Hi,

Using mTLS with self-signed certificates with various tools, it seems wget misbehaves and does not add a legitimate self-signed CA provided with the --ca-certificate flag to the CA pool used internally. (I expect that the same issue exists with TLS.)
The CA pem is legitimate and well structured, as it is used successfully with other tools: (1) curl (see below), (2) the standard Go client and server.

Wget indicates "Self-signed certificate encountered" as an output although the CA pem is provided using --ca-certificate. Wget provides the same response with and without the --ca-certificate...

Here is an example:
----------------------------
% ./hack/ping.sh
Connect to remote server using mTLS and self signed certificates
Try Curl:
+ curl https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud --key prk.pem --cert cert.pem --cacert ca.pem
Hello little client, happy to serve you today
+ set +x
Try Wget:
+ wget https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud --private-key prk.pem --certificate cert.pem --ca-certificate ca.pem
--2023-12-09 08:43:37-- https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud/
Resolving myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)... 169.63.244.138
Connecting to myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)|169.63.244.138|:443... connected.
ERROR: cannot verify myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud's certificate, issued by ‘CN=test,O=test.research.ibm.com’:
  Self-signed certificate encountered.
To connect to myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud insecurely, use `--no-check-certificate'.
+ set +x
----------------------------

When running with debug mode:
----------------------------
./hack/ping.sh
Connect to remote server using mTLS and self signed certificates
Try Curl:
+ curl -v https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud --key prk.pem --cert cert.pem --cacert ca.pem
*   Trying 169.63.244.138:443...
* Connected to myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud (169.63.244.138) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: ca.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Certificate (11):
* (304) (OUT), TLS handshake, CERT verify (15):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: O=test.research.ibm.com; CN=test
*  start date: Dec  9 06:42:29 2023 GMT
*  expire date: Jan  8 06:42:29 2024 GMT
*  subjectAltName: host "myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud" matched cert's "myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud"
*  issuer: O=test.research.ibm.com; CN=test
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x147811e00)
> GET / HTTP/2
> Host: myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< content-length: 51
< date: Sat, 09 Dec 2023 06:53:45 GMT
<
Hello little client, happy to serve you today
* Connection #0 to host myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud left intact
+ set +x
Try Wget:
+ wget -d https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud --private-key prk.pem --certificate cert.pem --ca-certificate ca.pem
Setting --private-key (privatekey) to prk.pem
Setting --certificate (certificate) to cert.pem
Setting --ca-certificate (cacertificate) to ca.pem
DEBUG output created by Wget 1.21.4 on darwin22.4.0.

Reading HSTS entries from /Users/davidhadas/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2023-12-09 08:53:45-- https://myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud/
Resolving myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)... 169.63.244.138
Caching myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud => 169.63.244.138
Connecting to myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud (myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud)|169.63.244.138|:443... connected.
Created socket 5.
Releasing 0x0000600003c62480 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 5 to SSL handle 0x0000000143008200
certificate:
  subject: CN=test,O=test.research.ibm.com
  issuer:  CN=test,O=test.research.ibm.com
ERROR: cannot verify myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud's certificate, issued by ‘CN=test,O=test.research.ibm.com’:
  Self-signed certificate encountered.
To connect to myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud insecurely, use `--no-check-certificate'.
Closed 5/SSL 0x0000000143008200
+ set +x
----------------------------

Tnx,
David Hadas
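The report above turns on one detail visible in both transcripts: the server certificate's subject and issuer are identical (CN=test,O=test.research.ibm.com), so the server presents a self-signed certificate and the file passed with --ca-certificate / --cacert must contain that certificate itself (or its issuer) for verification to succeed. The Go program below is an added example, not David's code and not part of wget or curl; it builds the two certificate shapes involved (a leaf issued by a self-signed CA, and a leaf that is itself self-signed) and verifies each against a root pool populated only from a PEM file, the way a --ca-certificate option is expected to. The host name ExampleHost and every certificate and key are constructed inside the program; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ExampleHost is a constructed name; the host from the report is not reused.
const ExampleHost = "myapp.example.invalid"

// newKey makes a fresh P-256 key; every certificate below gets its own.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"test"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// sign encodes tmpl as PEM; a nil parent makes it sign itself (subject == issuer).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func parse(pemBytes []byte) *x509.Certificate {
	block, _ := pem.Decode(pemBytes) // a nil block means the input was not PEM
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic(err)
	}
	return c
}

// NewCA returns a self-signed CA certificate (PEM) and its private key.
func NewCA() ([]byte, *ecdsa.PrivateKey) {
	key := newKey()
	t := template("test-ca", 1)
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	return sign(t, nil, &key.PublicKey, key), key
}

// NewLeaf returns a server certificate for host: issued by the CA, or self-signed when both are nil.
func NewLeaf(host string, caPEM []byte, caKey *ecdsa.PrivateKey) []byte {
	key := newKey()
	t := template(host, 2)
	t.DNSNames = []string{host}
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if caPEM == nil {
		return sign(t, nil, &key.PublicKey, key)
	}
	return sign(t, parse(caPEM), &key.PublicKey, caKey)
}

// IsSelfSigned: subject equals issuer and the signature verifies under the cert's own key.
func IsSelfSigned(certPEM []byte) bool {
	c := parse(certPEM)
	return string(c.RawSubject) == string(c.RawIssuer) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// VerifyAgainstPool trusts only the certificates in caPEM, as --ca-certificate / --cacert
// are expected to, and verifies the server certificate presented for host.
func VerifyAgainstPool(certPEM, caPEM []byte, host string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no usable certificate in CA file")
	}
	_, err := parse(certPEM).Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	caPEM, caKey := NewCA()
	fmt.Println("CA-issued leaf, CA in pool:      ", VerifyAgainstPool(NewLeaf(ExampleHost, caPEM, caKey), caPEM, ExampleHost))
	self := NewLeaf(ExampleHost, nil, nil)
	fmt.Println("self-signed leaf, itself in pool:", VerifyAgainstPool(self, self, ExampleHost), IsSelfSigned(self))
	fmt.Println("self-signed leaf, wrong CA:      ", VerifyAgainstPool(self, caPEM, ExampleHost))
}
```

Run with `go run .`: the first two checks return a nil error (Go's verifier accepts a self-signed certificate that is present in the root pool, which matches the curl result in the report), while the third fails because the pool holds a different CA. Comparing IsSelfSigned on the served certificate with the contents of ca.pem is a quick way to confirm whether a CA file actually contains the certificate the server presents before attributing a failure to the client.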