Ubuntu – wget fails by a certificate problem

certificatesnetworkingopensslwget

Same problem as wget interrupted by a certificate problem:

After do-release-upgrade from 16.04 to 18.01

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. 
Check your Internet connection or proxy settings

wget https://changelogs.ubuntu.com/meta-release-lts

--2018-09-15 08:03:41--  https://changelogs.ubuntu.com/meta-release-lts
Resolving changelogs.ubuntu.com (changelogs.ubuntu.com)... 91.189.95.15, 2001:67c:1560:8008::11
Connecting to changelogs.ubuntu.com (changelogs.ubuntu.com)|91.189.95.15|:443... connected.
ERROR: cannot verify changelogs.ubuntu.com's certificate, issued by ‘CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US’:
  Unable to locally verify the issuer's authority.
To connect to changelogs.ubuntu.com insecurely, use `--no-check-certificate'.

Also (as root):

# update-ca-certificates

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

# wget https://www.google.com/

--2018-09-16 16:54:31--  https://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.201.164, 2a00:1450:4003:80a::2004
Connecting to www.google.com (www.google.com)|216.58.201.164|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by ‘CN=Google Internet Authority G3,O=Google Trust Services,C=US’:
  Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.

Update 2018-10-23:

openssl s_client -connect www.google.com:443 -debug

fails

openssl s_client  -connect www.google.com:443 --debug --CApath /etc/ssl/certs/

works

 wget https://www.google.com/  --ca-directory=/etc/ssl/certs/

works, so why is the default ca-directory not /etc/ssl/certs/? and do I set it?

New Update and solved:

strace -e openat wget https://your-url

I saw that it was using /usr/local/lib/libssl.so.1.1, so I found one openssl installed on /usr/local, and after deleting it, the problem was fixed.

Thanks

Best Answer

The thread: Problem with certificates helped me to solve the problem.

user mirabilos explain the commands to reinstall the ca-certificates

sudo apt-get install --reinstall ca-certificates
sudo apt-get -f install
sudo dpkg --purge --force-depends ca-certificates
sudo apt-get -f install

Related Solutions

Ubuntu – OpenSSL not picking up CAs in certs folder

There are several cryptographic libraries on your system:

OpenSSL (the gold standard, with a BSD-style (very free) licence that includes a somewhat problematic clause (preventing GPL compatibility, but nothing “bad”) limiting its adoption in the GNU world)
GnuTLS (the replacement from the FSF; comes in two flavours, LGPLv2-licenced (but unmaintained) and LGPLv3-licenced (and thus incompatible with GPLv2-only programs); historically not as featureful as OpenSSL, a bit more buggy, but more strict too, which enhances security)
NSS (Netscape/Mozilla's library, rarely used outside; slow to adopt new standards)
minor ones like PolarSSL, MatrixSSL, NaCl/Salt

All of them have, of course, similarities and differences. Software that uses them (for cryptographic purposes, or to use SSL/TLS) sometimes supports using more than one of these libraries (for example Lynx, the web browser, is normally linked against OpenSSL but supports GnuTLS too (just not as good) in order to appease the GNU people).

cURL also is one of the projects supporting using either of the three major crypto libraries. This is mostly because cURL is, primary, a library intended to be used by yet other programs when they want to download (or even upload) things using http, ftp, etc. connections. The curl command-line tool can come from either of these variants.

Now, I'm fairly sure that the problem you're seeing with the not-freshly-installed system is the following:

OpenSSL and GnuTLS both support using /etc/ssl/certs/<hash>.<number>-style CA directories. OpenSSL version 0.x and GnuTLS however use a different algorithm to calculate the aforementioned hash than OpenSSL version 1.x uses. (Both can coëxist on a system; if different certificates have the same hash you just use a differing number for them. But for some reason, Debian/Ubuntu's ca-certificates package doesn't seem to do this.) Additionally, some versions of GnuTLS did not support using the directory, but only using a file /etc/ssl/certs/ca-certificates.crt (which is also usually managed by the ca-certificates package's maintainer scripts, but can deviate); you seem to be using an older version, so this may be the thing you hit.

openssl s_client by default (i.e. without the -CApath or -CAfile option) does not look anywhere for certificates.

Your curl from the upgraded installation most likely uses a different crypto library than the curl from the fresh installation.

Try openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect the-problem-site.com:443 in addition to openssl s_client -CApath /etc/ssl/certs -connect the-problem-site.com:443 to mimic the behaviour of older GnuTLS versions.

Double-check if there's an OpenSSL 1.x anywhere on your system (Ubuntu is known for sneaking major updates even into LTS versions), and if yes, check the hash of the file:

openssl x509 -noout -hash -in /etc/ssl/certs/GeoTrust_Global_CA.pem
openssl x509 -noout -subject_hash_old -in /etc/ssl/certs/GeoTrust_Global_CA.pem
openssl x509 -noout -subject_hash -in /etc/ssl/certs/GeoTrust_Global_CA.pem

Normally, either, the second and third command should fail (OpenSSL 0.x), or the first and third command should display the same hash but the second one should display a different hash (OpenSSL 1.x). GnuTLS would use the output from the second command (if OpenSSL 1.x is installed); if OpenSSL 0.x is installed that's the same hash. You can create such symlinks manually.

I can update this posting once you provide debugging feedback.

Ubuntu – Wget interrupted by a certificate problem

You can preconfigure your wget calls in /etc/wgetrc or for a specific user in ~/.wgetrc. Perhaps on your friend's PC one of these files contained the directive

check_certificate = on/off

Further options see https://www.gnu.org/software/wget/manual/wget.html#Startup-File

Best Answer

Related Solutions

Ubuntu – OpenSSL not picking up CAs in certs folder

Ubuntu – Wget interrupted by a certificate problem

Related Question