Re: wget & certificates
David Sastre <d.sastre.medina@gmail.com> writes:
> On Thu, May 19, 2011 at 07:27:34AM +0200, Kamil Jońca wrote:
>>
>> I have a strange problem with wget:
>> $wget -e "background = off" -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl'
>>
>> --8<---------------cut here---------------start------------->8---
>> --2011-05-19 07:26:00-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl
>> Resolving www.centrum24.pl... 195.20.110.130
>> Connecting to www.centrum24.pl|195.20.110.130|:443... connected.
>> ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA':
>> Unable to locally verify the issuer's authority.
>> To connect to www.centrum24.pl insecurely, use `--no-check-certificate'.
>> --8<---------------cut here---------------end--------------->8---
>>
>> Connecting with iceweasel seems ok?
>> What is wrong, what to check?
>> KJ
>
> Check that your version supports https. It should be listed in the
> output of 'wget -V'. wget-1.12-2.1 from the squeeze repos supports it.
wget -V:
--8<---------------cut here---------------start------------->8---
GNU Wget 1.12 built on linux-gnu.
+digest +ipv6 +nls +ntlm +opie +md5/openssl +https -gnutls +openssl
-iri
Wgetrc:
/home/kjonca/.wgetrc (user)
/etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
-DLOCALEDIR="/usr/share/locale" -I. -I../lib -g -O2 -DNO_SSLv2
-D_FILE_OFFSET_BITS=64 -O2 -g -Wall
Link: gcc -g -O2 -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -O2 -g -Wall
/usr/lib/libssl.so /usr/lib/libcrypto.so -ldl -lrt ftp-opie.o
openssl.o http-ntlm.o gen-md5.o ../lib/libgnu.a
--8<---------------cut here---------------end--------------->8---
/etc/wgetrc - exists, but the whole file is commented out
~/.wgetrc - only "use_proxy = on"
When I connect to the site via Firefox[1], I end up with this certificate:
--8<---------------cut here---------------start------------->8---
S/N 18:DA:D1:9E:26:7D:E8:BB:4A:21:58:CD:CC:6B:3B:4A
Subject:
CN = VeriSign Class 3 Public Primary Certification Authority - G5
OU = "(c) 2006 VeriSign, Inc. - For authorized use only"
OU = VeriSign Trust Network
O = "VeriSign, Inc."
C = US
--8<---------------cut here---------------end--------------->8---
I have this cert under
/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
and after c_rehash I have:
--8<---------------cut here---------------start------------->8---
ll $(find -type l -lname "*VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5*")
lrwxrwxrwx 1 root root 64 Jun 2 05:07 ./b204d74a.0 -> VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
lrwxrwxrwx 1 root root 64 Jun 2 05:07 ./facacbc6.0 -> VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
lrwxrwxrwx 1 root root 99 Jun 2 04:52 ./VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt -> /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
lrwxrwxrwx 1 root root 99 Jun 2 05:04 ./VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem -> /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
--8<---------------cut here---------------end--------------->8---
but stracing wget shows that it tries to open a completely different file:
--8<---------------cut here---------------start------------->8---
[...]
stat("/usr/lib/ssl/certs/415660c1.0", {st_mode=S_IFREG|0644, st_size=834, ...}) = 0
open("/usr/lib/ssl/certs/415660c1.0", O_RDONLY) = 5
[...]
--8<---------------cut here---------------end--------------->8---
(/usr/lib/ssl/certs is symlink to /etc/ssl/certs)
Any ideas?
KJ
[1] - it's Fx4 from http://mozilla.debian.net/
--
http://sporothrix.wordpress.com/2011/01/16/usa-sie-krztusza-kto-nastepny/
Calm down... It's only a provocation.
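
The strace in the message above shows the lookup that an OpenSSL-linked wget performs: it opens `<hash of the issuer name>.0` in the CA directory, so a CA file that is present without the matching hash link is never read. The script below is an added example, not part of the original message; it reproduces that lookup offline with a constructed root CA and server certificate in a temporary directory (all subjects, file names and paths in it are assumptions made for the demo).

```bash
#!/bin/sh
# Added example: every subject, name and path here is constructed for the demo.
set -eu
demo_dir=$(mktemp -d)
ca_dir="$demo_dir/certs"            # stands in for /etc/ssl/certs
mkdir -p "$ca_dir"

make_chain() {  # constructed root CA in ca_dir, plus a server cert it signs
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/C=XX/O=Demo Org/CN=Demo Root CA" \
        -keyout "$demo_dir/ca.key" -out "$ca_dir/Demo_Root_CA.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=XX/O=Demo Org/CN=www.example.test" \
        -keyout "$demo_dir/srv.key" -out "$demo_dir/srv.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/srv.csr" -days 1 -set_serial 1 \
        -CA "$ca_dir/Demo_Root_CA.crt" -CAkey "$demo_dir/ca.key" \
        -out "$demo_dir/srv.crt" 2>/dev/null
}

# File name OpenSSL looks for in the CA directory when it needs the issuer of $1.
wanted_link() { echo "$(openssl x509 -noout -issuer_hash -in "$1").0"; }

# What c_rehash does for one CA file: symlink <subject hash>.0 to it.
rehash_one() {
    ( cd "$ca_dir" && ln -sf "$1" "$(openssl x509 -noout -subject_hash -in "$1").0" )
}

# "ok" if $1 verifies against the hashed directory, otherwise "fail".
verify_with_capath() {
    if openssl verify -CApath "$ca_dir" "$1" 2>&1 | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

make_chain
echo "issuer file wanted: $ca_dir/$(wanted_link "$demo_dir/srv.crt")"
echo "CA file present, no hash link: $(verify_with_capath "$demo_dir/srv.crt")"
rehash_one Demo_Root_CA.crt
echo "after hash link created:       $(verify_with_capath "$demo_dir/srv.crt")"
```

On a real system, `openssl x509 -noout -subject -in` run on the file wget opened names the CA behind that hash, and `-issuer_hash` on the server's certificate gives the link name its issuer needs.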