Wget ошибка нет доверия сертификату для - Решение и исправление самых разных ошибок на TopOshibok.ru

For example, running wget https://www.dropbox.com results in the following errors:

ERROR: The certificate of `www.dropbox.com' is not trusted.
ERROR: The certificate of `www.dropbox.com' hasn't got a known issuer.

asked Feb 10, 2012 at 7:35

Russell DavisRussell Davis

8,3294 gold badges40 silver badges41 bronze badges

If you don’t care about checking the validity of the certificate just add the --no-check-certificate option on the wget command-line. This worked well for me.

NOTE: This opens you up to man-in-the-middle (MitM) attacks, and is not recommended for anything where you care about security.

davr

18.9k17 gold badges77 silver badges99 bronze badges

answered Jan 8, 2013 at 15:24

Looking at current hacky solutions in here, I feel I have to describe a proper solution after all.

First, you need to install the cygwin package ca-certificates via Cygwin’s setup.exe to get the certificates.

Do NOT use curl or similar hacks to download certificates (as a neighboring answer advices) because that’s fundamentally insecure and may compromise the system.

Second, you need to tell wget where your certificates are, since it doesn’t pick them up by default in Cygwin environment. If you can do that either with the command-line parameter --ca-directory=/usr/ssl/certs (best for shell scripts) or by adding ca_directory = /usr/ssl/certs to ~/.wgetrc file.

You can also fix that by running ln -sT /usr/ssl /etc/ssl as pointed out in another answer, but that will work only if you have administrative access to the system. Other solutions I described do not require that.

answered Mar 6, 2013 at 16:26

ShnatselShnatsel

4,0081 gold badge24 silver badges25 bronze badges

If the problem is that a known root CA is missing and when you are using ubuntu or debian, then you can solve the problem with this one line:

sudo apt-get install ca-certificates

SusanW

1,5621 gold badge13 silver badges22 bronze badges

answered Nov 10, 2012 at 20:41

cguenthercguenther

1,5791 gold badge10 silver badges14 bronze badges

May be this will help:

wget --no-check-certificate https://blah-blah.tld/path/filename

4b0

22k30 gold badges95 silver badges142 bronze badges

answered Jun 4, 2018 at 5:10

First, the SSL certificates need to be installed. Instructions (based on https://stackoverflow.com/a/4454754/278488):

pushd /usr/ssl/certs
curl http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
c_rehash

The above is enough to fix curl, but wget requires an extra symlink:

ln -sT /usr/ssl /etc/ssl

answered Feb 10, 2012 at 7:40

Russell DavisRussell Davis

8,3294 gold badges40 silver badges41 bronze badges

apt-get install ca-certificates

The s makes the difference

Milo

3,3659 gold badges30 silver badges44 bronze badges

answered Jan 16, 2018 at 17:12

PetePete

591 silver badge1 bronze badge

I have the similar problem and fixed it by temporarily disabling my antivirus(Kaspersky Free 18.0.0.405). This AV has HTTPS interception module that automatically self-sign all certificates it finds in HTTPS responses.

Wget from Cygwin does not know anything about AV root certificate, so when it finds that website’s certificate was signed with non trust certificate it prints that error.

To fix this permanently without disabling AV you should copy the AV root certificate from Windows certificate store to /etc/pki/ca-trust/source/anchors as .pem file(base64 encoding) and run update-ca-trust

answered Oct 28, 2018 at 23:15

Denis BakharevDenis Bakharev

9591 gold badge9 silver badges7 bronze badges

In my case, on raspberry pi 3B the timing was in the future (2025) that I need to update to the current local time using ntpdate by passing the time to the past and it solved the issue.

 $ sudo date +%Y%m%d -s "20210101"
 $ sudo ntpdate times1.mike.fi

answered Jul 17, 2021 at 15:04

I had a similar problem with wget to my own live web site returning errors after installing a new SSL certificate. I’d already checked several browsers and they didn’t report any errors:

wget --no-cache -O - "https://example.com/..." ERROR: The certificate of ‘example.com’ is not trusted. ERROR: The certificate of ‘example.com’ hasn't got a known issuer.

The problem was I had installed the wrong certificate authority .pem/.crt file from the issuer. Usually they bundle the SSL certificate and CA file as a zip file, but DigiCert email you the certificate and you have to figure out the matching CA on your own. https://www.digicert.com/help/ has an SSL certificate checker which lists the SSL authority and the hopefully matching CA with a nice blue link graphic if they agree:

`SSL Cert: Issuer GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1

CA: Subject GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
Valid from 16/Jul/2020 to 31/May/2023
Issuer DigiCert Global Root CA`

answered Oct 3, 2020 at 23:24

We just had this same issue come up when we installed a newly minted certificate just this last week. I’ve also seen it two other times…yet I’m slow to learn. In all 3 cases I had to get the «intermediate certificates» and install them. In other words My cert was good but it’s signer or it’s signer’s signer wasn’t correctly installed. Make sure you go to your certificate provider’s site and get the correct intermediate certificates and install them as well on your server and then this warning will go away.

It might not JUST be the above, it could also be that clients don’t have updated lists…but I would make sure it’s not just you not fully installing the certificates right FIRST, and then after that going on to the clients and making sure their list is updated.

answered Apr 19, 2021 at 19:16

Uncle IrohUncle Iroh

5,7486 gold badges48 silver badges61 bronze badges

Not exactly the same issue. On docker, I was mounting my host filesystem to /etc where OpenSSL certs were already installed which gets overwritten.

Changing the mounting to different filesystem fixed it.

answered Feb 27, 2022 at 0:53

viggy28viggy28

7601 gold badge10 silver badges21 bronze badges

Thanks to Denis Bakharev I’ve solved that case.

If someone has Cygwin wget not working because ‘certificate not trusted’ and having ca-certificates installed AND having Antivirus that automatically self-sign all certificates it finds in HTTPS responses then you need:

Get root certificate from your AV (I got mine with browser: open any https web-site, check it’s certificate, go to Certification Path tab, click on Root certificate. Then click View certificate button, go to Details tab and click Copy to File... button. Default settings are fine for saving certificate in *.cer file).
Convert *.cer to *.crt. You can use Cygwin’s OpenSSL with the following command:

openssl x509 -inform DER -in <your *.cer certificate file> -out <new cert>.crt

Move new *.crt file to ca-directory (in my case it was /etc/pki/tls/certs/).

That was enough for me to get wget working.

answered May 31, 2022 at 12:13

If you are using windows just go to control panel, click on automatic updates then click on Windows Update Web Site link. Just follow the step. At least this works for me, no more certificates issue i.e whenever I go to https://www.dropbox.com as before.

answered Aug 20, 2014 at 3:13

Just do

apt-get install ca-certificate

Pang

9,614146 gold badges81 silver badges122 bronze badges

answered Jul 29, 2017 at 6:50

tekintiantekintian

2873 silver badges3 bronze badges

Источник

wget is a popular command for downloading files from the internet with protocols such as HTTP, HTTPS, and FTP. With the terminal emulator you use, you can download without logging in to the internet address. If the website you want to download has an insecure and problematic ssl certificate, you will encounter the following errors:

ERROR: Certificate ‘—‘ is not trusted.
ERROR: Certificate ‘—‘ has no known issuer.
The certificate has expired

You cannot download and it will show you that the address you want to download from has a security problem. We will tell you how to proceed with the download with the following steps.

Ignore SSL Certificate in Wget

When you open a website with a browser, if you encounter the following screen, it indicates that this site has a problem with the SSL certificate:

Ignore SSL Certificate

You can access the site with Advanced → Accept the Risk and Continue.

Now let’s try to download files from this website with wget in terminal:

foc@fedora:~$ wget https://expired.badssl.com
--2023-02-09 19:44:12--  https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
ERROR: The certificate of ‘expired.badssl.com’ is not trusted.
ERROR: The certificate of ‘expired.badssl.com’ has expired.
The certificate has expired

As you can see the download failed. The «--no-check-certificate» parameter is used to solve this problem:

foc@fedora:~$ wget --no-check-certificate https://expired.badssl.com
--2023-02-09 21:17:30--  https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
WARNING: The certificate of ‘expired.badssl.com’ is not trusted.
WARNING: The certificate of ‘expired.badssl.com’ has expired.
The certificate has expired
HTTP request sent, awaiting response... 200 OK
Length: 494 [text/html]
Saving to: ‘index.html.9’
index.html.9 100%[=============>] 494 --.-KB/s in 0s
2023-02-09 21:17:30 (7.92 MB/s) - ‘index.html.9’ saved [494/494]

The download was successful without verifying the server’s certificate. If you have used wget in your bash scripts before, it looks like you need to give this parameter to all of these commands.

The solution below will help you a lot. Create a «.wgetrc» file and type the following lines:

foc@fedora:~$ nano /usr/local/etc/wgetrc

check_certificate = off

Or you can do it in one line with echo:

echo "check_certificate = off" >> ~/.wgetrc

Try downloading with wget after this command:

foc@fedora:~$ wget https://expired.badssl.com
--2023-02-09 21:31:17--  https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
WARNING: The certificate of ‘expired.badssl.com’ is not trusted.
WARNING: The certificate of ‘expired.badssl.com’ has expired.
The certificate has expired
HTTP request sent, awaiting response... 200 OK
Length: 494 [text/html]
Saving to: ‘index.html.11’
index.html.11 100%[=============>] 494 --.-KB/s in 0s
2023-02-09 21:31:19 (12.2 MB/s) - ‘index.html.11’ saved [494/494]

You can see that the download was successful without parameters.

ALSO READ: Beginners guide to mount NFS share in Linux with examples

What’s NEXT?

15+ wget command examples in Linux [Cheat Sheet]
Tips to download file From Linux [Practical Examples]

Summary

You can get help about wget online here. For local help you can also open the -h/—help or manual page in terminal:

foc@fedora:~$ man wget

foc@fedora:~$ wget --help
...
HTTPS (SSL/TLS) options:
       --secure-protocol=PR        choose secure protocol, one of auto, SSLv2,
                                     SSLv3, TLSv1, TLSv1_1, TLSv1_2, TLSv1_3 and PFS
       --https-only                only follow secure HTTPS links
       --no-check-certificate      don't validate the server's certificate
       --certificate=FILE          client certificate file
       --certificate-type=TYPE     client certificate type, PEM or DER
       --private-key=FILE          private key file
       --private-key-type=TYPE     private key type, PEM or DER
       --ca-certificate=FILE       file with the bundle of CAs
       --ca-directory=DIR          directory where hash list of CAs is stored
...

References

stackoverflow.com — Ignore SSL Certificate Error with Wget
www.gnu.org — GNU Wget 1.21.1-dirty Manual

Didn’t find what you were looking for? Perform a quick search across GoLinuxCloud

Источник

Using the wget tool, it’s common to download files or web pages from the internet. When dealing with HTTPS sites, wget will validate the SSL certificate of the site to ensure its legitimacy.

$ wget https://www.simplified.guide
--2021-03-29 11:09:07--  https://www.simplified.guide/
Resolving www.simplified.guide (www.simplified.guide)... 127.0.0.1
Connecting to www.simplified.guide (www.simplified.guide)|127.0.0.1|:443... connected.

ERROR: cannot verify www.simplified.guide's certificate, issued by ‘CN=mkcert name@hostname (Your Name),OU=name@hostname (Your Name),O=mkcert development CA’:
  Unable to locally verify the issuer's authority.

ERROR: certificate common name ‘*.simplified.guide’ doesn't match requested host name ‘www.simplified.guide’.

To connect to www.simplified.guide insecurely, use `--no-check-certificate'.

Such certificate verification errors might occur due to a variety of reasons such as self-signed certificates, expired certificates, or domain name mismatches. Although it’s essential to validate SSL certificates to prevent man-in-the-middle attacks and maintain the confidentiality and integrity of the data, there might be occasions in controlled environments (like testing or development setups) where bypassing this check is necessary.

wget provides the option to ignore SSL certificate errors. While this can be handy for testing or troubleshooting in certain scenarios, it’s advised not to use it in production or secure environments.

Steps to bypass SSL certificate checks in Wget:

Test downloading https page using wget.

$ wget https://www.simplified.guide
--2021-03-29 11:31:11--  https://www.simplified.guide/
Resolving www.simplified.guide (www.simplified.guide)... 127.0.0.1
Connecting to www.simplified.guide (www.simplified.guide)|127.0.0.1|:443... connected.
ERROR: cannot verify www.simplified.guide's certificate, issued by ‘CN=mkcert name@hostname (Your Name),OU=name@hostname (Your Name),O=mkcert development CA’:
  Unable to locally verify the issuer's authority.
To connect to www.simplified.guide insecurely, use `--no-check-certificate'.

Use —no-check-certificate option to ignore certificate error for SSL.

$ wget --no-check-certificate https://www.simplified.guide
--2021-03-29 11:32:21--  https://www.simplified.guide/
Resolving www.simplified.guide (www.simplified.guide)... 127.0.0.1
Connecting to www.simplified.guide (www.simplified.guide)|127.0.0.1|:443... connected.
WARNING: cannot verify www.simplified.guide's certificate, issued by ‘CN=mkcert name@hostname (Your Name),OU=name@hostname (Your Name),O=mkcert development CA’:
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                [ <=>                     ]  31.01K  --.-KB/s    in 0s

2021-03-29 11:32:21 (100 MB/s) - ‘index.html’ saved [31755]

The same message is still displayed but as WARNING instead of ERROR and the command was a success.

--no-check-certificate
    Don't check the server certificate against the available certificate authorities.  Also don't require the URL host name to match the common name presented by the certificate.

    As of Wget 1.10, the default is to verify the server's certificate against the recognized certificate authorities, breaking the SSL handshake and aborting the download if the verification
    fails.  Although this provides more secure downloads, it does break interoperability with some sites that worked with previous Wget versions, particularly those using self-signed, expired, or
    otherwise invalid certificates.  This option forces an "insecure" mode of operation that turns the certificate verification errors into warnings and allows you to proceed.

    If you encounter "certificate verification" errors or ones saying that "common name doesn't match requested host name", you can use this option to bypass the verification and proceed with the
    download.  Only use this option if you are otherwise convinced of the site's authenticity, or if you really don't care about the validity of its certificate.  It is almost always a bad idea
    not to check the certificates when transmitting confidential or important data.

Add option to skip certificate check into config file.
```
$ echo "check-certificate = off" >> ~/.wgetrc
```
Only use this method in development setting or wherever security is not critical.

Test against https page with error again without using —no-check-certificate.

$ wget https://www.simplified.guide
--2021-03-29 11:42:29--  https://www.simplified.guide/
Resolving www.simplified.guide (www.simplified.guide)... 127.0.0.1
Connecting to www.simplified.guide (www.simplified.guide)|127.0.0.1|:443... connected.
WARNING: cannot verify www.simplified.guide's certificate, issued by ‘CN=mkcert name@hostname (Your Name),OU=name@hostname (Your Name),O=mkcert development CA’:
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.1’

index.html              [ <=>                     ]  31.01K  --.-KB/s    in 0s

2021-03-29 11:42:29 (115 MB/s) - ‘index.html’ saved [31755]

Discuss the article:

Comment anonymously. Login not required.

Источник

For example, running wget https://www.dropbox.com results in the following errors:

ERROR: The certificate of `www.dropbox.com' is not trusted.
ERROR: The certificate of `www.dropbox.com' hasn't got a known issuer.

asked Feb 10, 2012 at 7:35

Russell DavisRussell Davis

8,3294 gold badges40 silver badges41 bronze badges

If you don’t care about checking the validity of the certificate just add the --no-check-certificate option on the wget command-line. This worked well for me.

NOTE: This opens you up to man-in-the-middle (MitM) attacks, and is not recommended for anything where you care about security.

davr

18.9k17 gold badges77 silver badges99 bronze badges

answered Jan 8, 2013 at 15:24

Looking at current hacky solutions in here, I feel I have to describe a proper solution after all.

First, you need to install the cygwin package ca-certificates via Cygwin’s setup.exe to get the certificates.

Do NOT use curl or similar hacks to download certificates (as a neighboring answer advices) because that’s fundamentally insecure and may compromise the system.

answered Mar 6, 2013 at 16:26

ShnatselShnatsel

4,0081 gold badge24 silver badges25 bronze badges

If the problem is that a known root CA is missing and when you are using ubuntu or debian, then you can solve the problem with this one line:

sudo apt-get install ca-certificates

SusanW

1,5621 gold badge13 silver badges22 bronze badges

answered Nov 10, 2012 at 20:41

cguenthercguenther

1,5791 gold badge10 silver badges14 bronze badges

May be this will help:

wget --no-check-certificate https://blah-blah.tld/path/filename

4b0

22k30 gold badges95 silver badges142 bronze badges

answered Jun 4, 2018 at 5:10

First, the SSL certificates need to be installed. Instructions (based on https://stackoverflow.com/a/4454754/278488):

pushd /usr/ssl/certs
curl http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
c_rehash

The above is enough to fix curl, but wget requires an extra symlink:

ln -sT /usr/ssl /etc/ssl

answered Feb 10, 2012 at 7:40

Russell DavisRussell Davis

8,3294 gold badges40 silver badges41 bronze badges

apt-get install ca-certificates

The s makes the difference

Milo

3,3659 gold badges30 silver badges44 bronze badges

answered Jan 16, 2018 at 17:12

PetePete

591 silver badge1 bronze badge

Wget from Cygwin does not know anything about AV root certificate, so when it finds that website’s certificate was signed with non trust certificate it prints that error.

answered Oct 28, 2018 at 23:15

Denis BakharevDenis Bakharev

9591 gold badge9 silver badges7 bronze badges

In my case, on raspberry pi 3B the timing was in the future (2025) that I need to update to the current local time using ntpdate by passing the time to the past and it solved the issue.

 $ sudo date +%Y%m%d -s "20210101"
 $ sudo ntpdate times1.mike.fi

answered Jul 17, 2021 at 15:04

I had a similar problem with wget to my own live web site returning errors after installing a new SSL certificate. I’d already checked several browsers and they didn’t report any errors:

wget --no-cache -O - "https://example.com/..." ERROR: The certificate of ‘example.com’ is not trusted. ERROR: The certificate of ‘example.com’ hasn't got a known issuer.

`SSL Cert: Issuer GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1

CA: Subject GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
Valid from 16/Jul/2020 to 31/May/2023
Issuer DigiCert Global Root CA`

answered Oct 3, 2020 at 23:24

answered Apr 19, 2021 at 19:16

Uncle IrohUncle Iroh

5,7486 gold badges48 silver badges61 bronze badges

Not exactly the same issue. On docker, I was mounting my host filesystem to /etc where OpenSSL certs were already installed which gets overwritten.

Changing the mounting to different filesystem fixed it.

answered Feb 27, 2022 at 0:53

viggy28viggy28

7601 gold badge10 silver badges21 bronze badges

Thanks to Denis Bakharev I’ve solved that case.

Get root certificate from your AV (I got mine with browser: open any https web-site, check it’s certificate, go to Certification Path tab, click on Root certificate. Then click View certificate button, go to Details tab and click Copy to File... button. Default settings are fine for saving certificate in *.cer file).
Convert *.cer to *.crt. You can use Cygwin’s OpenSSL with the following command:

openssl x509 -inform DER -in <your *.cer certificate file> -out <new cert>.crt

Move new *.crt file to ca-directory (in my case it was /etc/pki/tls/certs/).

That was enough for me to get wget working.

answered May 31, 2022 at 12:13

answered Aug 20, 2014 at 3:13

Just do

apt-get install ca-certificate

Pang

9,614146 gold badges81 silver badges122 bronze badges

answered Jul 29, 2017 at 6:50

tekintiantekintian

2873 silver badges3 bronze badges

Источник

I have a problem with my Fedora 8 installation. It looks that wget doesn’t know how to verify SSL certificates any more. It’s strange because I have another Fedora 8 box which I believe has the same configuration and it works!

How can I make it work without using --no-check-certificate switch?

This is a sample output:

wget https://www.google.com
--2011-09-23 00:11:13--  https://www.google.com/
Resolving www.google.com... 74.125.230.146, 74.125.230.147, 74.125.230.148, ...
Connecting to www.google.com|74.125.230.146|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by `/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA':
  Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

EDIT

I have this file /etc/pki/tls/certs/ca-bundle.crt file and when I run wget with --ca-certificate switch pointing to this file everything goes fine. Where should this file be placed so that I don’t need to use the switch?

BTW: curl and links work fine, but lynx also complains: «SSL error:unable to get local issuer certificate» so this is not only wget‘s issue…

Источник