When using wget on an SSL/TLS-secured URL, I got the following error:
ERROR: cannot verify whateversite.com certificate issued by “/C=US/O=GeoTrust, Inc./CN=RapidSSL CA”: Unable to locally verify the issuer’s authority. To connect to whateversite.com insecurely, use ‘--no-check-certificate’.
In my case I was attempting to wget an HTTPS URL that was secured with a certificate from a trusted authority and yet I still got the above error.
Yes, you could take wget’s advice and use the --no-check-certificate option for wget, but that would be bad: it turns off certificate verification entirely, so anyone who can get between your script and the server can hand it whatever they like. Don’t get accustomed to avoiding errors by suppressing them.
You need to use openssl s_client to discover the certificate chain the server actually presents, thusly:
openssl s_client -connect whateversite.com:443 -debug
The “Certificate chain” block near the top of the output lists each certificate the server sent with its subject (s:) and issuer (i:); add -showcerts if you also want the PEM text of each one rather than just the server’s own certificate.
Once you’ve figured out what the certificate chain looks like, check your main certificate file, probably named cert.pem (finding it is an exercise left for the reader). Check whether the certificates required by the site you’re trying to wget are in that file. In practice the one that is missing is usually the intermediate CA named as the issuer in the error (here “RapidSSL CA”), which the server should be sending along with its own certificate but often isn’t; “Unable to locally verify the issuer’s authority” means the issuer of the last certificate you received is not in your local store. If the needed certificates are not there, you’ll need to acquire them and either append them to your main certificate file, or create a separate file and point to it with your wget command using the
The Long Story
Imagine my surprise when I was trying to automate a simple process using wget, and I was stymied by the error:
ERROR: cannot verify whateversite.com certificate
The site was protected by a GeoTrust RapidSSL certificate. According to the wget man page, by default (at least in wget 1.12 which is what I was using at the time of this post) wget “looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.” To find out where that location is, you’ll want to read “How to Determine OpenSSL’s Default Directory OPENSSLDIR.“
After I ran openssl s_client -connect whateversite.com:443 -debug and saw the errors listed above, I grep’d through my cert.pem file for any mention of the word “rapid.” No results were found, of course. I cursed cheap certificates and started searching for the RapidSSL certificate bundle. I finally found it here.
If the endpoint in question is using a self-signed certificate, then you’re going to have to just grab the certificate and copy / paste the presented certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (that is what s_client prints; the “TRUSTED CERTIFICATE” header is a different OpenSSL format that carries trust attributes). Doing that pins your script to that exact key, so confirm the certificate’s fingerprint with whoever runs the endpoint before you trust it. Just don’t get into the habit of accepting self-signed certificates… which no one does. Certainly not me. <_<
Once it was downloaded, I had some options. I could append it to the main cert.pem file for the server in question, but I wasn’t comfortable with changing the entire server’s behavior: there was no need for everything on that server to accept each and every RapidSSL certificate.
Instead, I chose to use the --ca-certificate=file option of wget. In the words of wget’s man page:
Use file as the file with the bundle of certificate authorities (“CA”) to verify the peers. The certificates must be in PEM format. Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.
That way I can run wget in my script, not get into the bad habit of suppressing warnings, and not make universal changes to the server. Bear in mind what the man page says: with this option the system locations are no longer consulted, so the file has to carry the whole chain you rely on, root included, and everything in it is a trust anchor for that script. Keep it as small as the job needs. And all was happy in the land. Until the secure login page wouldn’t work with wget’s post option, which is a different blog post.
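The whole procedure above, as an added example that is not from the original post: it builds a throwaway root, intermediate and site certificate with openssl so that it runs offline, reproduces the failure (only the root in cert.pem, the intermediate not sent by the “server”), then builds the private bundle the post settles on and shows verification succeeding against it. The CA names, file names and the helper functions (split_pem, issuer_in_bundle, verify_status) are made up for this demo; the only thing taken from the post is the shape of the fix.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Everything below is a
# constructed stand-in for the GeoTrust root / RapidSSL intermediate /
# site certificate chain the post talks about.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so `openssl req` does not depend on a system openssl.cnf,
# plus extension files that work on both OpenSSL 1.x and 3.x.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:whateversite.com\n' > leaf.ext

# Throwaway root CA (stands in for the root a system bundle already has).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -keyout root.key -out root.csr -subj "/C=US/O=Example Trust/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate CA signed by the root (stands in for "RapidSSL CA").
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -keyout int.key -out int.csr -subj "/C=US/O=Example Trust/CN=Example Cheap CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out int.pem 2>/dev/null

# Site certificate signed by the intermediate.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -keyout leaf.key -out leaf.csr -subj "/CN=whateversite.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# The system trust store knows only the root, like the post's cert.pem.
cp root.pem cert.pem

# Split a PEM file (e.g. one saved from `openssl s_client -showcerts`)
# into one certificate per file under the given directory.
split_pem() {                                  # split_pem chain.pem outdir
  mkdir -p "$2"
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
}

# Return 0 if some certificate in bundle $2 has the subject that $1 names
# as its issuer. This is the post's grep for "rapid", done on parsed names.
issuer_in_bundle() {                           # issuer_in_bundle leaf.pem bundle.pem
  want=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  split_pem "$2" "$WORK/scan"
  found=1
  for c in "$WORK"/scan/*.pem; do
    have=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
    [ "$have" = "$want" ] && found=0
  done
  rm -rf "$WORK/scan"
  return $found
}

# "ok" if OpenSSL can chain leaf $2 to a trust anchor in bundle $1, else
# "fail". With only the root present and no intermediate on the wire,
# OpenSSL reports "unable to get local issuer certificate", which is the
# condition wget relays as "Unable to locally verify the issuer's authority".
verify_status() {                              # verify_status bundle.pem leaf.pem
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The fix from the post: a private bundle holding the root plus the
# missing intermediate, to be passed to wget as --ca-certificate=bundle.pem.
cat root.pem int.pem > bundle.pem

echo "issuer of leaf in cert.pem:   $(issuer_in_bundle leaf.pem cert.pem && echo yes || echo no)"
echo "verify against cert.pem:      $(verify_status cert.pem leaf.pem)"
echo "issuer of leaf in bundle.pem: $(issuer_in_bundle leaf.pem bundle.pem && echo yes || echo no)"
echo "verify against bundle.pem:    $(verify_status bundle.pem leaf.pem)"
```

Against a real server, the PEM blocks to feed split_pem come from `openssl s_client -connect whateversite.com:443 -showcerts </dev/null`, and the bundle you hand to --ca-certificate should contain the root as well as the intermediate, since, per the man page quoted above, the file stands in for the system locations rather than adding to them. If the intermediate is the only thing missing, the better long-term fix is for the server operator to send it in the handshake; the private bundle is the workaround for when you don’t control the server.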