wget fails by a certificate problem

Question

Same problem as wget interrupted by a certificate problem:

After do-release-upgrade from 16.04 to 18.01

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. 
Check your Internet connection or proxy settings

wget https://changelogs.ubuntu.com/meta-release-lts

--2018-09-15 08:03:41--  https://changelogs.ubuntu.com/meta-release-lts
Resolving changelogs.ubuntu.com (changelogs.ubuntu.com)... 91.189.95.15, 2001:67c:1560:8008::11
Connecting to changelogs.ubuntu.com (changelogs.ubuntu.com)|91.189.95.15|:443... connected.
ERROR: cannot verify changelogs.ubuntu.com's certificate, issued by ‘CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US’:
  Unable to locally verify the issuer's authority.
To connect to changelogs.ubuntu.com insecurely, use `--no-check-certificate'.

Also (as root):

# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

# wget https://www.google.com/
--2018-09-16 16:54:31--  https://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.201.164, 2a00:1450:4003:80a::2004
Connecting to www.google.com (www.google.com)|216.58.201.164|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by ‘CN=Google Internet Authority G3,O=Google Trust Services,C=US’:
  Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.

Update 2018-10-23:

openssl s_client -connect www.google.com:443 -debug

fails

openssl s_client  -connect www.google.com:443 --debug --CApath /etc/ssl/certs/

works

 wget https://www.google.com/  --ca-directory=/etc/ssl/certs/

works, so why is the default ca-directory not /etc/ssl/certs/? and do I set it?

New Update and solved:

strace -e openat wget https://your-url

I saw that it was using /usr/local/lib/libssl.so.1.1, so I found one openssl installed on /usr/local, and after deleting it, the problem was fixed.

Thanks

Any special configuration involved in /etc/wgetrc or ${HOME}/.wgetrc? Also try to reinstall wget with sudo apt-get install --reinstall wget. — Thomas, Sep 16 '18 at 16:07
No , ${HOME}/.wgetrc does not exit and /etc/wgetrc is unchanged , reinstall wget didn't solve the issue — Sérgio, Sep 17 '18 at 01:31
Are there actually any certificates in /etc/ssl/certs/ca-certificates.crt ? — Ben, Sep 17 '18 at 22:59
ll -h /etc/ssl/certs/ca-certificates.crt -rw-r--r-- 1 root root 203K set 17 02:46 /etc/ssl/certs/ca-certificates.crt — Sérgio, Sep 18 '18 at 15:39
openssl version -a is a good command for situations like this, you can see if OPENSSLDIR is set incorrectly (which is probably was for your dud copy in /usr/local/lib) — James Broadhead, Sep 01 '21 at 16:06

score 4 · Answer 1 · edited Feb 10 '21 at 14:39

4

The thread: Problem with certificates helped me to solve the problem.

user mirabilos explain the commands to reinstall the ca-certificates

sudo apt-get install --reinstall ca-certificates
sudo apt-get -f install
sudo dpkg --purge --force-depends ca-certificates
sudo apt-get -f install

edited Feb 10 '21 at 14:39

Zanna

70,465

answered Dec 27 '20 at 04:55

PrivateDoss

41

bebbo · Answer 2 · 2021-04-23T06:05:12.863

3

You once compiled and installed openssl yourself and it still exists or maybe you removed that installation:

If the foldef /usr/local/ssl/ exists, check that the file /usr/local/ssl/cert.pem exists, if not run:

sudo ln -s  /etc/ssl/certs/ca-certificates.crt /usr/local/ssl/cert.pem

edited Apr 23 '21 at 06:05

answered Apr 14 '21 at 08:43

bebbo

289
3
8

I saw that it was using /usr/local/lib/libssl.so.1.1, so I found one openssl installed on /usr/local, and after deleting it, the problem was fixed. – Sérgio Apr 14 '21 at 20:46
Normally, I never type 'thank you' comments. But I've been searching for 5 days for the solution on how a manual installed openssl which was then removed and restored back to an 'apt'-installed openssl can be used. I kept getting certificate invalid errors. This helped me a lot: Thank you! – Winfried Apr 21 '21 at 21:40
Thank you -- I've spent the whole day trying to resolve the issue caused by the missing /usr/local/ssl/cert.pem – lawlist Oct 27 '22 at 22:16

score 1 · Answer 3 · answered May 28 '20 at 05:56

1

I have installed it. It worked for Ubuntu 16.4 LTS

sudo apt-get install ca-certificates

answered May 28 '20 at 05:56

JohnRose

111

score -1 · Answer 4 · edited Jul 28 '21 at 09:16

i faced same kind of issue. after the multiple checks i did below actions then fixed the certificate error for https wget connections.

Number of required root ca certificate is missing in the certificate path

root@SINGPWEBSERVER:~# cd /usr/lib/ssl/certs
root@SINGPWEBSERVER:/usr/lib/ssl/certs# ls -l | wc -l
12

Installed all the certificate using below command (select all the certificates)

 root@SINGPWEBSERVER:/usr/lib/ssl/certs# sudo dpkg-reconfigure ca-certificates

After the above extract command all the required HTTPS connection CA certificates installed

root@SINGPWEBSERVER:/usr/lib/ssl/certs# ls -l | wc -l
270

Find the https connection success result for your reference

root@SINGPWEBSERVER:/tmp# wget https://www.google.com/
--2021-07-28 15:23:19--  https://www.google.com/
Resolving www.google.com (www.google.com)... 142.250.204.68, 2404:6800:4005:813::2004
Connecting to www.google.com (www.google.com)|142.250.204.68|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.6’
index.html.6                                   [ <=>                                                                                     ]  15.45K  --.-KB/s    in 0.001s
2021-07-28 15:23:19 (21.9 MB/s) - ‘index.html.6’ saved [15821]

wget fails by a certificate problem

4 Answers4