Discussion:
Strange certificate problem with wget
Neuer User
2014-05-19 09:25:28 UTC
Hello

I need to use wget with https support in my image. So I added "wget" to
my packages.

The problem is that it doesn't seem to find the installed certificates:

# wget https://www.google.com
--2014-05-19 11:20:42-- https://www.google.com/
Resolving www.google.com... 173.194.113.242, 173.194.113.241,
173.194.113.244, ...
Connecting to www.google.com|173.194.113.242|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by
'/C=US/O=Google Inc/CN=Google Internet Authority G2':
Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.


No problem, when using curl instead.

Seems, I am missing something pretty obvious. Can anybody hint me into
the right direction?

Thanks

Michael

--
Burton, Ross
2014-05-19 09:32:50 UTC
Post by Neuer User
I need to use wget with https support in my image. So I added "wget" to
my packages.
By "installed certificates" you mean that you installed
ca-certificates into the image, right?

Ross
--
Neuer User
2014-05-19 09:35:14 UTC
Post by Burton, Ross
Post by Neuer User
I need to use wget with https support in my image. So I added "wget" to
my packages.
By "installed certificates" you mean that you installed
ca-certificates into the image, right?
Ross
Yeah, exactly.

--
Paul Barker
2014-05-19 10:56:41 UTC
Post by Neuer User
Post by Burton, Ross
Post by Neuer User
I need to use wget with https support in my image. So I added "wget" to
my packages.
By "installed certificates" you mean that you installed
ca-certificates into the image, right?
Ross
Yeah, exactly.
If you run 'wget --version' you should be able to find out if you're
running busybox wget or gnu wget. I assume you're expecting gnu wget
as you added wget to your packages, but it's worth quickly checking
that the correct binary is being executed.

Thanks,
--
Paul Barker

Email: paul-/Pkq+***@public.gmane.org
http://www.paulbarker.me.uk
--
Neuer User
2014-05-19 12:02:37 UTC
Post by Paul Barker
Post by Neuer User
Post by Burton, Ross
Post by Neuer User
I need to use wget with https support in my image. So I added "wget" to
my packages.
By "installed certificates" you mean that you installed
ca-certificates into the image, right?
Ross
Yeah, exactly.
If you run 'wget --version' you should be able to find out if you're
running busybox wget or gnu wget. I assume you're expecting gnu wget
as you added wget to your packages, but it's worth quickly checking
that the correct binary is being executed.
Thanks,
~# wget --version
GNU Wget 1.14 built on linux-gnueabi.

+digest +https +ipv6 -iri -large-file +nls +ntlm +opie +ssl/openssl

Wgetrc:
/etc/wgetrc (system)
Locale: /usr/share/locale
Compile: arm-poky-linux-gnueabi-gcc -march=armv7-a -mthumb-interwork
-mfloat-abi=hard -mfpu=neon -mtune=cortex-a9
--sysroot=/home/ubuntu/yocto/build/tmp/sysroots/cubox-i
-DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
-DLOCALEDIR="/usr/share/locale" -I.

-I/home/ubuntu/yocto/build/tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/wget/1.14-r16.0/wget-1.14/src
-I../lib
-I/home/ubuntu/yocto/build/tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/wget/1.14-r16.0/wget-1.14/lib
-O2 -pipe -g -feliminate-unused-debug-types
Link: arm-poky-linux-gnueabi-gcc -march=armv7-a -mthumb-interwork
-mfloat-abi=hard -mfpu=neon -mtune=cortex-a9
--sysroot=/home/ubuntu/yocto/build/tmp/sysroots/cubox-i -O2 -pipe
-g -feliminate-unused-debug-types -Wl,-O1 -Wl,--hash-style=gnu
-Wl,--as-needed -lssl
/home/ubuntu/yocto/build/tmp/sysroots/cubox-i/lib/libcrypto.so -lz
-ldl -lz -lz -lpcre ftp-opie.o openssl.o http-ntlm.o
../lib/libgnu.a

Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic-Sn97VrDLz2sdnm+***@public.gmane.org>.
Please send bug reports and questions to <bug-wget-mXXj517/***@public.gmane.org>.


Looks, as if I get the right one, but strangely without working
certificates check...


--
Neuer User
2014-05-21 09:37:50 UTC
Nobody any idea?

I really need certificate support in wget. What am I missing? I guess,
it is a very stupid error on my side, but I just don't know which.

Michael
--
Burton, Ross
2014-05-21 10:27:27 UTC
Post by Neuer User
I really need certificate support in wget. What am I missing? I guess,
it is a very stupid error on my side, but I just don't know which.
Try passing --ca-certificate=/etc/ssl/certs/ca-certificates.crt to
verify that wget works if you tell it exactly where the certificate
bundle is.

Ross
--
Neuer User
2014-05-21 10:56:20 UTC
Thanks Paul.

That's it. It doesn't seem to know where they are. If I add the option
with the path, it works.

Do I miss something in my local.conf?

Cheers

Michael
Post by Burton, Ross
Post by Neuer User
I really need certificate support in wget. What am I missing? I guess,
it is a very stupid error on my side, but I just don't know which.
Try passing --ca-certificate=/etc/ssl/certs/ca-certificates.crt to
verify that wget works if you tell it exactly where the certificate
bundle is.
Ross
--
Neuer User
2014-05-21 11:25:45 UTC
Very sorry for mixing up your name with Paul's, Ross.

Sorry,

Michael

--
Burton, Ross
2014-05-21 15:02:21 UTC
Post by Neuer User
That's it. It doesn't seem to know where they are. If I add the option
with the path, it works.
Do I miss something in my local.conf?
No, OpenSSL should know where they are out of this, this is probably a
problem with the OpenSSL recipe.

GnuTLS is known to integrate better in general, so you might want to
try applying this patch to switch wget to GnuTLS:

http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/commit/?id=8f42471e4bd5505a1f2766bbc675d23e078dfdc7

Ross
--
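
Added example, not part of the original thread and not Yocto or wget project code: one way to check on the target whether OpenSSL's built-in default trust locations are populated, and to print the wgetrc line that pins the bundle path used above. It assumes wget falls back to OpenSSL's defaults (OPENSSLDIR/cert.pem and hashed entries in OPENSSLDIR/certs) when no --ca-certificate is given; the function names are hypothetical.

```shell
#!/bin/sh
# Assumption: bundle path is the one quoted in the thread; override with BUNDLE=...
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Extract the directory from `openssl version -d` output,
# e.g. OPENSSLDIR: "/usr/lib/ssl"  ->  /usr/lib/ssl
parse_openssldir() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Report what OpenSSL's default lookup would find under a given OPENSSLDIR.
# Prints one of: file, hashed-dir, none
default_store_state() {
    dir="$1"
    if [ -s "$dir/cert.pem" ]; then
        echo file
        return 0
    fi
    # The default CA directory is searched only by subject-hash names
    # (<8 hex digits>.<n>); a plain bundle file placed there is not read.
    for f in "$dir"/certs/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -e "$f" ]; then
            echo hashed-dir
            return 0
        fi
    done
    echo none
}

# wgetrc setting equivalent to passing --ca-certificate on every call
wgetrc_line() {
    printf 'ca_certificate = %s\n' "$1"
}

diagnose() {
    out=$(openssl version -d 2>/dev/null) || { echo "openssl CLI not installed"; return 2; }
    dir=$(parse_openssldir "$out")
    state=$(default_store_state "$dir")
    echo "OPENSSLDIR=$dir default-store=$state"
    if [ "$state" = none ] && [ -s "$BUNDLE" ]; then
        echo "add to /etc/wgetrc: $(wgetrc_line "$BUNDLE")"
    fi
}

# Run on the target as: sh check-ca.sh run
if [ "${1:-}" = run ]; then diagnose; fi
```

A result of "none" while the bundle file exists matches the symptom in this thread: verification fails by default but succeeds once the path is given explicitly.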
