FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 05-19-2011, 05:27 AM
 
Default wget & certificates

I have strange problem with wget:
$wget -e "background = off" -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl'

--8<---------------cut here---------------start------------->8---
--2011-05-19 07:26:00-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl
Resolving www.centrum24.pl... 195.20.110.130
Connecting to www.centrum24.pl|195.20.110.130|:443... connected.
ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA':
Unable to locally verify the issuer's authority.
To connect to www.centrum24.pl insecurely, use `--no-check-certificate'.
--8<---------------cut here---------------end--------------->8---

Connecting with iceweasel seems ok?
What is wrong, what to check?
KJ


--
http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/
"In order to form an immaculate member of a flock
of sheep one must, above all, be a sheep"
- Albert Einstein


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 87y623xnsp.fsf@alfa.kjonca">http://lists.debian.org/87y623xnsp.fsf@alfa.kjonca
 
Old 05-19-2011, 09:34 AM
David Sastre
 
Default wget & certificates

On Thu, May 19, 2011 at 07:27:34AM +0200, Kamil Jońca wrote:
>
> I have strange problem with wget:
> $wget -e "background = off" -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl'
>
> --8<---------------cut here---------------start------------->8---
> --2011-05-19 07:26:00-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl
> Resolving www.centrum24.pl... 195.20.110.130
> Connecting to www.centrum24.pl|195.20.110.130|:443... connected.
> ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA':
> Unable to locally verify the issuer's authority.
> To connect to www.centrum24.pl insecurely, use `--no-check-certificate'.
> --8<---------------cut here---------------end--------------->8---
>
> Connecting with iceweasel seems ok?
> What is wrong, what to check?
> KJ

Check that your version supports https. It should be listed in the
output of 'wget -V'. wget-1.12-2.1 from the squeeze repos supports it.

I have tried that URL without problem:

$ LANG=C; wget -e "background = off" -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl'
--2011-05-19 11:29:20-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl
Resolving www.centrum24.pl... 195.20.110.130
Connecting to www.centrum24.pl|195.20.110.130|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl'

[ <=> ] 29,601 --.-K/s in 0.1s

2011-05-19 11:29:20 (275 KB/s) - `www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl' saved [29601]

Not knowing the contents of your .wgetrc (if any), I'd check ca_certificate and ca_directory.
Failing that, try adding --no-check-certificate.

--
Huella de clave primaria: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56
 
Old 06-02-2011, 03:17 AM
 
Default wget & certificates

David Sastre <d.sastre.medina@gmail.com> writes:

> On Thu, May 19, 2011 at 07:27:34AM +0200, Kamil Jońca wrote:
>>
>> I have strange problem with wget:
>> $wget -e "background = off" -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl'
>>
>> --8<---------------cut here---------------start------------->8---
>> --2011-05-19 07:26:00-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl
>> Resolving www.centrum24.pl... 195.20.110.130
>> Connecting to www.centrum24.pl|195.20.110.130|:443... connected.
>> ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA':
>> Unable to locally verify the issuer's authority.
>> To connect to www.centrum24.pl insecurely, use `--no-check-certificate'.
>> --8<---------------cut here---------------end--------------->8---
>>
>> Connecting with iceweasel seems ok?
>> What is wrong, what to check?
>> KJ
>
> Check that your version supports https. It should be listed in the
> output of 'wget -V'. wget-1.12-2.1 from the squeeze repos supports it.


Wget -V
--8<---------------cut here---------------start------------->8---
GNU Wget 1.12 built on linux-gnu.

+digest +ipv6 +nls +ntlm +opie +md5/openssl +https -gnutls +openssl
-iri

Wgetrc:
/home/kjonca/.wgetrc (user)
/etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
-DLOCALEDIR="/usr/share/locale" -I. -I../lib -g -O2 -DNO_SSLv2
-D_FILE_OFFSET_BITS=64 -O2 -g -Wall
Link: gcc -g -O2 -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -O2 -g -Wall
/usr/lib/libssl.so /usr/lib/libcrypto.so -ldl -lrt ftp-opie.o
openssl.o http-ntlm.o gen-md5.o ../lib/libgnu.a
--8<---------------cut here---------------end--------------->8---

/etc/wgetrc - exists, but whole file is commented out
~/.wgetrc - only "use_proxy = on"


When I connect to site via Firefox[1], I ends with certificate:

--8<---------------cut here---------------start------------->8---
S/N 18A1:9E:26:7D:E8:BB:4A:21:58:CD:CC:6B:3B:4A
Subject:
CN = VeriSign Class 3 Public Primary Certification Authority - G5
OU = "(c) 2006 VeriSign, Inc. - For authorized use only"
OU = VeriSign Trust Network
O = "VeriSign, Inc."
C = US
--8<---------------cut here---------------end--------------->8---

I have this cert under
/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Auth ority_-_G5.crt

and after c_rehash I have:

--8<---------------cut here---------------start------------->8---
ll $(find -type l -lname "*VeriSign_Class_3_Public_Primary_Certification_Au thority_-_G5*")
lrwxrwxrwx 1 root root 64 Jun 2 05:07 ./b204d74a.0 -> VeriSign_Class_3_Public_Primary_Certification_Auth ority_-_G5.crt
lrwxrwxrwx 1 root root 64 Jun 2 05:07 ./facacbc6.0 -> VeriSign_Class_3_Public_Primary_Certification_Auth ority_-_G5.crt
lrwxrwxrwx 1 root root 99 Jun 2 04:52 ./VeriSign_Class_3_Public_Primary_Certification_Auth ority_-_G5.crt -> /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Auth ority_-_G5.crt
lrwxrwxrwx 1 root root 99 Jun 2 05:04 ./VeriSign_Class_3_Public_Primary_Certification_Auth ority_-_G5.pem -> /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Auth ority_-_G5.crt
--8<---------------cut here---------------end--------------->8---

but stracing wget shows that it try to open completely different file

--8<---------------cut here---------------start------------->8---
[...]
stat("/usr/lib/ssl/certs/415660c1.0", {st_mode=S_IFREG|0644, st_size=834, ...}) = 0
open("/usr/lib/ssl/certs/415660c1.0", O_RDONLY) = 5
[...]
--8<---------------cut here---------------end--------------->8---

(/usr/lib/ssl/certs is symlink to /etc/ssl/certs)

Any ideas?

KJ





[1] - it's Fx4 from http://mozilla.debian.net/
--
http://sporothrix.wordpress.com/2011/01/16/usa-sie-krztusza-kto-nastepny/
Spokojnie... To tylko prowokacja.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 877h94udjv.fsf@alfa.kjonca">http://lists.debian.org/877h94udjv.fsf@alfa.kjonca
 
Old 06-02-2011, 11:53 AM
Camaleón
 
Default wget & certificates

On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote:

> I have strange problem with wget:

(...)

> Validation SSL SGC CA':
> Unable to locally verify the issuer's authority.
> To connect to www.centrum24.pl insecurely, use `--no-check-certificate'.

Wget cannot validate the CA and thus drops the connection.

You can:

1/ Discard "https://" and use plain "http" (unencrypted channel) as
suggested (don't do this unless you trust the site you are connecting to).

2/ Install "ca-certificates" package and point wget so it can find it
(wget --ca-certificate=/usr/share/ca-certificates/cacert.org/
cacert.org.crt ...)

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: pan.2011.06.02.11.53.37@gmail.com">http://lists.debian.org/pan.2011.06.02.11.53.37@gmail.com
 
Old 06-02-2011, 01:22 PM
 
Default wget & certificates

Camaleón <noelamac@gmail.com> writes:

> On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote:
>
>> I have strange problem with wget:
>
> (...)
>
>> Validation SSL SGC CA':
>> Unable to locally verify the issuer's authority.
>> To connect to www.centrum24.pl insecurely, use `--no-check-certificate'.
>
> Wget cannot validate the CA and thus drops the connection.
>
> You can:
>
> 1/ Discard "https://" and use plain "http" (unencrypted channel) as
> suggested (don't do this unless you trust the site you are connecting
> to)
I want to use encrypted channel.
>
> 2/ Install "ca-certificates" package and point wget so it can find it
> (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/
> cacert.org.crt ...)

"ca-certificates" were installed earlier. MOreover using
--ca-certificate option (ie.

--8<---------------cut here---------------start------------->8---
wget -v -x --ca-certificate=/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Auth ority_-_G5.crt 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl'
--8<---------------cut here---------------end--------------->8---
doesn't change wget's behavior; still wants to open
"/usr/lib/ssl/certs/415660c1.?" )


Moreover i noticed that fetchmail on one of my accounts shows the same
- cannot validate CA

KJ



--
http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/
kondensator - kondensatorych - kondensatoremu
(odmiana słowa "kondensator" według MS Word 6.0)


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 87ipsos6zd.fsf@alfa.kjonca">http://lists.debian.org/87ipsos6zd.fsf@alfa.kjonca
 
Old 06-02-2011, 02:02 PM
Camaleón
 
Default wget & certificates

On Thu, 02 Jun 2011 15:22:46 +0200, Kamil Jońca wrote:

> Camaleón <noelamac@gmail.com> writes:
>
>> On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote:
>>
>>> Validation SSL SGC CA':
>>> Unable to locally verify the issuer's authority.
>>> To connect to www.centrum24.pl insecurely, use
>>> `--no-check-certificate'.
>>
>> Wget cannot validate the CA and thus drops the connection.
>>
>> You can:
>>
>> 1/ Discard "https://" and use plain "http" (unencrypted channel) as
>> suggested (don't do this unless you trust the site you are connecting
>> to)

> I want to use encrypted channel.

Fair enough :-)

Just for testing purposes, what happens when you run this?

wget --no-check-certificate https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl

(note that should still getting through the encrypted channel)

Moreover, are you getting the same error with another "https://" site?

I.e.: wget https://www.google.com

>> 2/ Install "ca-certificates" package and point wget so it can find it
>> (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/
>> cacert.org.crt ...)
>
> "ca-certificates" were installed earlier. MOreover using
> --ca-certificate option (ie.
>
> --8<---------------cut here---------------start------------->8--- wget
> -v -x
> --ca-certificate=/usr/share/ca-certificates/mozilla/
VeriSign_Class_3_Public_Primary_Certification_Auth ority_-_G5.crt
> 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl'
> --8<---------------cut here---------------end--------------->8---
> doesn't change wget's behavior; still wants to open
> "/usr/lib/ssl/certs/415660c1.?" )

Why are you pointing to that cert specifically? :-?

> Moreover i noticed that fetchmail on one of my accounts shows the same -
> cannot validate CA

That's weird.

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: pan.2011.06.02.14.02.45@gmail.com">http://lists.debian.org/pan.2011.06.02.14.02.45@gmail.com
 
Old 06-02-2011, 02:58 PM
 
Default wget & certificates

Camaleón <noelamac@gmail.com> writes:

> On Thu, 02 Jun 2011 15:22:46 +0200, Kamil Jońca wrote:
>
>> Camaleón <noelamac@gmail.com> writes:
>>
>>> On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote:
>>>
>>>> Validation SSL SGC CA':
>>>> Unable to locally verify the issuer's authority.
>>>> To connect to www.centrum24.pl insecurely, use
>>>> `--no-check-certificate'.
>>>
>>> Wget cannot validate the CA and thus drops the connection.
>>>
>>> You can:
>>>
>>> 1/ Discard "https://" and use plain "http" (unencrypted channel) as
>>> suggested (don't do this unless you trust the site you are connecting
>>> to)
>
>> I want to use encrypted channel.
>
> Fair enough :-)
>
> Just for testing purposes, what happens when you run this?
>
> wget --no-check-certificate https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl

Works.

>
> (note that should still getting through the encrypted channel)
>
> Moreover, are you getting the same error with another "https://" site?
>
> I.e.: wget https://www.google.com

Works.

>
>>> 2/ Install "ca-certificates" package and point wget so it can find it
>>> (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/
>>> cacert.org.crt ...)
>>
>> "ca-certificates" were installed earlier. MOreover using
>> --ca-certificate option (ie.
>>
>> --8<---------------cut here---------------start------------->8--- wget
>> -v -x
>> --ca-certificate=/usr/share/ca-certificates/mozilla/
> VeriSign_Class_3_Public_Primary_Certification_Auth ority_-_G5.crt
>> 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl'
>> --8<---------------cut here---------------end--------------->8---
>> doesn't change wget's behavior; still wants to open
>> "/usr/lib/ssl/certs/415660c1.?" )
>
> Why are you pointing to that cert specifically? :-?

As I wrote earlier - mozilla shows this as final CA for this site.


KJ

--
http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/
Zanim wlaczysz komputer, zastanow sie: Czy jestes absolutnie pewien(na), ze nie
jest podlaczany do wyrzutni rakiet?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 87aae0s2k0.fsf@alfa.kjonca">http://lists.debian.org/87aae0s2k0.fsf@alfa.kjonca
 
Old 06-03-2011, 01:14 PM
Camaleón
 
Default wget & certificates

On Thu, 02 Jun 2011 16:58:23 +0200, Kamil Jońca wrote:

> Camaleón <noelamac@gmail.com> writes:

(...)

>> Just for testing purposes, what happens when you run this?
>>
>> wget --no-check-certificate
>> https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl
>
> Works.
>
>
>> (note that should still getting through the encrypted channel)
>>
>> Moreover, are you getting the same error with another "https://" site?
>>
>> I.e.: wget https://www.google.com
>
> Works.

Hum... so it fails with one site but not all. Curious. Let me make some
tests in my wheezy box:

test@debian:~$ wget https://www.centrum24.pl/bzwbkonline/eSmart.html?
typ=90&lang=pl
[1] 4632
test@debian:~$ --2011-06-03 15:04:20-- https://www.centrum24.pl/
bzwbkonline/eSmart.html?typ=90
Resolving www.centrum24.pl... 195.20.110.130
Connecting to www.centrum24.pl|195.20.110.130|:443... connected.
ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/
O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://
www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC
CA':
Unable to locally verify the issuer's authority.
To connect to www.centrum24.pl insecurely, use `--no-check-certificate'.

Wow, here it fails! In lenny it worked perfectly :-O

Okay, let's see what "curl" says:

test@debian:~$ curl https://www.centrum24.pl/bzwbkonline/eSmart.html?
typ=90&lang=pl
[1] 4634
test@debian:~$ curl: (60) SSL certificate problem, verify that the CA
cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

It also fails here, but the message can be of help because Google returns
a bunch of results pointing to some sort of bug here (openssl?).

What to do? Dunno, but in the meantime you can safely connect to the site
using "wget --no-check-certificate" because the cert is valid (you
already know that because firefox told you so) and traffic is still being
sent through SSL.

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: pan.2011.06.03.13.14.12@gmail.com">http://lists.debian.org/pan.2011.06.03.13.14.12@gmail.com
 

Thread Tools




All times are GMT. The time now is 01:23 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org