wget: where does it look for certificates?

坚强是说给别人听的谎言, submitted on 2020-01-03 16:56:56

Question


I have an HTTPS site that needs an intermediate certificate to verify the server's SSL certificate.

If I put the intermediate-cert into /etc/ssl/certs (and make the hash-link) then

openssl s_client -connect IP:PORT

will work. Otherwise I get a verification error.

Where does wget look for certificates? I can only make it work if I explicitly set --ca-directory in wget.

So it seems openssl looks into /etc/ssl/certs and wget does not.

Thanks!

EDIT

If I run wget with -d then I see that without --ca-directory it loads about 150 certificates. With the option it is over 300. So it must be another path than the openssl default, I think.

Wget 1.19.4 on linux-gnu on Debian 10


Answer 1:


According to the manpage of wget:

Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.

Where's that? Turns out, that's complicated. It depends on your system, etc.

Simple ways to find out what wget actually does are

  1. reading its output:

    Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'

  2. using strace:

    strace wget https://your-url

    In the output, you can read which files wget opened, tried to open, etc.

Since strace produces quite a lot of output, you may want to limit it to certain syscalls. It looks like wget uses openat to read files, so:

strace -e openat wget https://your-url

contains the interesting lines:

openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_root.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_class3.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3

And there are even more locations it looks at; they might even be different for your system.
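
One way to apply the strace approach from Answer 1, as an added example that is not part of the original answer: a shell filter that reduces `strace -e openat` output to the certificate-related paths and shows whether each open succeeded. The function names, the path patterns and the sample trace (including the failing hashed file name) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answer): list CA-related files seen in a trace.
# Real use:  strace -e openat -o trace.txt wget https://your-url
#            ca_opens < trace.txt

# Read `strace -e openat` output on stdin and print "OK <path>" or
# "FAIL <path>" for every openat() whose path looks certificate-related.
# The path patterns are a heuristic (assumption); extend them for your system.
ca_opens() {
    grep -E '^openat\(' |
    grep -E '"[^"]*(ca-certificates|/ssl/|/pki/|\.crt|\.pem|p11-kit)[^"]*"' |
    sed -E 's/^openat\([^,]*, "([^"]*)".*\) = (-?[0-9]+).*$/\2 \1/' |
    while read -r rc path; do
        case "$rc" in
            -*) printf 'FAIL %s\n' "$path" ;;  # negative result: looked for, not opened
            *)  printf 'OK %s\n' "$path" ;;    # a file descriptor was returned
        esac
    done | sort -u
}

# Constructed sample trace. Lines 2 and 3 mirror the answer's output; the
# ld.so.cache line and the failing hashed file name are made up.
sample_trace() {
    cat <<'EOF'
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/ssl/certs/0a1b2c3d.0", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

sample_trace | ca_opens
```

A `FAIL` line for a hashed name under a directory means the program consulted that directory but found no matching link; no line at all for a directory means it was never consulted.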




Answer 2:


I had problems with wget not finding my certificates so I installed ca-

sudo apt install ca-certificates

then I edited:

sudo vi /etc/wgetrc

and added

ca_directory=/etc/ssl/certs

or you can just use this command to append it to the end:

printf "\nca_directory=/etc/ssl/certs" | sudo tee -a /etc/wgetrc


Source: https://stackoverflow.com/questions/48949008/wget-where-does-it-look-for-certificates
