Solving wget “ERROR: cannot verify site certificate. Unable to locally verify the issuer’s authority.”

My Problem

When using wget on a SSL/TLS secured URL, I got the following error:

ERROR: cannot verify certificate
issued by “/C=US/O=GeoTrust, Inc./CN=RapidSSL CA”:
Unable to locally verify the issuer’s authority.
To connect to insecurely, use ‘--no-check-certificate’.

In my case I was attempting to wget an HTTPS URL that was secured with a certificate from a trusted authority and yet I still got the above error.

My Solution

Yes, you could take wget’s advice and use the --no-check-certificate option for wget, but that would be bad. Don’t get accustomed to avoiding errors by suppressing them.

You need to use openssl s_client to discover the certificate’s chain, thusly:

openssl s_client -connect -debug

Once you’ve figured out what the certificate chain looks like, check your main certificate file, probably named cert.pem (finding that is an exercise left for the reader). Check whether the certificates required by the site you’re trying to wget are in your certificate file. If not, you’ll need to acquire them and either append them to your main certificate file, or create a separate file and point to it with your wget command using the --ca-certificate option.

The Long Story

Imagine my surprise when I was trying to automate a simple process using wget, and I was stymied by the error:

ERROR: cannot verify certificate

The site was protected by a GeoTrust RapidSSL certificate. According to the wget man page, by default (at least in wget 1.12, which is what I was using at the time of this post) wget “looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.” To find out where that location is, you’ll want to read “How to Determine OpenSSL’s Default Directory OPENSSLDIR.”

After I ran openssl s_client -connect -debug and saw the errors listed above, I grep’d through my cert.pem file for any mention of the word “rapid.” No results were found, of course. I cursed cheap certificates and started searching for the RapidSSL certificate bundle. I finally found it here.

If the endpoint in question is using a self-signed certificate, then you’re going to have to grab the certificate yourself by copying and pasting the presented certificate from -----BEGIN TRUSTED CERTIFICATE----- to -----END TRUSTED CERTIFICATE-----. Just don’t get into the habit of accepting self-signed certificates… which no one does. Certainly not me. <_<

Once the bundle was downloaded, I had some options. I could append the certificates to the main cert.pem file for the server in question. I wasn’t comfortable with changing the entire server’s behavior. There was no need to accept each and every RapidSSL cert across the whole server.

Instead, I chose to use the --ca-certificate=file option of wget. In the words of wget’s man page:

Use file as the file with the bundle of certificate authorities (“CA”) to verify the peers. The certificates must be in PEM format. Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.

That way I can run wget in my script, not be in the bad habit of suppressing warnings, and not make universal changes to the server. And all was happy in the land. Until the secure login page wouldn’t work with wget’s post option, which is a different blog post.
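The steps above (pull the chain with openssl s_client, see which issuer is missing from your bundle, then hand wget a bundle that contains it via --ca-certificate) are worth scripting so the check happens before the download rather than after the error. The following POSIX sh script is an added example written for this post; it is not the author’s script, and it assumes openssl and wget are on the PATH. The host, port, bundle path and URL are placeholders you substitute. It uses -showcerts so every certificate the server sends is captured, and openssl verify to answer the question “does my bundle contain this site’s issuer?” without touching the system-wide cert.pem.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes openssl and wget are
# installed; HOST, PORT, BUNDLE and URL below are placeholders.

# fetch_chain HOST PORT OUTFILE
# Save every certificate the server presents (leaf first) into OUTFILE.
# '-showcerts' is what makes s_client print the whole chain, not just the leaf.
fetch_chain() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# count_certs PEMFILE: number of certificates in a PEM bundle or chain file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# split_chain CHAINFILE DIR
# Write each certificate in CHAINFILE to DIR/cert-N.pem (N starting at 1),
# so each one can be inspected or verified on its own.
split_chain() {
    chain=$1; dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$chain"
}

# print_issuers DIR: one "subject / issuer" pair per certificate in DIR.
# The issuer of the last one is the root you need in your CA bundle.
print_issuers() {
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -noout -subject -issuer -in "$f"
    done
}

# chain_verifies LEAF BUNDLE [INTERMEDIATES]
# Exit 0 if LEAF chains up to a root in BUNDLE, optionally through the
# intermediates in INTERMEDIATES (which are not themselves trusted); 1 otherwise.
chain_verifies() {
    leaf=$1; bundle=$2; inter=$3
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$bundle" -untrusted "$inter" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1
    fi
}

# fetch_with_bundle URL BUNDLE
# Run wget against a private CA bundle instead of the system-wide cert.pem,
# and never fall back to --no-check-certificate.
fetch_with_bundle() {
    wget --ca-certificate="$2" "$1"
}

# Typical use (placeholders):
#   fetch_chain example.test 443 /tmp/chain.pem
#   split_chain /tmp/chain.pem /tmp/chain
#   print_issuers /tmp/chain
#   chain_verifies /tmp/chain/cert-1.pem /path/to/my-bundle.pem /tmp/chain.pem \
#       && fetch_with_bundle https://example.test/ /path/to/my-bundle.pem
```

If chain_verifies fails, print_issuers tells you which issuer is absent; add that CA’s certificate (from the CA, not copied out of the s_client output) to the bundle you pass to --ca-certificate, and only then run the download.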


  1. avzblog

    August 19, 2014 at 6:25 am

    “You need to use openssl s_client to discover the certificate’s chain” – to see all the certificates, the ‘-showcerts’ option is also needed.

