So I accidentally stumbled upon this error on my server while debugging.

When I request an API URL via wget with wget https://example.com/, I get "The certificate of «example.com» is not trusted." (The URL is, of course, different.)

I did a quick search for a solution and found this question on SO.

The ca-certificates package was already installed. I've run update-ca-certificates and got the following:

Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

I also ran c_rehash, which did add several missing links, but didn't change the outcome.

I checked the server's certificate via https://www.ssllabs.com/ssltest/ and it passes with flying colors (gives an A+ grade, the certificate issuer is listed as COMODO RSA Domain Validation Secure Server CA). Also, requesting the same document via PHP on the same server works fine.

I also tried explicitly setting --ca-directory=/etc/ssl/certs parameter for wget, but the result is the same.

I have no idea how to troubleshoot this issue further and I'm afraid it might cause issues in the future.

I'm running Debian 7.9 with OpenSSL 1.0.1e 11 Feb 2013.

  • My guess is that it is related to the problem with multiple trust paths I've described in http://stackoverflow.com/questions/27804710/python-urllib2-ssl-error/27826829#27826829. But to be sure one would need to know the exact hostname. – Steffen Ullrich Dec 29 '15 at 15:50
  • @SteffenUllrich, you mean the hostname of the server which causes an issue with wget, right? – Anton Suprun Dec 30 '15 at 16:18
  • Yes, I mean the hostname so one can reproduce the problem and look deeper into it. – Steffen Ullrich Dec 30 '15 at 16:56

2 Answers

I had this same problem. My site worked fine in a browser and got a passing grade from www.ssllabs.com but wget would error out complaining of an invalid certificate.

The issue is that the "COMODO RSA Domain Validation Secure Server CA" intermediate certificate is signed by multiple certificates (as Steffen Ullrich alluded to), one of which is included in more trust stores than the other.

Some OSs do not by default trust the "COMODO RSA Certification Authority" self-signed certificate even though it is trusted by most web browsers. The "AddTrust External CA Root" certificate, however, is trusted by most OSs.

Make sure you have not just the "COMODO RSA Certification Authority" certificate chain correct but that the "AddTrust External CA Root" chain is also correct.

If www.ssllabs.com reports "Chain issues: None" then your wget shouldn't give you any certificate errors.

[image: example showing multiple certificate signing paths]
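The two trust paths this answer describes, as an added example that is not part of the original answer: a throwaway PKI built with the openssl CLI (assumed to be installed), using constructed "Toy" names instead of the real CAs, in which the same intermediate key is signed by two roots. It shows that a client store holding only the AddTrust-style root validates the leaf only when the server sends the copy of the intermediate signed by that root, which is the situation behind the wget error.

```shell
# Throwaway PKI reproducing the cross-signing situation described above: one
# intermediate key signed by two roots. Names are constructed ("Toy ..."); no
# real CA key or certificate is involved. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
# new_csr NAME SUBJECT : fresh RSA key plus CSR
new_csr() {
    openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}
# self_sign NAME SUBJECT : a self-signed root, the kind a distro trust store ships
self_sign() {
    new_csr "$1" "$2"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}
# issue CSR ISSUER_CRT ISSUER_KEY OUT EXTFILE : sign CSR with the issuer's key
issue() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$5" -out "$WORK/$4.crt" 2>/dev/null
}

build_pki() {
    self_sign comodo   "/CN=Toy COMODO RSA Certification Authority"
    self_sign addtrust "/CN=Toy AddTrust External CA Root"
    # One intermediate key; the same CSR is signed by both roots (cross-signing)
    new_csr inter "/CN=Toy COMODO RSA Domain Validation Secure Server CA"
    issue inter comodo   comodo   inter_by_comodo   ca.ext
    issue inter addtrust addtrust inter_by_addtrust ca.ext
    # The leaf is signed with the intermediate key, so either cross-cert is a valid issuer
    new_csr leaf "/CN=example.com"
    issue leaf inter_by_comodo inter leaf leaf.ext
}

# verify_path ROOT SENT : 0 if the leaf chains to the trusted ROOT through the
# intermediate SENT, which is what wget/OpenSSL see in the server's handshake
verify_path() {
    openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}
report() {
    if verify_path "$1" "$2"; then echo "store=$1 sent=$2: trusted"
    else echo "store=$1 sent=$2: NOT trusted"; fi
}
build_pki
report comodo   inter_by_comodo     # store has the COMODO root: trusted
report addtrust inter_by_addtrust   # old store, cross-signed intermediate sent: trusted
report addtrust inter_by_comodo     # old store, only the COMODO-signed one sent: wget's error
```

The third case is the one ssllabs flags as a chain issue: the fix is on the server side (send the intermediate signed by the root the client actually has), not in the client's CA directory.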


You can use the "--no-check-certificate" parameter on wget to avoid the check.