This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: wget does not recognize PKI?
- From: Andrey Repin <anrdaemon at yandex dot ru>
- To: Lee <ler762 at gmail dot com>, cygwin at cygwin dot com
- Date: Mon, 6 Aug 2018 13:03:55 +0300
- Subject: Re: wget does not recognize PKI?
- References: <1964416456.20180805201253@yandex.ru> <CAD8GWssOdAt=MgArgPWPKCvyu9rstqCHyLEa=WM+zzp3-OMLWw@mail.gmail.com>
- Reply-to: cygwin at cygwin dot com
Greetings, Lee!
> On 8/5/18, Andrey Repin wrote:
>> Greetings, All!
> Greetings, Andrey Repin!
>> $ wget https://ca.rootdir.org/ca.crl
>> --2018-08-05 20:05:28-- https://ca.rootdir.org/ca.crl
>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443...
>> connected.
>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>
>> $ "$( which wget )" --version
>> GNU Wget 1.19.1 built on cygwin.
>>
>> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
>> +opie +psl +ssl/gnutls
>>
>> The root CA certificate is correctly installed and hashed.
> Apparently not.
curl and openssl see it.
Both Cygwin and native openssl.
> Does it work if you tell wget to use your root CA cert?
> ‘--ca-certificate=FILE’
It does, of course, but why doesn't it see the PKI by itself?
$ wget --ca-certificate=/etc/ssl/certs/dd07c56a.0 https://ca.rootdir.org/ca.crl
--2018-08-06 12:46:14-- https://ca.rootdir.org/ca.crl
Loaded CA certificate '/etc/ssl/certs/dd07c56a.0'
Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 872 [application/octet-stream]
Saving to: ‘ca.crl’
ca.crl 100%[================================>] 872 --.-KB/s in 0s
2018-08-06 12:46:14 (18.0 MB/s) - ‘ca.crl’ saved [872/872]
> Use FILE as the file with the bundle of certificate authorities
> (“CA”) to verify the peers. The certificates must be in PEM
> format.
> Without this option Wget looks for CA certificates at the
> system-specified locations, chosen at OpenSSL installation time.
> & you probably have, but to be sure.. you looked at 'info
> update-ca-trust' - right?
No. Hashing /etc/ssl/certs has been enough for a long while.
I followed the directions, and it indeed fixed the issue, but I'm surprised by
the change in behavior.
--
With best regards,
Andrey Repin
Monday, August 6, 2018 12:44:13
Sorry for my terrible english...
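
Added example, not part of the original message or of Cygwin's own tooling: it reads the `+ssl/<lib>` flag from `wget --version` to tell which trust store that build consults, then stages a private root CA as a trust anchor. The anchors directory, the `UPDATE_CMD` variable and the function names are assumptions; confirm the paths with 'info update-ca-trust'.

```shell
#!/bin/sh
# Added example. Assumed layout: Fedora-style ca-certificates, where local
# anchors live in the directory below and update-ca-trust rebuilds bundles.
ANCHORS_DIR=${ANCHORS_DIR:-/etc/pki/ca-trust/source/anchors}
UPDATE_CMD=${UPDATE_CMD:-update-ca-trust}

# Print the TLS library named in the "+ssl/<lib>" feature flag.
# $1: full text of `wget --version`
wget_tls_backend() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's|^+ssl/||p' | head -n 1
}

# Map the backend to the trust-store step that applies to it.
trust_store_action() {
    case "$1" in
        openssl) echo "hashed-dir" ;;       # subject-hash lookup in the certs dir
        gnutls)  echo "update-ca-trust" ;;  # the step that fixed it in this thread
        "")      echo "no-https" ;;         # build has no +ssl/<lib> flag
        *)       echo "unknown" ;;
    esac
}

# Copy a PEM root certificate into the anchors directory and rebuild the
# consolidated trust bundles. Refuses input that is not PEM.
# $1: path to the certificate file
stage_anchor() {
    pem=$1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || {
        echo "not a PEM certificate: $pem" >&2
        return 1
    }
    cp -- "$pem" "$ANCHORS_DIR/" || return 1
    "$UPDATE_CMD"
}

# Feature lines copied from the wget --version output quoted in the message.
SAMPLE='-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
+opie +psl +ssl/gnutls'

backend=$(wget_tls_backend "$SAMPLE")
echo "backend=$backend action=$(trust_store_action "$backend")"
# On a live system: wget_tls_backend "$(wget --version)"
```

After staging the anchor, rerun the original `wget` without `--ca-certificate` to confirm the system store is now used.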