Re: wget certificates
On Thu, 02 Jun 2011 16:58:23 +0200, Kamil Jońca wrote: Camaleón noela...@gmail.com writes: (...) Just for testing purposes, what happens when you run this? wget --no-check-certificate https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Works. (note that should still getting through the encrypted channel) Moreover, are you getting the same error with another https://; site? I.e.: wget https://www.google.com Works. Hum... so it fails with one site but not all. Curious. Let me make some tests in my wheezy box: test@debian:~$ wget https://www.centrum24.pl/bzwbkonline/eSmart.html? typ=90lang=pl [1] 4632 test@debian:~$ --2011-06-03 15:04:20-- https://www.centrum24.pl/ bzwbkonline/eSmart.html?typ=90 Resolving www.centrum24.pl... 195.20.110.130 Connecting to www.centrum24.pl|195.20.110.130|:443... connected. ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/ O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https:// www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. Wow, here it fails! In lenny it worked perfectly :-O Okay, let's see what curl says: test@debian:~$ curl https://www.centrum24.pl/bzwbkonline/eSmart.html? typ=90lang=pl [1] 4634 test@debian:~$ curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html It also fails here, but the message can be of help because Google returns a bunch of results pointing to some sort of bug here (openssl?). What to do? Dunno, but in the meantime you can safely connect to the site using wget --no-check-certificate because the cert is valid (you already know that because firefox told you so) and traffic is still being sent through SSL. Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.06.03.13.14...@gmail.com
Re: wget certificates
On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote: I have strange problem with wget: (...) Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. Wget cannot validate the CA and thus drops the connection. You can: 1/ Discard https://; and use plain http (unencrypted channel) as suggested (don't do this unless you trust the site you are connecting to). 2/ Install ca-certificates package and point wget so it can find it (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/ cacert.org.crt ...) Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.06.02.11.53...@gmail.com
Re: wget certificates
Camaleón noela...@gmail.com writes: On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote: I have strange problem with wget: (...) Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. Wget cannot validate the CA and thus drops the connection. You can: 1/ Discard https://; and use plain http (unencrypted channel) as suggested (don't do this unless you trust the site you are connecting to) I want to use encrypted channel. 2/ Install ca-certificates package and point wget so it can find it (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/ cacert.org.crt ...) ca-certificates were installed earlier. MOreover using --ca-certificate option (ie. --8---cut here---start-8--- wget -v -x --ca-certificate=/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---end---8--- doesn't change wget's behavior; still wants to open /usr/lib/ssl/certs/415660c1.? ) Moreover i noticed that fetchmail on one of my accounts shows the same - cannot validate CA :( KJ -- http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/ kondensator - kondensatorych - kondensatoremu (odmiana słowa kondensator według MS Word 6.0) -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87ipsos6zd.fsf@alfa.kjonca
Re: wget certificates
On Thu, 02 Jun 2011 15:22:46 +0200, Kamil Jońca wrote: Camaleón noela...@gmail.com writes: On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote: Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. Wget cannot validate the CA and thus drops the connection. You can: 1/ Discard https://; and use plain http (unencrypted channel) as suggested (don't do this unless you trust the site you are connecting to) I want to use encrypted channel. Fair enough :-) Just for testing purposes, what happens when you run this? wget --no-check-certificate https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl (note that should still getting through the encrypted channel) Moreover, are you getting the same error with another https://; site? I.e.: wget https://www.google.com 2/ Install ca-certificates package and point wget so it can find it (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/ cacert.org.crt ...) ca-certificates were installed earlier. MOreover using --ca-certificate option (ie. --8---cut here---start-8--- wget -v -x --ca-certificate=/usr/share/ca-certificates/mozilla/ VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---end---8--- doesn't change wget's behavior; still wants to open /usr/lib/ssl/certs/415660c1.? ) Why are you pointing to that cert specifically? :-? Moreover i noticed that fetchmail on one of my accounts shows the same - cannot validate CA :( That's weird. Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.06.02.14.02...@gmail.com
Re: wget certificates
Camaleón noela...@gmail.com writes: On Thu, 02 Jun 2011 15:22:46 +0200, Kamil Jońca wrote: Camaleón noela...@gmail.com writes: On Thu, 19 May 2011 07:27:34 +0200, Kamil Jońca wrote: Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. Wget cannot validate the CA and thus drops the connection. You can: 1/ Discard https://; and use plain http (unencrypted channel) as suggested (don't do this unless you trust the site you are connecting to) I want to use encrypted channel. Fair enough :-) Just for testing purposes, what happens when you run this? wget --no-check-certificate https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Works. (note that should still getting through the encrypted channel) Moreover, are you getting the same error with another https://; site? I.e.: wget https://www.google.com Works. 2/ Install ca-certificates package and point wget so it can find it (wget --ca-certificate=/usr/share/ca-certificates/cacert.org/ cacert.org.crt ...) ca-certificates were installed earlier. MOreover using --ca-certificate option (ie. --8---cut here---start-8--- wget -v -x --ca-certificate=/usr/share/ca-certificates/mozilla/ VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---end---8--- doesn't change wget's behavior; still wants to open /usr/lib/ssl/certs/415660c1.? ) Why are you pointing to that cert specifically? :-? As I wrote earlier - mozilla shows this as final CA for this site. KJ -- http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/ Zanim wlaczysz komputer, zastanow sie: Czy jestes absolutnie pewien(na), ze nie jest podlaczany do wyrzutni rakiet? -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87aae0s2k0.fsf@alfa.kjonca
Re: wget certificates
David Sastre d.sastre.med...@gmail.com writes:
On Thu, May 19, 2011 at 07:27:34AM +0200, Kamil Jońca wrote:
I have strange problem with wget:
$wget -e background = off -v -x
'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl'
--8---cut here---start-8---
--2011-05-19 07:26:00--
https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl
Resolving www.centrum24.pl... 195.20.110.130
Connecting to www.centrum24.pl|195.20.110.130|:443... connected.
ERROR: cannot verify www.centrum24.pl's certificate, issued by
`/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation
SSL SGC CA':
Unable to locally verify the issuer's authority.
To connect to www.centrum24.pl insecurely, use `--no-check-certificate'.
--8---cut here---end---8---
Connecting with iceweasel seems ok?
What is wrong, what to check?
KJ
Check that your version supports https. It should be listed in the
output of 'wget -V'. wget-1.12-2.1 from the squeeze repos supports it.
Wget -V
--8---cut here---start-8---
GNU Wget 1.12 built on linux-gnu.
+digest +ipv6 +nls +ntlm +opie +md5/openssl +https -gnutls +openssl
-iri
Wgetrc:
/home/kjonca/.wgetrc (user)
/etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=/etc/wgetrc
-DLOCALEDIR=/usr/share/locale -I. -I../lib -g -O2 -DNO_SSLv2
-D_FILE_OFFSET_BITS=64 -O2 -g -Wall
Link: gcc -g -O2 -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -O2 -g -Wall
/usr/lib/libssl.so /usr/lib/libcrypto.so -ldl -lrt ftp-opie.o
openssl.o http-ntlm.o gen-md5.o ../lib/libgnu.a
--8---cut here---end---8---
/etc/wgetrc - exists, but whole file is commented out
~/.wgetrc - only use_proxy = on
When I connect to site via Firefox[1], I ends with certificate:
--8---cut here---start-8---
S/N 18:DA:D1:9E:26:7D:E8:BB:4A:21:58:CD:CC:6B:3B:4A
Subject:
CN = VeriSign Class 3 Public Primary Certification Authority - G5
OU = (c) 2006 VeriSign, Inc. - For authorized use only
OU = VeriSign Trust Network
O = VeriSign, Inc.
C = US
--8---cut here---end---8---
I have this cert under
/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
and after c_rehash I have:
--8---cut here---start-8---
ll $(find -type l -lname
*VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5*)
lrwxrwxrwx 1 root root 64 Jun 2 05:07 ./b204d74a.0 -
VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
lrwxrwxrwx 1 root root 64 Jun 2 05:07 ./facacbc6.0 -
VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
lrwxrwxrwx 1 root root 99 Jun 2 04:52
./VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt -
/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
lrwxrwxrwx 1 root root 99 Jun 2 05:04
./VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem -
/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
--8---cut here---end---8---
but stracing wget shows that it try to open completely different file
--8---cut here---start-8---
[...]
stat(/usr/lib/ssl/certs/415660c1.0, {st_mode=S_IFREG|0644, st_size=834, ...})
= 0
open(/usr/lib/ssl/certs/415660c1.0, O_RDONLY) = 5
[...]
--8---cut here---end---8---
(/usr/lib/ssl/certs is symlink to /etc/ssl/certs)
Any ideas?
KJ
[1] - it's Fx4 from http://mozilla.debian.net/
--
http://sporothrix.wordpress.com/2011/01/16/usa-sie-krztusza-kto-nastepny/
Spokojnie... To tylko prowokacja.
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/877h94udjv.fsf@alfa.kjonca
Re: wget certificates
On Thu, May 19, 2011 at 07:27:34AM +0200, Kamil Jońca wrote: I have strange problem with wget: $wget -e background = off -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---start-8--- --2011-05-19 07:26:00-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Resolving www.centrum24.pl... 195.20.110.130 Connecting to www.centrum24.pl|195.20.110.130|:443... connected. ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. --8---cut here---end---8--- Connecting with iceweasel seems ok? What is wrong, what to check? KJ Check that your version supports https. It should be listed in the output of 'wget -V'. wget-1.12-2.1 from the squeeze repos supports it. I have tried that URL without problem: $ LANG=C; wget -e background = off -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --2011-05-19 11:29:20-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Resolving www.centrum24.pl... 195.20.110.130 Connecting to www.centrum24.pl|195.20.110.130|:443... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: `www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' [ = ] 29,601 --.-K/s in 0.1s 2011-05-19 11:29:20 (275 KB/s) - `www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' saved [29601] Not knowing the contents of your .wgetrc (if any), I'd check ca_certificate and ca_directory. Failing that, try adding --no-check-certificate. -- Huella de clave primaria: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56 signature.asc Description: Digital signature
wget certificates
I have strange problem with wget: $wget -e background = off -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl' --8---cut here---start-8--- --2011-05-19 07:26:00-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90lang=pl Resolving www.centrum24.pl... 195.20.110.130 Connecting to www.centrum24.pl|195.20.110.130|:443... connected. ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA': Unable to locally verify the issuer's authority. To connect to www.centrum24.pl insecurely, use `--no-check-certificate'. --8---cut here---end---8--- Connecting with iceweasel seems ok? What is wrong, what to check? KJ -- http://modnebzdury.wordpress.com/2009/10/01/niewiarygodny-list-prof-majewskiej-wprowadzenie/ In order to form an immaculate member of a flock of sheep one must, above all, be a sheep - Albert Einstein -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87y623xnsp.fsf@alfa.kjonca
