Re: wget does not recognize PKI?
On 2018-08-05 14:03, Csaba Raduly wrote:
> On Sun, Aug 5, 2018 at 7:36 PM, Marco Atzeri wrote:
>> Am 05.08.2018 um 19:12 schrieb Andrey Repin:
>>> $ wget https://ca.rootdir.org/ca.crl
>>> --2018-08-05 20:05:28-- https://ca.rootdir.org/ca.crl
>>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
>>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>>
>>> What's going on?
>>
>> It seems not a cygwin issue:
>>
>> "This connection is not secure
>>
>> The owner of ca.rootdir.org did not properly configure the site. Firefox has
>> not affiliated with this site to protect your information from theft."
>
> And not just Firefox :
>
> $ curl -v https://ca.rootdir.org/ca.crl
> * STATE: INIT => CONNECT handle 0x600057990; line 1404 (connection #-5000)
> * Added connection 0. The cache now contains 1 members
> * STATE: CONNECT => WAITRESOLVE handle 0x600057990; line 1440 (connection #0)
> * Trying 77.50.25.68...
> * TCP_NODELAY set
> * STATE: WAITRESOLVE => WAITCONNECT handle 0x600057990; line 1521 (connection #0)
> * Connected to ca.rootdir.org (77.50.25.68) port 443 (#0)
> * STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x600057990; line 1573 (connection #0)
> * Marked for [keep alive]: HTTP default
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
>   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x600057990; line 1587 (connection #0)
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS alert, Server hello (2):
> * SSL certificate problem: self signed certificate in certificate chain
> * Marked for [closure]: Failed HTTPS connection
> * multi_done
> * stopped the pause stream!
> * Closing connection 0
> * The cache now contains 0 members
> * Expire cleared
> curl: (60) SSL certificate problem: self signed certificate in certificate chain
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.

Given that it's his own domain and root cert, not surprising it's not in
Mozilla's root CA list.

Lots of business gets done using counterparty certs with organization CA
roots not in any public or central repos, or just self-signed: avoids
accessing or giving CAs any info or money and dealing with fallout from
vendor issues.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Re: wget does not recognize PKI?
Greetings, Lee!

> On 8/5/18, Andrey Repin wrote:
>> Greetings, All!
>
> Greetings, Andrey Repin!
>
>> $ wget https://ca.rootdir.org/ca.crl
>> --2018-08-05 20:05:28-- https://ca.rootdir.org/ca.crl
>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>
>> $ "$( which wget )" --version
>> GNU Wget 1.19.1 built on cygwin.
>>
>> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
>> +opie +psl +ssl/gnutls
>>
>> The root CA certificate is correctly installed and hashed.
>
> Apparently not.

curl and openssl see it. Both Cygwin and native openssl.

> Does it work if you tell wget to use your root CA cert?
>
> ‘--ca-certificate=FILE’

It does, of course, but why doesn't it see the PKI by itself?

$ wget --ca-certificate=/etc/ssl/certs/dd07c56a.0 https://ca.rootdir.org/ca.crl
--2018-08-06 12:46:14-- https://ca.rootdir.org/ca.crl
Loaded CA certificate '/etc/ssl/certs/dd07c56a.0'
Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 872 [application/octet-stream]
Saving to: ‘ca.crl’

ca.crl 100%[>] 872 --.-KB/s in 0s

2018-08-06 12:46:14 (18.0 MB/s) - ‘ca.crl’ saved [872/872]

> Use FILE as the file with the bundle of certificate authorities
> (“CA”) to verify the peers. The certificates must be in PEM
> format.
> Without this option Wget looks for CA certificates at the
> system-specified locations, chosen at OpenSSL installation time.
>
> & you probably have, but to be sure.. you looked at 'info
> update-ca-trust' - right?

No. Hashing /etc/ssl/certs has been enough for a long while.
I followed the directions, and it indeed fixed the issue, but I'm surprised
by the change in behavior.

--
With best regards,
Andrey Repin
Monday, August 6, 2018 12:44:13

Sorry for my terrible english...
Re: wget does not recognize PKI?
Greetings, Csaba Raduly!

> On Sun, Aug 5, 2018 at 7:36 PM, Marco Atzeri wrote:
>> Am 05.08.2018 um 19:12 schrieb Andrey Repin:
>>>
>>> Greetings, All!
>>>
>>> $ wget https://ca.rootdir.org/ca.crl
>>> --2018-08-05 20:05:28-- https://ca.rootdir.org/ca.crl
>>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
>>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>>
>>> What's going on?
>>>
>>
>> It seems not a cygwin issue:
>>
>> "This connection is not secure
>>
>> The owner of ca.rootdir.org did not properly configure the site. Firefox has
>> not affiliated with this site to protect your information from theft."
>>

As I said, the root CA certificate is properly installed.

> And not just Firefox :
>
> $ curl -v https://ca.rootdir.org/ca.crl

$ curl -v https://ca.rootdir.org/ca.crl
* STATE: INIT => CONNECT handle 0x600057ac0; line 1404 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x600057ac0; line 1440 (connection #0)
* Trying 192.168.1.6...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x600057ac0; line 1521 (connection #0)
* Connected to ca.rootdir.org (192.168.1.6) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x600057ac0; line 1573 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x600057ac0; line 1587 (connection #0)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=RU; ST=RF; L=Moscow; CN=Rootdir CA webserver
*  start date: Nov 21 17:47:29 2017 GMT
*  expire date: Nov 22 17:47:29 2018 GMT
*  subjectAltName: host "ca.rootdir.org" matched cert's "ca.rootdir.org"
*  issuer: C=RU; L=Moscow; CN=Andrey Repin; emailAddress=anrdae...@rootdir.org
*  SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x600057ac0; line 1608 (connection #0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x600057ac0)
> GET /ca.crl HTTP/2
> Host: ca.rootdir.org
> User-Agent: curl/7.59.0
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x600057ac0; line 1670 (connection #0)
* multi changed, check CONNECT_PEND queue!
* STATE: DO_DONE => WAITPERFORM handle 0x600057ac0; line 1795 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x600057ac0; line 1811 (connection #0)
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* multi changed, check CONNECT_PEND queue!
* HTTP/2 found, allow multiplexing
< HTTP/2 200
< server: nginx/1.14.0
< date: Mon, 06 Aug 2018 09:41:25 GMT
< content-type: application/octet-stream
< content-length: 872
< last-modified: Sun, 05 Aug 2018 16:51:59 GMT
< etag: "5b672b2f-368"
< accept-ranges: bytes
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 872)
* Kill stream: Transfer returned error
* multi_done
* Connection #0 to host ca.rootdir.org left intact
* Expire cleared

[23]anrdaemon@daemon2:xterm:~
$ "$( which curl )" --version
curl 7.59.0 (x86_64-unknown-cygwin) libcurl/7.59.0 OpenSSL/1.0.2o zlib/1.2.11 libidn2/2.0.4 libpsl/0.18.0 (+libidn2/2.0.2) libssh2/1.7.0 nghttp2/1.31.0
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Debug IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink

--
With best regards,
Andrey Repin
Monday, August 6, 2018 12:41:08

Sorry for my terrible english...
Re: wget does not recognize PKI?
On 8/5/18, Andrey Repin wrote:
> Greetings, All!

Greetings, Andrey Repin!

> $ wget https://ca.rootdir.org/ca.crl
> --2018-08-05 20:05:28-- https://ca.rootdir.org/ca.crl
> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>
> $ "$( which wget )" --version
> GNU Wget 1.19.1 built on cygwin.
>
> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
> +opie +psl +ssl/gnutls
>
> The root CA certificate is correctly installed and hashed.

Apparently not.

Does it work if you tell wget to use your root CA cert?

‘--ca-certificate=FILE’
    Use FILE as the file with the bundle of certificate authorities
    (“CA”) to verify the peers. The certificates must be in PEM
    format.
    Without this option Wget looks for CA certificates at the
    system-specified locations, chosen at OpenSSL installation time.

& you probably have, but to be sure.. you looked at 'info
update-ca-trust' - right?

This might help verify your trust store:

$ cat listcerts.sh
#!/bin/sh
# ref: https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle

if [ $# -eq 1 ]; then
  # bundle specified
  FILE="$1"
  if [ ! -r "$FILE" ]; then
    echo "p1 unreadable: $FILE"
    exit 1
  fi
else
  FILE="/usr/ssl/certs/ca-bundle.crt"
  # FILE="/etc/pki/tls/certs/ca-bundle.crt"
  # FILE="/etc/pki/tls/certs/ca-bundle.trust.crt"
fi

# Collect each "-----BEGIN ... -----END" block and pipe it to openssl.
# The PEM markers start with a run of dashes, so match "^-+BEGIN", not "^-BEGIN".
cat "$FILE" |\
awk -v cmd="openssl x509 -noout -subject " '
  /^-+BEGIN/ { c = $0; next }
  { c = c "\n" $0 }
  /^-+END/ { print c|cmd; close(cmd); c = "" }
'
# openssl x509 -noout -text     # to see all the certificate info
# openssl x509 -noout -subject  # to see just the subject
$

Regards,
Lee

>
> $ ls -l /etc/ssl/certs/
> total 3
> lrwxrwxrwx 1 anrdaemon None 13 мар 31 01:30 a94d09e5.0 -> ca-bundle.crt
> lrwxrwxrwx 1 anrdaemon None 49 мар 12 02:29 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> lrwxrwxrwx 1 anrdaemon None 55 мар 12 02:29 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> lrwxrwxrwx 1 anrdaemon None 18 мар 31 01:30 dd07c56a.0 -> Rootdir.org_CA.crt
> drwxr-xr-x+ 1 anrdaemon None 0 апр 22 16:50 demo
> drwxr-xr-x+ 1 anrdaemon None 0 апр 22 16:50 expired
> -rw-r--r-- 1 anrdaemon None 165 апр 3 14:04 README.RootCerts
> lrwxrwxrwx 1 anrdaemon None 29 фев 14 04:41 Rootdir.org_CA.crt -> /etc/ssl/ca-20120530-0121.crt
>
> What's going on?
>
>
> --
> With best regards,
> Andrey Repin
> Sunday, August 5, 2018 20:07:02
>
> Sorry for my terrible english...
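Lee's script lists the subjects in a bundle; the check below, added here as an example and not code from the thread, answers the question Andrey's follow-up raises: whether a given CA certificate is actually inside the bundle file a client reads, rather than only present as a hashed symlink such as /etc/ssl/certs/dd07c56a.0 (Andrey's curl trace shows OpenSSL also scanning "CApath: /etc/ssl/certs", which wget's run did not). The function names and file layout are assumptions, and the sample certificates are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread: is a CA certificate actually inside
# the PEM bundle file a client reads? A hashed symlink such as
# /etc/ssl/certs/dd07c56a.0 only serves clients that scan a CApath directory;
# a client that reads one CAfile needs the certificate inside that file.

# Print the base64 body of the first certificate in PEM file $1 as one line.
pem_body() {
  awk '/^-+BEGIN CERTIFICATE/ { f = 1; next }
       /^-+END CERTIFICATE/   { exit }
       f { printf "%s", $0 }' "$1"
}

# Print one line per certificate in bundle $1 (each body joined into one line).
# Comment lines and text outside the BEGIN/END markers are ignored.
bundle_bodies() {
  awk '/^-+BEGIN CERTIFICATE/ { f = 1; b = ""; next }
       /^-+END CERTIFICATE/   { f = 0; print b; next }
       f { b = b $0 }' "$1"
}

# Number of certificates in bundle $1.
count_certs() {
  bundle_bodies "$1" | wc -l | tr -d ' '
}

# Return 0 if the certificate in file $1 appears in bundle $2, 1 if it does
# not, 2 if $1 contains no certificate at all.
ca_in_bundle() {
  body=$(pem_body "$1")
  [ -n "$body" ] || return 2
  bundle_bodies "$2" | grep -qxF -- "$body"
}

# Write constructed placeholder PEM files (not real certificates) into a
# temporary directory and print its path: ca.pem is in bundle.pem, other.pem
# is not. They stand in for Rootdir.org_CA.crt and tls-ca-bundle.pem.
make_samples() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedRootdirCA01' \
    'MIIBconstructedRootdirCA02' '-----END CERTIFICATE-----' > "$d/ca.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedOtherCA0001' \
    '-----END CERTIFICATE-----' > "$d/other.pem"
  { printf '%s\n' '# constructed bundle'
    cat "$d/ca.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedPublicCA001' \
      '-----END CERTIFICATE-----'
  } > "$d/bundle.pem"
  echo "$d"
}

# On a real system the same check would read, for instance:
#   ca_in_bundle /etc/ssl/certs/Rootdir.org_CA.crt /etc/ssl/certs/ca-bundle.crt
```

A return code of 1 for a CA that is hashed in /etc/ssl/certs is exactly the state the thread describes: OpenSSL-based curl finds it through CApath, while a client that only reads the bundle does not until the bundle is regenerated.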
Re: wget does not recognize PKI?
On Sun, Aug 5, 2018 at 7:36 PM, Marco Atzeri wrote:
> Am 05.08.2018 um 19:12 schrieb Andrey Repin:
>>
>> Greetings, All!
>>
>> $ wget https://ca.rootdir.org/ca.crl
>> --2018-08-05 20:05:28-- https://ca.rootdir.org/ca.crl
>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>
>> What's going on?
>>
>
> It seems not a cygwin issue:
>
> "This connection is not secure
>
> The owner of ca.rootdir.org did not properly configure the site. Firefox has
> not affiliated with this site to protect your information from theft."
>

And not just Firefox :

$ curl -v https://ca.rootdir.org/ca.crl
* STATE: INIT => CONNECT handle 0x600057990; line 1404 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x600057990; line 1440 (connection #0)
* Trying 77.50.25.68...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x600057990; line 1521 (connection #0)
* Connected to ca.rootdir.org (77.50.25.68) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x600057990; line 1573 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x600057990; line 1587 (connection #0)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Marked for [closure]: Failed HTTPS connection
* multi_done
* stopped the pause stream!
* Closing connection 0
* The cache now contains 0 members
* Expire cleared
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Csaba
--
You can get very substantial performance improvements
by not doing the right thing. - Scott Meyers, An Effective C++11/14 Sampler
So if you're looking for a completely portable, 100% standards-conformat way
to get the wrong information: this is what you want. - Scott Meyers (C++TDaWYK)
Re: wget does not recognize PKI?
Am 05.08.2018 um 19:12 schrieb Andrey Repin:
> Greetings, All!
>
> $ wget https://ca.rootdir.org/ca.crl
> --2018-08-05 20:05:28-- https://ca.rootdir.org/ca.crl
> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>
> What's going on?

It seems not a cygwin issue:

"This connection is not secure

The owner of ca.rootdir.org did not properly configure the site. Firefox has
not affiliated with this site to protect your information from theft."
wget does not recognize PKI?
Greetings, All!

$ wget https://ca.rootdir.org/ca.crl
--2018-08-05 20:05:28-- https://ca.rootdir.org/ca.crl
Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.

$ "$( which wget )" --version
GNU Wget 1.19.1 built on cygwin.

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
+opie +psl +ssl/gnutls

The root CA certificate is correctly installed and hashed.

$ ls -l /etc/ssl/certs/
total 3
lrwxrwxrwx 1 anrdaemon None 13 мар 31 01:30 a94d09e5.0 -> ca-bundle.crt
lrwxrwxrwx 1 anrdaemon None 49 мар 12 02:29 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 anrdaemon None 55 мар 12 02:29 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
lrwxrwxrwx 1 anrdaemon None 18 мар 31 01:30 dd07c56a.0 -> Rootdir.org_CA.crt
drwxr-xr-x+ 1 anrdaemon None 0 апр 22 16:50 demo
drwxr-xr-x+ 1 anrdaemon None 0 апр 22 16:50 expired
-rw-r--r-- 1 anrdaemon None 165 апр 3 14:04 README.RootCerts
lrwxrwxrwx 1 anrdaemon None 29 фев 14 04:41 Rootdir.org_CA.crt -> /etc/ssl/ca-20120530-0121.crt

What's going on?

--
With best regards,
Andrey Repin
Sunday, August 5, 2018 20:07:02

Sorry for my terrible english...