This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: wget does not recognize PKI?

From: Lee <ler762 at gmail dot com>
To: cygwin at cygwin dot com
Date: Mon, 6 Aug 2018 03:29:07 -0400
Subject: Re: wget does not recognize PKI?
References: <1964416456.20180805201253@yandex.ru>

On 8/5/18, Andrey Repin wrote:
> Greetings, All!

Greetings, Andrey Repin!

> $ wget https://ca.rootdir.org/ca.crl
> --2018-08-05 20:05:28--  https://ca.rootdir.org/ca.crl
> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443...
> connected.
> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>
> $ "$( which wget )" --version
> GNU Wget 1.19.1 built on cygwin.
>
> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
> +opie +psl +ssl/gnutls
>
> The root CA certificate is correctly installed and hashed.

Apparently not.  Does it work if you tell wget to use your root CA cert?
‘--ca-certificate=FILE’
     Use FILE as the file with the bundle of certificate authorities
     (“CA”) to verify the peers.  The certificates must be in PEM
     format.

     Without this option Wget looks for CA certificates at the
     system-specified locations, chosen at OpenSSL installation time.

& you probably have, but to be sure.. you looked at 'info
update-ca-trust' - right?

This might help verify your trust store:
$ cat listcerts.sh
#!/bin/sh
# ref: https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle

if [ $# -eq 1 ]; then
   # bundle specified
   FILE="$1"
   if [ ! -r $FILE ]; then
      echo "p1 unreadable: $FILE"
      exit 1
   fi
else
   FILE="/usr/ssl/certs/ca-bundle.crt"
 # FILE="/etc/pki/tls/certs/ca-bundle.crt"
 # FILE="/etc/pki/tls/certs/ca-bundle.trust.crt"
fi


cat $FILE |\
awk -v cmd="openssl x509 -noout -subject " '
/^-----BEGIN/ { c = $0; next }
{ c = c "\n" $0 }
/^-----END/ { print c|cmd; close(cmd); c = "" }
'

# openssl x509 -noout -text
#  to see all the certificate info
# oopenssl x509 -noout -subject
#  to see just the subject

$

Regards,
Lee

>
> $ ls -l /etc/ssl/certs/
> total 3
> lrwxrwxrwx  1 anrdaemon None  13 мар 31 01:30 a94d09e5.0 -> ca-bundle.crt
> lrwxrwxrwx  1 anrdaemon None  49 мар 12 02:29 ca-bundle.crt ->
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> lrwxrwxrwx  1 anrdaemon None  55 мар 12 02:29 ca-bundle.trust.crt ->
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> lrwxrwxrwx  1 anrdaemon None  18 мар 31 01:30 dd07c56a.0 ->
> Rootdir.org_CA.crt
> drwxr-xr-x+ 1 anrdaemon None   0 апр 22 16:50 demo
> drwxr-xr-x+ 1 anrdaemon None   0 апр 22 16:50 expired
> -rw-r--r--  1 anrdaemon None 165 апр  3 14:04 README.RootCerts
> lrwxrwxrwx  1 anrdaemon None  29 фев 14 04:41 Rootdir.org_CA.crt ->
> /etc/ssl/ca-20120530-0121.crt
>
> What's going on?
>
>
> --
> With best regards,
> Andrey Repin
> Sunday, August 5, 2018 20:07:02
>
> Sorry for my terrible english...

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Follow-Ups:
- Re: wget does not recognize PKI?
  - From: Andrey Repin

References:
- wget does not recognize PKI?
  - From: Andrey Repin

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]