Greetings, Lee!

> On 8/5/18, Andrey Repin wrote:
>> Greetings, All!

> Greetings, Andrey Repin!

>> $ wget https://ca.rootdir.org/ca.crl
>> --2018-08-05 20:05:28-- https://ca.rootdir.org/ca.crl
>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443...
>> connected.
>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>
>> $ "$( which wget )" --version
>> GNU Wget 1.19.1 built on cygwin.
>>
>> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
>> +opie +psl +ssl/gnutls
>>
>> The root CA certificate is correctly installed and hashed.

> Apparently not.

curl and openssl see it. Both Cygwin and native openssl.

> Does it work if you tell wget to use your root CA cert?

> ‘--ca-certificate=FILE’

It does, of course, but why doesn't it see the PKI by itself?

$ wget --ca-certificate=/etc/ssl/certs/dd07c56a.0 https://ca.rootdir.org/ca.crl
--2018-08-06 12:46:14-- https://ca.rootdir.org/ca.crl
Loaded CA certificate '/etc/ssl/certs/dd07c56a.0'
Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 872 [application/octet-stream]
Saving to: ‘ca.crl’

ca.crl 100%[================================>] 872 --.-KB/s in 0s

2018-08-06 12:46:14 (18.0 MB/s) - ‘ca.crl’ saved [872/872]

> Use FILE as the file with the bundle of certificate authorities
> (“CA”) to verify the peers. The certificates must be in PEM
> format.

> Without this option Wget looks for CA certificates at the
> system-specified locations, chosen at OpenSSL installation time.

> & you probably have, but to be sure.. you looked at 'info
> update-ca-trust' - right?

No. Hashing /etc/ssl/certs has been enough for a long while.
I followed the directions, and it indeed fixed the issue, but I'm surprised by
the change in behavior.

-- 
With best regards,
Andrey Repin
Monday, August 6, 2018 12:44:13

Sorry for my terrible English...
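
Added example (not part of the original message, and not wget or Cygwin code): a way to check the condition this thread turns on, namely whether a CA certificate is present in the PEM bundle a client loads rather than only hashed in /etc/ssl/certs. The function names are hypothetical, the sample PEM bodies are constructed placeholders, and the bundle path is whatever file your TLS client reads, which the thread does not name.

```shell
#!/bin/sh
# Added example: is a CA certificate present in the PEM bundle a TLS client loads?
# Pure text comparison of PEM bodies; it does not validate certificates.

# pem_bodies FILE: print each certificate's base64 body as one line.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# ca_in_bundle CERT BUNDLE: 0 = found, 1 = not found, 2 = CERT holds no certificate.
ca_in_bundle() {
    want=$(pem_bodies "$1" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$2" | grep -qxF -- "$want"
}

# trust_status CERT BUNDLE: print a one-word verdict.
trust_status() {
    rc=0
    ca_in_bundle "$1" "$2" || rc=$?
    case $rc in
        0) echo "in-bundle" ;;
        2) echo "no-certificate" ;;
        *) echo "missing-from-bundle" ;;
    esac
}

# make_sample DIR: write constructed files (placeholder base64, not real certificates).
make_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TXlDb25zdHJ1Y3RlZFJv' 'b3RDQQ==' \
        '-----END CERTIFICATE-----' > "$1/myca.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'T3RoZXJDb25zdHJ1Y3RlZENB' \
        '-----END CERTIFICATE-----' > "$1/bundle-before.pem"
    # Same CA with CRLF line endings and a different wrap, as a bundle tool may emit.
    { cat "$1/bundle-before.pem"
      printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'TXlDb25zdHJ1Y3RlZFJvb3RDQQ==' \
          '-----END CERTIFICATE-----'; } > "$1/bundle-after.pem"
}

# Usage: sh script.sh CERT BUNDLE
if [ $# -eq 2 ]; then trust_status "$1" "$2"; fi
```

Run it against the CA file and the bundle before and after refreshing the trust store; "missing-from-bundle" alongside a working `--ca-certificate=FILE` matches the symptom shown in the thread.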