would also be
>     removed, so I clicked cancel.

>
>     On 9/17/22 15:08, James Mcphee via PLUG-discuss wrote:
>>     wget, curl, etc are compiled with gnu_tls or openssl or libressl,
>>     or whatever.  usually when adding those config options, you'll
>>     have some vars for distro-specific settings.  anyway.  in ubuntu,
>>     ca-certificates is the pkg that holds your normal trust stuff. 
>>     update-ca-certificates is the command you'd use to do the
>>     update.  So, if you think you broke your trust store, you could
>>     try update-ca-certificates, and if that didn't work, a reinstall
>>     of ca-certificates. specifically, what update-ca-certificates
>>     does is takes the list from /etc/ca-certificates.conf from
>>     /etc/ssl/certs and updates the various ca bundles like the java
>>     cacerts and the ca-certificates.txt, and anything else if the
>>     distro decided to use that in its TLS/SSL config.

>>
>>     On Sat, Sep 17, 2022 at 11:46 AM Michael Butash via PLUG-discuss wrote:

>>
>>         Some quick searching as I don't often use wget, it looks like
>>         it doesn't use local system certs, and has no inherent trust
>>         to certs at all.  If you search "wget ssl certificates" like
>>         I just did, you see others posting how to skip the check and
>>         trust anyways, and various discussions wtf this is even a
>>         thing still.  Weird software caveat I'd say it doesn't just
>>         reference system cert trusts, or just hasn't felt the need to
>>         be updated in 20 years because you know, security is meh.

>>
>>         -mb

>>
>>
>>
>>         On Sat, Sep 17, 2022 at 10:40 AM Jim via PLUG-discuss wrote:

>>
>>             It's not just www.gutenberg.org.
>>             That's an example of what happens no matter what site I
>>             try to use wget on.  About the truststore, how do I add
>>             to or update it?  I decided to ask for help after trying
>>             to install openwebrx following the instructions here.
>>             https://www.openwebrx.de/download/ubuntu.php Also I found
>>             out today that something similar happens with
>>             youtube-dl.  I tried to use it today and this is what
>>             happened.   Youtube-dl works if I use the
>>             --no-check-certificate option.

>>
>>             $ youtube-dl https://www.youtube.com/watch?v=VW3XQDDGhA4
>>             [youtube] VW3XQDDGhA4: Downloading webpage
>>             WARNING:Unable to download webpage: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>
>>             [youtube] VW3XQDDGhA4: Downloading API JSON
>>             ERROR:Unable to download API page: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)> (caused by URLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

>>
>>
>>
>>             On 9/16/22 17:33, James Mcphee via PLUG-discuss wrote:
>>>             check out the verification of the cert chain.  it works
>>>             for me with a new build of 20.04, so it might be that
>>>             you need to add or update your truststore.
>>>             openssl s_client -connect www.gutenberg.org:443 < /dev/null | openssl x509 -text -noout

>>>
>>>             up there at the top, this is what it looks like when it
>>>             works
>>>             depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
>>>             verify return:1
>>>             depth=1 C = US, ST = VA, L = Herndon, O = Network Solutions L.L.C., CN = Network Solutions OV Server CA 2
>>>             verify return:1
>>>             depth=0 C = US, ST = Utah, L = Salt Lake City, O = Project Gutenberg Literary Archive Foundation, CN = *.gutenberg.org
>>>             verify return:1
>>>             DONE

>>>
>>>             I can see that i have that usertrust network cert in
>>>             /etc/ssl/certs, so all is good.  if i had to add one i'd
>>>             have then run update-ca-certificates.

>>>
>>>             On Fri, Sep 16, 2022 at 2:17 PM Jim via PLUG-discuss wrote:

>>>
>>>                 This has been bugging me for a while, but today it's
>>>                 annoying me to the point I want to fix it.  Wget
>>>                 gives me an error whenever I try to use it.  I have
>>>                 no problem getting files using a web browser. 
>>>                 Here's an example. Using firefox I was able to
>>>                 download the file, but this can be a pain in the
>>>                 butt when I'm trying to add a repository.  I have
>>>                 Ubuntu 20.04 installed.

>>>
>>>
>>>                 $ wget https://www.gutenberg.org/ebooks/68992.epub.images
>>>                 --2022-09-16 14:08:02--  https://www.gutenberg.org/ebooks/68992.epub.images
>>>                 Resolving www.gutenberg.org (www.gutenberg.org)... 152.19.134.47, 2610:28:3090:3000:0:bad:cafe:47
>>>                 Connecting to www.gutenberg.org (www.gutenberg.org)|152.19.134.47|:443... connected.
>>>                 ERROR: cannot verify www.gutenberg.org's certificate, issued by ‘CN=Network Solutions OV Server CA 2,O=Network Solutions L.L.C.,L=Herndon,ST=VA,C=US’:
>>>                   Self-signed certificate encountered.
>>>                 To connect to www.gutenberg.org insecurely, use `--no-check-certificate'.

>>>
>>>                 Any idea how to fix this?  thanks

>>>
>>>
>>>                 ---------------------------------------------------
>>>                 PLUG-discuss mailing list:
>>>                 
>>>                 To subscribe, unsubscribe, or to change your mail
>>>                 settings:
>>>                 https://lists.phxlinux.org/mailman/listinfo/plug-discuss

>>>
>>>
>>>
>>>             -- 
>>>             James McPhee
>>>             

>>>

>>

>>
>>
>>
>>     -- 
>>     James McPhee
>>     

>>

>
>
>
> --
> James McPhee
>
>
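
The checks suggested in this thread (what `ca_directory` and `check_certificate` resolve to in wgetrc, old links in the CA directory, and whether a root's PEM is in the bundle), as an added shell example that is not part of any post above. The function names are hypothetical, and the fixture directory, file names and certificate bodies are constructed so the script runs offline.

```shell
# Added example (not from the thread): offline checks on wget's trust configuration.
# wgetrc command names are case-, underscore- and dash-insensitive, so keys are
# passed normalised ("cadirectory"); files are read in order, later lines override.
wgetrc_get() {  # usage: wgetrc_get KEY FILE...
    key=$1; shift
    cat "$@" 2>/dev/null | awk -v want="$key" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          k = tolower(substr($0, 1, i - 1)); gsub(/[ \t_-]/, "", k)
          v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == want) val = v }
        END { if (val != "") print val }'
}

# List dangling symlinks in CA directory $1 (the "old links" mentioned above).
dangling_links() {
    for f in "$1"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then echo "$f"; fi
    done
}

# Succeed if the certificate in PEM file $1 also appears in bundle file $2.
# Plain text comparison of the base64 bodies; nothing is cryptographically verified.
pem_in_bundle() {
    body=$(sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$1" |
           grep -v -- '-----' | tr -d ' \r\n')
    [ -n "$body" ] || return 2
    tr -d ' \r\n' < "$2" | grep -qF -- "$body"
}

# Build a constructed trust store and wgetrc under directory $1 (not real CA data).
make_sample() {
    mkdir -p "$1/certs"; b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    printf '%s\n' "$b" 'Q09OU1RSVUNURUQtUk9PVC1B' "$e" > "$1/certs/Root_A.pem"
    printf '%s\n' "$b" 'Q09OU1RSVUNURUQtUk9PVC1C' "$e" > "$1/certs/Root_B.pem"
    cp "$1/certs/Root_A.pem" "$1/certs/ca-certificates.crt"   # bundle lacks Root_B
    ln -s "$1/certs/Removed_CA.pem" "$1/certs/0a1b2c3d.0"     # dangling hash link
    printf '%s\n' '# constructed wgetrc' 'check_certificate = off' \
        "ca-directory=$1/certs" > "$1/wgetrc"
}

# Demo on the constructed sample.
d=$(mktemp -d) && make_sample "$d"
for k in checkcertificate cadirectory; do echo "$k=$(wgetrc_get "$k" "$d/wgetrc")"; done
echo "dangling: $(dangling_links "$d/certs")"
for c in Root_A Root_B; do
    if pem_in_bundle "$d/certs/$c.pem" "$d/certs/ca-certificates.crt"
    then echo "$c: in bundle"; else echo "$c: MISSING from bundle"; fi
done
rm -rf "$d"
```

On a real system, point the functions at /etc/wgetrc, ~/.wgetrc and /etc/ssl/certs. A `check_certificate = off` result means verification has been disabled rather than the trust store repaired.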