Strange certificate problem with wget

Strange certificate problem with wget

[Neuer User]

Hello

I need to use wget with https support in my image. So I added "wget" to
my packages.

The problem is that it doesn't seem to find the installed certificates:

# wget https://www.google.com
--2014-05-19 11:20:42--  https://www.google.com/
Resolving www.google.com... 173.194.113.242, 173.194.113.241,
173.194.113.244, ...
Connecting to www.google.com|173.194.113.242|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by
'/C=US/O=Google Inc/CN=Google Internet Authority G2':
  Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.


No problem, when using curl instead.

Seems, I am missing something pretty obvious. Can anybody hint me into
the right direction?

Thanks

Michael

Re: Strange certificate problem with wget

[Burton, Ross]

On 19 May 2014 10:25, Neuer User <auslands-kv@gmx.de> wrote:
> I need to use wget with https support in my image. So I added "wget" to
> my packages.
>
> The problem is that it doesn't seem to find the installed certificates:

By "installed certificates" you mean that you installed
ca-certificates into the image, right?

Ross

Re: Strange certificate problem with wget

[Neuer User]

Am 19.05.2014 11:32, schrieb Burton, Ross:
> On 19 May 2014 10:25, Neuer User <auslands-kv@gmx.de> wrote:
>> I need to use wget with https support in my image. So I added "wget" to
>> my packages.
>>
>> The problem is that it doesn't seem to find the installed certificates:
> 
> By "installed certificates" you mean that you installed
> ca-certificates into the image, right?
> 
> Ross
> 
Yeah, exactly.

Re: Strange certificate problem with wget

[Paul Barker]

On 19 May 2014 10:35, Neuer User <auslands-kv@gmx.de> wrote:
> Am 19.05.2014 11:32, schrieb Burton, Ross:
>> On 19 May 2014 10:25, Neuer User <auslands-kv@gmx.de> wrote:
>>> I need to use wget with https support in my image. So I added "wget" to
>>> my packages.
>>>
>>> The problem is that it doesn't seem to find the installed certificates:
>>
>> By "installed certificates" you mean that you installed
>> ca-certificates into the image, right?
>>
>> Ross
>>
> Yeah, exactly.
>

If you run 'wget --version' you should be able to find out if you're
running busybox wget or gnu wget. I assume you're expecting gnu wget
as you added wget to your packages, but it's worth quickly checking
that the correct binary is being executed.

Thanks,

-- 
Paul Barker

Email: paul@paulbarker.me.uk
http://www.paulbarker.me.uk

Re: Strange certificate problem with wget

[Neuer User]

Am 19.05.2014 12:56, schrieb Paul Barker:
> On 19 May 2014 10:35, Neuer User <auslands-kv@gmx.de> wrote:
>> Am 19.05.2014 11:32, schrieb Burton, Ross:
>>> On 19 May 2014 10:25, Neuer User <auslands-kv@gmx.de> wrote:
>>>> I need to use wget with https support in my image. So I added "wget" to
>>>> my packages.
>>>>
>>>> The problem is that it doesn't seem to find the installed certificates:
>>>
>>> By "installed certificates" you mean that you installed
>>> ca-certificates into the image, right?
>>>
>>> Ross
>>>
>> Yeah, exactly.
>>
> 
> If you run 'wget --version' you should be able to find out if you're
> running busybox wget or gnu wget. I assume you're expecting gnu wget
> as you added wget to your packages, but it's worth quickly checking
> that the correct binary is being executed.
> 
> Thanks,
> 
~# wget --version
GNU Wget 1.14 built on linux-gnueabi.

+digest +https +ipv6 -iri -large-file +nls +ntlm +opie +ssl/openssl

Wgetrc:
    /etc/wgetrc (system)
Locale: /usr/share/locale
Compile: arm-poky-linux-gnueabi-gcc -march=armv7-a -mthumb-interwork
    -mfloat-abi=hard -mfpu=neon -mtune=cortex-a9
    --sysroot=/home/ubuntu/yocto/build/tmp/sysroots/cubox-i
    -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I.

-I/home/ubuntu/yocto/build/tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/wget/1.14-r16.0/wget-1.14/src
-I../lib
-I/home/ubuntu/yocto/build/tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/wget/1.14-r16.0/wget-1.14/lib
-O2 -pipe -g -feliminate-unused-debug-types
Link: arm-poky-linux-gnueabi-gcc -march=armv7-a -mthumb-interwork
    -mfloat-abi=hard -mfpu=neon -mtune=cortex-a9
    --sysroot=/home/ubuntu/yocto/build/tmp/sysroots/cubox-i -O2 -pipe
    -g -feliminate-unused-debug-types -Wl,-O1 -Wl,--hash-style=gnu
    -Wl,--as-needed -lssl
    /home/ubuntu/yocto/build/tmp/sysroots/cubox-i/lib/libcrypto.so -lz
    -ldl -lz -lz -lpcre ftp-opie.o openssl.o http-ntlm.o
    ../lib/libgnu.a

Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.


Looks, as if I get the right one, but strangely without working
certificates check...

Re: Strange certificate problem with wget

[Neuer User]

Nobody any idea?

I really need certificate support in wget. What am I missing? I guess,
it is a very stupid error on my side, but I just don't know which.

Michael


Am 19.05.2014 14:02, schrieb Neuer User:
> Am 19.05.2014 12:56, schrieb Paul Barker:
>> On 19 May 2014 10:35, Neuer User <auslands-kv@gmx.de> wrote:
>>> Am 19.05.2014 11:32, schrieb Burton, Ross:
>>>> On 19 May 2014 10:25, Neuer User <auslands-kv@gmx.de> wrote:
>>>>> I need to use wget with https support in my image. So I added "wget" to
>>>>> my packages.
>>>>>
>>>>> The problem is that it doesn't seem to find the installed certificates:
>>>>
>>>> By "installed certificates" you mean that you installed
>>>> ca-certificates into the image, right?
>>>>
>>>> Ross
>>>>
>>> Yeah, exactly.
>>>
>>
>> If you run 'wget --version' you should be able to find out if you're
>> running busybox wget or gnu wget. I assume you're expecting gnu wget
>> as you added wget to your packages, but it's worth quickly checking
>> that the correct binary is being executed.
>>
>> Thanks,
>>
> ~# wget --version
> GNU Wget 1.14 built on linux-gnueabi.
> 
> +digest +https +ipv6 -iri -large-file +nls +ntlm +opie +ssl/openssl
> 
> Wgetrc:
>     /etc/wgetrc (system)
> Locale: /usr/share/locale
> Compile: arm-poky-linux-gnueabi-gcc -march=armv7-a -mthumb-interwork
>     -mfloat-abi=hard -mfpu=neon -mtune=cortex-a9
>     --sysroot=/home/ubuntu/yocto/build/tmp/sysroots/cubox-i
>     -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
>     -DLOCALEDIR="/usr/share/locale" -I.
> 
> -I/home/ubuntu/yocto/build/tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/wget/1.14-r16.0/wget-1.14/src
> -I../lib
> -I/home/ubuntu/yocto/build/tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/wget/1.14-r16.0/wget-1.14/lib
> -O2 -pipe -g -feliminate-unused-debug-types
> Link: arm-poky-linux-gnueabi-gcc -march=armv7-a -mthumb-interwork
>     -mfloat-abi=hard -mfpu=neon -mtune=cortex-a9
>     --sysroot=/home/ubuntu/yocto/build/tmp/sysroots/cubox-i -O2 -pipe
>     -g -feliminate-unused-debug-types -Wl,-O1 -Wl,--hash-style=gnu
>     -Wl,--as-needed -lssl
>     /home/ubuntu/yocto/build/tmp/sysroots/cubox-i/lib/libcrypto.so -lz
>     -ldl -lz -lz -lpcre ftp-opie.o openssl.o http-ntlm.o
>     ../lib/libgnu.a
> 
> Copyright (C) 2011 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://www.gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
> Please send bug reports and questions to <bug-wget@gnu.org>.
> 
> 
> Looks, as if I get the right one, but strangely without working
> certificates check...
> 
> 

Re: Strange certificate problem with wget

[Burton, Ross]

On 21 May 2014 10:37, Neuer User <auslands-kv@gmx.de> wrote:
> I really need certificate support in wget. What am I missing? I guess,
> it is a very stupid error on my side, but I just don't know which.

Try passing --ca-certificate=/etc/ssl/certs/ca-certificates.crt to
verify that wget works if you tell it exactly where the certificate
bundle is.

Ross

Re: Strange certificate problem with wget

[Neuer User]

Thanks Paul.

That's it. It does't seem to know where they are. If I add the option
with the path, it works.

Do I miss something in my local.conf?

Cheers

Michael

Am 21.05.2014 12:27, schrieb Burton, Ross:
> On 21 May 2014 10:37, Neuer User <auslands-kv@gmx.de> wrote:
>> I really need certificate support in wget. What am I missing? I guess,
>> it is a very stupid error on my side, but I just don't know which.
> 
> Try passing --ca-certificate=/etc/ssl/certs/ca-certificates.crt to
> verify that wget works if you tell it exactly where the certificate
> bundle is.
> 
> Ross
> 

Re: Strange certificate problem with wget

[Neuer User]

Very sorry for mixing up your name with Pauls, Ross.

Sorry,

Michael

------------------------------------------------------

Thanks Paul.

That's it. It does't seem to know where they are. If I add the option
with the path, it works.

Do I miss something in my local.conf?

Cheers

Michael


Am 21.05.2014 12:27, schrieb Burton, Ross:
> On 21 May 2014 10:37, Neuer User <auslands-kv@gmx.de> wrote:
>> I really need certificate support in wget. What am I missing? I guess,
>> it is a very stupid error on my side, but I just don't know which.
> 
> Try passing --ca-certificate=/etc/ssl/certs/ca-certificates.crt to
> verify that wget works if you tell it exactly where the certificate
> bundle is.
> 
> Ross
> 

Re: Strange certificate problem with wget

[Burton, Ross]

On 21 May 2014 11:49, Auslands-KV <auslands-kv@gmx.de> wrote:
> That's it. It does't seem to know where they are. If I add the option
> with the path, it works.
>
> Do I miss something in my local.conf?

No, OpenSSL should know where they are out of this, this is probably a
problem with the OpenSSL recipe.

GnuTLS is known to integrate better in general, so you might want to
try applying this patch to switch wget to GnuTLS:

http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/commit/?id=8f42471e4bd5505a1f2766bbc675d23e078dfdc7

Ross

Re: Strange certificate problem with wget

[Neuer User]

Btw, this works beautifully. Thanks a lot!

Michael

Am 21.05.2014 17:02, schrieb Burton, Ross:
> On 21 May 2014 11:49, Auslands-KV <auslands-kv@gmx.de> wrote:
>> That's it. It does't seem to know where they are. If I add the option
>> with the path, it works.
>>
>> Do I miss something in my local.conf?
> 
> No, OpenSSL should know where they are out of this, this is probably a
> problem with the OpenSSL recipe.
> 
> GnuTLS is known to integrate better in general, so you might want to
> try applying this patch to switch wget to GnuTLS:
> 
> http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/commit/?id=8f42471e4bd5505a1f2766bbc675d23e078dfdc7
> 
> Ross
>