Re: wget certificates
On Thu, 02 Jun 2011 16:58:23 +0200, Kamil Jońca wrote: Camaleón noela...@gmail.com writes: (...) Just for testing purposes, what happens when you run this? wget --no-check-certificate https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Works. (note that should still getting through the encrypted channel) Moreover, are you getting the same error with another https://; site? I.e.: wget https://www.google.com Works. Hum... so it fails with one site but not all. Curious. Let me make some tests in my wheezy box: test@debian:~$ wget https://www.centrum24.pl/bzwbkonline/eSmart.html? typ=90lang=pl [1] 4632 test@debian:~$ --2011-06-03 15:04:20-- https://www.centrum24.pl/ bzwbkonline/eSmart.html?typ=90 Resolving www.centrum24.pl... 195.20.110.130 Connecting to www.centrum24.pl|195.20.110.130|:443... connected. ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/ O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https:// www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. Wow, here it fails! In lenny it worked perfectly :-O Okay, let's see what curl says: test@debian:~$ curl https://www.centrum24.pl/bzwbkonline/eSmart.html? typ=90lang=pl [1] 4634 test@debian:~$ curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html It also fails here, but the message can be of help because Google returns a bunch of results pointing to some sort of bug here (openssl?). What to do? Dunno, but in the meantime you can safely connect to the site using wget --no-check-certificate because the cert is valid (you already know that because firefox told you so) and traffic is still being sent through SSL. Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.06.03.13.14...@gmail.com
Re: wget certificates
On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote: I have strange problem with wget: (...) Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. Wget cannot validate the CA and thus drops the connection. You can: 1/ Discard https://; and use plain http (unencrypted channel) as suggested (don't do this unless you trust the site you are connecting to). 2/ Install ca-certificates package and point wget so it can find it (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/ cacert.org.crt ...) Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.06.02.11.53...@gmail.com
Re: wget certificates
Camaleón noela...@gmail.com writes: On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote: I have strange problem with wget: (...) Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. Wget cannot validate the CA and thus drops the connection. You can: 1/ Discard https://; and use plain http (unencrypted channel) as suggested (don't do this unless you trust the site you are connecting to) I want to use encrypted channel. 2/ Install ca-certificates package and point wget so it can find it (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/ cacert.org.crt ...) ca-certificates were installed earlier. MOreover using --ca-certificate option (ie. --8---cut here---start-8--- wget -v -x --ca-certificate=/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---end---8--- doesn't change wget's behavior; still wants to open /usr/lib/ssl/certs/415660c1.? ) Moreover i noticed that fetchmail on one of my accounts shows the same - cannot validate CA :( KJ -- http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/ kondensator - kondensatorych - kondensatoremu (odmiana słowa kondensator według MS Word 6.0) -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87ipsos6zd.fsf@alfa.kjonca
Re: wget certificates
On Thu, 02 Jun 2011 15:22:46 +0200, Kamil Jońca wrote: Camaleón noela...@gmail.com writes: On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote: Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. Wget cannot validate the CA and thus drops the connection. You can: 1/ Discard https://; and use plain http (unencrypted channel) as suggested (don't do this unless you trust the site you are connecting to) I want to use encrypted channel. Fair enough :-) Just for testing purposes, what happens when you run this? wget --no-check-certificate https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl (note that should still getting through the encrypted channel) Moreover, are you getting the same error with another https://; site? I.e.: wget https://www.google.com 2/ Install ca-certificates package and point wget so it can find it (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/ cacert.org.crt ...) ca-certificates were installed earlier. MOreover using --ca-certificate option (ie. --8---cut here---start-8--- wget -v -x --ca-certificate=/usr/share/ca-certificates/mozilla/ VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---end---8--- doesn't change wget's behavior; still wants to open /usr/lib/ssl/certs/415660c1.? ) Why are you pointing to that cert specifically? :-? Moreover i noticed that fetchmail on one of my accounts shows the same - cannot validate CA :( That's weird. Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.06.02.14.02...@gmail.com
Re: wget certificates
Camaleón noela...@gmail.com writes: On Thu, 02 Jun 2011 15:22:46 +0200, Kamil Jońca wrote: Camaleón noela...@gmail.com writes: On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote: Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. Wget cannot validate the CA and thus drops the connection. You can: 1/ Discard https://; and use plain http (unencrypted channel) as suggested (don't do this unless you trust the site you are connecting to) I want to use encrypted channel. Fair enough :-) Just for testing purposes, what happens when you run this? wget --no-check-certificate https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Works. (note that should still getting through the encrypted channel) Moreover, are you getting the same error with another https://; site? I.e.: wget https://www.google.com Works. 2/ Install ca-certificates package and point wget so it can find it (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/ cacert.org.crt ...) ca-certificates were installed earlier. MOreover using --ca-certificate option (ie. --8---cut here---start-8--- wget -v -x --ca-certificate=/usr/share/ca-certificates/mozilla/ VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---end---8--- doesn't change wget's behavior; still wants to open /usr/lib/ssl/certs/415660c1.? ) Why are you pointing to that cert specifically? :-? As I wrote earlier - mozilla shows this as final CA for this site. KJ -- http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/ Zanim wlaczysz komputer, zastanow sie: Czy jestes absolutnie pewien(na), ze nie jest podlaczany do wyrzutni rakiet? -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87aae0s2k0.fsf@alfa.kjonca
Re: wget certificates
David Sastre d.sastre.med...@gmail.com writes: On Thu, May 19, 2011 at 07:27:34AM +0200, Kamil Jońca wrote: I have strange problem with wget: $wget -e background = off -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---start-8--- --2011-05-19 07:26:00-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Resolving www.centrum24.pl... 195.20.110.130 Connecting to www.centrum24.pl|195.20.110.130|:443... connected. ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. --8---cut here---end---8--- Connecting with iceweasel seems ok? What is wrong, what to check? KJ Check that your version supports https. It should be listed in the output of 'wget -V'. wget-1.12-2.1 from the squeeze repos supports it. Wget -V --8---cut here---start-8--- GNU Wget 1.12 built on linux-gnu. +digest +ipv6 +nls +ntlm +opie +md5/openssl +https -gnutls +openssl -iri Wgetrc: /home/kjonca/.wgetrc (user) /etc/wgetrc (system) Locale: /usr/share/locale Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=/etc/wgetrc -DLOCALEDIR=/usr/share/locale -I. -I../lib -g -O2 -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -O2 -g -Wall Link: gcc -g -O2 -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -O2 -g -Wall /usr/lib/libssl.so /usr/lib/libcrypto.so -ldl -lrt ftp-opie.o openssl.o http-ntlm.o gen-md5.o ../lib/libgnu.a --8---cut here---end---8--- /etc/wgetrc - exists, but whole file is commented out ~/.wgetrc - only use_proxy = on When I connect to site via Firefox[1], I ends with certificate: --8---cut here---start-8--- S/N 18:DA:D1:9E:26:7D:E8:BB:4A:21:58:CD:CC:6B:3B:4A Subject: CN = VeriSign Class 3 Public Primary Certification Authority - G5 OU = (c) 2006 VeriSign, Inc. - For authorized use only OU = VeriSign Trust Network O = VeriSign, Inc. C = US --8---cut here---end---8--- I have this cert under /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt and after c_rehash I have: --8---cut here---start-8--- ll $(find -type l -lname *VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5*) lrwxrwxrwx 1 root root 64 Jun 2 05:07 ./b204d74a.0 - VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt lrwxrwxrwx 1 root root 64 Jun 2 05:07 ./facacbc6.0 - VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt lrwxrwxrwx 1 root root 99 Jun 2 04:52 ./VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt - /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt lrwxrwxrwx 1 root root 99 Jun 2 05:04 ./VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem - /usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt --8---cut here---end---8--- but stracing wget shows that it try to open completely different file --8---cut here---start-8--- [...] stat(/usr/lib/ssl/certs/415660c1.0, {st_mode=S_IFREG|0644, st_size=834, ...}) = 0 open(/usr/lib/ssl/certs/415660c1.0, O_RDONLY) = 5 [...] --8---cut here---end---8--- (/usr/lib/ssl/certs is symlink to /etc/ssl/certs) Any ideas? KJ [1] - it's Fx4 from http://mozilla.debian.net/ -- http://sporothrix.wordpress.com/2011/01/16/usa-sie-krztusza-kto-nastepny/ Spokojnie... To tylko prowokacja. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/877h94udjv.fsf@alfa.kjonca
Re: wget certificates
On Thu, May 19, 2011 at 07:27:34AM +0200, Kamil Jońca wrote: I have strange problem with wget: $wget -e background = off -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---start-8--- --2011-05-19 07:26:00-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Resolving www.centrum24.pl... 195.20.110.130 Connecting to www.centrum24.pl|195.20.110.130|:443... connected. ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. --8---cut here---end---8--- Connecting with iceweasel seems ok? What is wrong, what to check? KJ Check that your version supports https. It should be listed in the output of 'wget -V'. wget-1.12-2.1 from the squeeze repos supports it. I have tried that URL without problem: $ LANG=C; wget -e background = off -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --2011-05-19 11:29:20-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Resolving www.centrum24.pl... 195.20.110.130 Connecting to www.centrum24.pl|195.20.110.130|:443... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: `www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' [ = ] 29,601 --.-K/s in 0.1s 2011-05-19 11:29:20 (275 KB/s) - `www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' saved [29601] Not knowing the contents of your .wgetrc (if any), I'd check ca_certificate and ca_directory. Failing that, try adding --no-check-certificate. -- Huella de clave primaria: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56 signature.asc Description: Digital signature
wget certificates
I have strange problem with wget: $wget -e background = off -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---start-8--- --2011-05-19 07:26:00-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Resolving www.centrum24.pl... 195.20.110.130 Connecting to www.centrum24.pl|195.20.110.130|:443... connected. ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. --8---cut here---end---8--- Connecting with iceweasel seems ok? What is wrong, what to check? KJ -- http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/ In order to form an immaculate member of a flock of sheep one must, above all, be a sheep - Albert Einstein -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87y623xnsp.fsf@alfa.kjonca