33

I am not able to open any https URLs using wget or curl:

$ wget https://www.python.org
--2015-04-27 17:17:33--  https://www.python.org/
Resolving www.python.org (www.python.org)... 103.245.222.223
Connecting to www.python.org (www.python.org)|103.245.222.223|:443... connected.
ERROR: cannot verify www.python.org's certificate, issued by "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA":
  Unable to locally verify the issuer's authority.
To connect to www.python.org insecurely, use '--no-check-certificate'.

$ curl https://www.python.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

This is using wget 1.12 and curl 7.30.0 on CentOS 5.5. It sounds like something is wrong with my local certificate store, but I have no idea how to proceed from here. Any ideas?

Update: After upgrading the openssl package from 0.9.8e-12.el5_4.6 to 0.9.8e-33.el5_11, there is now a different error:

$ wget https://pypi.python.org
--2015-04-28 10:27:35--  https://pypi.python.org/
Resolving pypi.python.org (pypi.python.org)... 103.245.222.223
Connecting to pypi.python.org (pypi.python.org)|103.245.222.223|:443... connected.
ERROR: certificate common name "www.python.org" doesn't match requested host name "pypi.python.org".
To connect to pypi.python.org insecurely, use '--no-check-certificate'.
aco
  • I think the root certificates are in the `ca-certificates` package. Is this package installed? Maybe try reinstalling it. If that's not the problem, run `strace -o /tmp/wget.strace wget https://www.python.org` and post the resulting trace, that should tell us where the problem is. – Gilles 'SO- stop being evil' Apr 27 '15 at 13:06
  • @Gilles - I upgraded the openssl package from 0.9.8e-12.el5_4.6 to 0.9.8e-33.el5_11 and the error went away (perhaps this reinstalled the root certificates?), but now there is a different error. – aco Apr 28 '15 at 00:32
  • That looks like a transient error with this specific site. Do other sites work? – Gilles 'SO- stop being evil' Apr 28 '15 at 00:36
  • @Gilles - Other websites don't work either. For example, Google returns the error: certificate common name "google.com" doesn't match requested host name "www.google.com.au". – aco Apr 28 '15 at 03:47
  • I could fix the same problem by disabling SELinux: http://www.crypt.gen.nz/selinux/disable_selinux.html Cheers! – Jul 29 '15 at 15:48

8 Answers

11

I was having a similar error with https://excellmedia.dl.sourceforge.net/project/astyle/astyle/astyle%203.0.1/astyle_3.0.1_linux.tar.gz on a Docker image (circleci/jdk8:0.1.1).

In my case, upgrading ca-certificates solved the issue:

sudo apt-get install ca-certificates

5

The problem is lack of support for Server Name Indication. You need at least wget 1.14 or curl 7.18.1, and you need at least OpenSSL 0.9.8f, according to Wikipedia:

https://en.wikipedia.org/wiki/Server_Name_Indication#Implementation

Chuck E
4

Solution 1:

openssl s_client -connect whateversite.com:443 -debug 

Get the certificate key and copy it to /etc/ssl/certs.

$ wget https://www.python.org --ca-certificate=/etc/ssl/certsfile

If you want to go the insecure way, then try solution 2.

Solution 2:

$ wget https://www.python.org --no-check-certificate

or Using Curl

$ curl https://www.python.org --insecure
Ruban Savvy
    “Doctor, I can't walk on my left leg. — Solution 1: move what you need close to your chair so that you don't need to stand. Solution 2: hop.” No, the solution is to cure the problem. Which, here, means repairing or reinstalling the root CA certificates. – Gilles 'SO- stop being evil' Apr 27 '15 at 13:04
  • This is only good for self-signed, self-issued certificates. – Pavel Niedoba Jul 21 '16 at 15:58
    Yep, this is a bad idea. Solution 1 is insecure *too*. All you are doing is bypassing wget's checking by automatically trusting the certificate from this point onwards. You should be fixing the underlying problem by actually fixing the root certificates wget has access to. – Andrew Ferrier Apr 04 '17 at 15:58
  • Although this is only a workaround if your sysadmins force you to use broken root certificate lists or draconian security settings, it doesn't deserve the hate. – nurettin Jul 24 '17 at 07:00
  • Much better workaround than disabling certificates completely. Not a solution for OP, but for others. The command should specify the server, to show the correct certificate: `openssl s_client -showcerts -servername some.site.com -connect some.site.com:443` – papo May 21 '20 at 22:02
3

Update the time on the server. One second can cause this issue!

Check with:

date

Red Hat/CentOS 6/7:

yum -y install ntpdate; /usr/sbin/ntpdate -u pool.ntp.org

Ubuntu/Debian:

apt-get -y install ntpdate; /usr/sbin/ntpdate -u pool.ntp.org

3

wget prior to 1.14 does not support Subject Alternative Name (SAN)*. PyPI uses a SAN as an alternative to its CN in its certificate, and wget is choking on the mismatch. Upgrading wget should resolve it.

* or possibly Server Name Indication (SNI) - I'm not sure which applies here.

References:

Heath Raftery
2

echo "check_certificate = off" >> ~/.wgetrc

Robert A
0

If you're on macOS and are having this issue, run wget as follows:

wget -c --ca-certificate=/usr/local/etc/ssl/cert.pem https://www.python.org

This references the file with your CA certificate bundle. It should be under /usr/local/etc/ssl.

To avoid having to type --ca-certificate= all the time, you can put the following in your wgetrc:

ca_certificate=/usr/local/etc/ssl/cert.pem

And then run wget as usual. Your wgetrc should be under /usr/local/etc.

If that still doesn't work, update your OpenSSL [LibreSSL on macOS] to a recent version.

wget -c --no-check-certificate https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-{version_number}.tar.gz
tar -xzf libressl-{version_number}.tar.gz
cd libressl-{version_number}
./configure
make
sudo make install

where {version_number} should be replaced with an actual version number e.g. 3.2.5, etc.

Note: It's important that you are running a recent wget version, i.e. after 1.18. If not, please update wget.

ObiHill
0

If you can connect to the site with a browser,

-> Click on the padlock sign before the address bar, and retrieve the certificate (usually a .pem file).

-> Run these commands

cp <the_certificate_file.pem> /etc/pki/ca-trust/source/anchors/
update-ca-trust

Worked on CentOS Linux 7.

ymudyruc