Wget cannot validate https://ftp.gnu.org?

up vote
7
down vote

favorite

I'm working on Solaris and trying to upgrade Git by building Git and all of its dependencies from sources. Wget is failing to download a dependency, which is located at https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz.

$ wget --ca-certificate="$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -O libunistring-0.9.7.tar.gz
--2017-10-14 17:59:40-- https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz
Resolving ftp.gnu.org (ftp.gnu.org)... 208.118.235.20, 2001:4830:134:3::b
Connecting to ftp.gnu.org (ftp.gnu.org)|208.118.235.20|:443... connected.
ERROR: cannot verify ftp.gnu.org's certificate, issued by 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US':
 unable to get issuer certificate
To connect to ftp.gnu.org insecurely, use `--no-check-certificate'.

Below is the chain as seen by OpenSSL, and it verifies the subject and issuers. It is also the same certificate listed at Let's Encrypt Chain of Trust | LetÃ¢Â€Â™s Encrypt Authority X3 (IdenTrust cross-signed).

I can duplicate the problem on Linux with Fedora 26. And the equivalent cURL command works as expected.

How do I tell Wget to use CN=Let's Encrypt Authority X3 as the trust point for the download?

This version of Wget was already upgraded by building from sources.

$ wget -V
GNU Wget 1.19.1 built on solaris2.11.

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
+ntlm +opie -psl +ssl/openssl

Wgetrc:
 /usr/local/etc/wgetrc (system)
Locale:
 /usr/local/share/locale
Compile:
 gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
 -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib
 -I/usr/local/include -DNDEBUG -D_REENTRANT -I/usr/include/pcre
 -DNDEBUG -m64
Link:
 gcc -I/usr/include/pcre -DNDEBUG -m64 -m64
 -Wl,-rpath,/usr/local/lib64 -L/usr/local/lib64 -lpcre -luuid -lidn2
 /usr/local/lib64/libssl.so /usr/local/lib64/libcrypto.so
 -R/usr/local/lib64 -ldl -lz -lssl -lcrypto -ldl -lpthread
 ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a -lsocket -lnsl
 -lnsl -lnsl -lsocket -lsocket /usr/local/lib64/libiconv.so
 -R/usr/local/lib64 /usr/local/lib64/libunistring.so
 /usr/local/lib64/libiconv.so -ldl -lpthread -R/usr/local/lib64
 -lsocket
...

The equivalent cURL command works as expected. The problem is, Wget is always available, but cURL may need to be installed. I don't want to depend on a program that may (or may not) be installed.

$ curl --cacert "$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -o libunistring-0.9.7.tar.gz
 % Total % Received % Xferd Average Speed Time Time Time Current
 Dload Upload Total Spent Left Speed
100 3505k 100 3505k 0 0 3505k 0 0:00:01 0:00:01 --:--:-- 3249k

$ openssl x509 -in ~/.cacert/lets-encrypt-root-x3.pem -text -noout
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
 Validity
 Not Before: Mar 17 16:40:46 2016 GMT
 Not After : Mar 17 16:40:46 2021 GMT
 Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
 68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
 92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
 2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
 79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
 0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
 77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
 ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
 fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
 7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
 fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
 ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
 80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
 25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
 a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
 2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
 0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
 c3:93
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints: critical
 CA:TRUE, pathlen:0
 X509v3 Key Usage: critical
 Digital Signature, Certificate Sign, CRL Sign
 Authority Information Access:
 OCSP - URI:http://isrg.trustid.ocsp.identrust.com
 CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

 X509v3 Authority Key Identifier:
 keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

 X509v3 Certificate Policies:
 Policy: 2.23.140.1.2.1
 Policy: 1.3.6.1.4.1.44947.1.1.1
 CPS: http://cps.root-x1.letsencrypt.org

 X509v3 CRL Distribution Points:

 Full Name:
 URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

 X509v3 Subject Key Identifier:
 A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
 Signature Algorithm: sha256WithRSAEncryption
 dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9:
 70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37:
 24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51:
 cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d:
 6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f:
 c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4:
 e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07:
 2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33:
 fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a:
 5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25:
 1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18:
 fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6:
 4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a:
 28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3:
 34:5b:b4:42

$ openssl s_client -connect ftp.gnu.org:443 -servername ftp.gnu.org -showcerts
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=ftp.gnu.org
 i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFCDCCA/CgAwIBAgISBCgcdNJ6TV7BCOTsFWTZTK/NMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA5MjgwOTAxMDBaFw0x
NzEyMjcwOTAxMDBaMBYxFDASBgNVBAMTC2Z0cC5nbnUub3JnMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG0WuiyACStwn5iyYiBCn7kn8YRbyBCdGAW
41F8UDQ8DJVKhQTz7S3IUisHGJtRQ+plfSDrYgIShaeBK76afnguVAUjzHdrvT0S
kgXFsZzq6H2w5JiqbBSsOjUUca6iUYPGM3x0EgKCIvVBb12gViSqtstXFvBaYqhf
gPXS1cNzJhyRnOmeLh2I6644fbwnm3KYlL+mq8kBRkXX0GY1v9MCWImO+brIiWLv
numOgOZOfmRcESC6QPbG99CK/2JI0SwAQ0A88vp4HEijYjvLfUCxov4GoLqFR4h8
1HYfi7CUOPfvztkY6PTSCra02be/ZI8pD1aJKHfAE7vE/bmCHQIDAQABo4ICGjCC
AhYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTqM0F2/vX2ZoriHFSossugjaq52jAf
BgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEw
LgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcw
LwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcv
MCUGA1UdEQQeMByCDWFscGhhLmdudS5vcmeCC2Z0cC5nbnUub3JnMIH+BgNVHSAE
gfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYa
aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhp
cyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5n
IFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZp
Y2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVw
b3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAED8DAy2DSmXGK2iWtns3XNtKgFV
XWaW9gcfkTvpZDlIg3sXfP/rLKtOp2cAOi16bRENnLUaXjSDqEh7Rod3qDz8RkPH
C1NorU9DSGMEdf8J2fBAzB1MqHK1OC37pQDI8mXfGP1Zr2cy7la3YB4gOsHFACEC
nIGRoEd4uOhSzzmr8aq2KymLRnI7K6tvw3rX9w+fFGIgmwom1m9oKd68Hev2yVip
dDSjpOnydn9EXhJhJtBoNayRJ4v0XSdn1KKJCLbvDqAKuA9TQ6E0L41bNGp0ROUP
988v5CQtaK10OF3T4h7dO2arUwU/mwxtRs9O7jl8w0WepSlVQB0pQ7/wSyU=
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ftp.gnu.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

...

edited Oct 14 '17 at 23:22

asked Oct 14 '17 at 22:07

jww

1,43132154

Now open on the Bug-Wget mailing list: Wget cannot validate https://ftp.gnu.org? I'm fairly certain its a Wget bug because things should work, and cURL works as expected.
â€“Â jww
Oct 15 '17 at 0:05

Why is it a wget bug if openssl also presents a verification error? "verify error:num=20:unable to get local issuer certificate "
â€“Â bishop
Oct 15 '17 at 1:54

1

@bishop - Arg... Why did RFC 4158 (Path Building) restrict Trust Anchors to self-signed certificates? OpenSSL versions on all machines are the latest, which is OpenSSL 1.0.2l at the time of this writing.
â€“Â jww
Oct 15 '17 at 3:06

1

The (first) cert you show in ~/.cacert/lets-encrypt-root-x3.pem is the intermediate cert not the root. Does it also contain the root cert for DST Root CA X3? The fact curl likes it suggests so if this build of curl uses OpenSSL which not all do, and doesn't separate the trustfiles-vs-dir. OpenSSL will not validate a chain that doesn't end at a root unless it's at least 1.0.2 and for commandline you specify -partial_chain or for a program it does the equivalent (non-default) option -- and it will fail with the verifyerr you show, unable to get issuer.
â€“Â dave_thompson_085
Oct 15 '17 at 3:12

1

@dave_thompson_085 - The Let's Encrypt X3 is where I am attempting to anchor trust. It happens to be cross-certified so end-entity certificates "just work" in browsers that lack Let's Encrypt X3 root. Thanks for -partial_chain; it works around the issue in OpenSSL. I was searching for the words "anchor" and "trust" in s_client man page, so I missed "partial" and "chain". Let me try and find a similar switch in Wget.
â€“Â jww
Oct 15 '17 at 3:27

Â |Â
show 4 more comments

up vote
7
down vote

favorite

$ wget --ca-certificate="$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -O libunistring-0.9.7.tar.gz
--2017-10-14 17:59:40-- https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz
Resolving ftp.gnu.org (ftp.gnu.org)... 208.118.235.20, 2001:4830:134:3::b
Connecting to ftp.gnu.org (ftp.gnu.org)|208.118.235.20|:443... connected.
ERROR: cannot verify ftp.gnu.org's certificate, issued by 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US':
 unable to get issuer certificate
To connect to ftp.gnu.org insecurely, use `--no-check-certificate'.

I can duplicate the problem on Linux with Fedora 26. And the equivalent cURL command works as expected.

How do I tell Wget to use CN=Let's Encrypt Authority X3 as the trust point for the download?

This version of Wget was already upgraded by building from sources.

$ wget -V
GNU Wget 1.19.1 built on solaris2.11.

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
+ntlm +opie -psl +ssl/openssl

Wgetrc:
 /usr/local/etc/wgetrc (system)
Locale:
 /usr/local/share/locale
Compile:
 gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
 -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib
 -I/usr/local/include -DNDEBUG -D_REENTRANT -I/usr/include/pcre
 -DNDEBUG -m64
Link:
 gcc -I/usr/include/pcre -DNDEBUG -m64 -m64
 -Wl,-rpath,/usr/local/lib64 -L/usr/local/lib64 -lpcre -luuid -lidn2
 /usr/local/lib64/libssl.so /usr/local/lib64/libcrypto.so
 -R/usr/local/lib64 -ldl -lz -lssl -lcrypto -ldl -lpthread
 ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a -lsocket -lnsl
 -lnsl -lnsl -lsocket -lsocket /usr/local/lib64/libiconv.so
 -R/usr/local/lib64 /usr/local/lib64/libunistring.so
 /usr/local/lib64/libiconv.so -ldl -lpthread -R/usr/local/lib64
 -lsocket
...

The equivalent cURL command works as expected. The problem is, Wget is always available, but cURL may need to be installed. I don't want to depend on a program that may (or may not) be installed.

$ curl --cacert "$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -o libunistring-0.9.7.tar.gz
 % Total % Received % Xferd Average Speed Time Time Time Current
 Dload Upload Total Spent Left Speed
100 3505k 100 3505k 0 0 3505k 0 0:00:01 0:00:01 --:--:-- 3249k

$ openssl x509 -in ~/.cacert/lets-encrypt-root-x3.pem -text -noout
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
 Validity
 Not Before: Mar 17 16:40:46 2016 GMT
 Not After : Mar 17 16:40:46 2021 GMT
 Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
 68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
 92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
 2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
 79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
 0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
 77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
 ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
 fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
 7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
 fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
 ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
 80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
 25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
 a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
 2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
 0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
 c3:93
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints: critical
 CA:TRUE, pathlen:0
 X509v3 Key Usage: critical
 Digital Signature, Certificate Sign, CRL Sign
 Authority Information Access:
 OCSP - URI:http://isrg.trustid.ocsp.identrust.com
 CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

 X509v3 Authority Key Identifier:
 keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

 X509v3 Certificate Policies:
 Policy: 2.23.140.1.2.1
 Policy: 1.3.6.1.4.1.44947.1.1.1
 CPS: http://cps.root-x1.letsencrypt.org

 X509v3 CRL Distribution Points:

 Full Name:
 URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

 X509v3 Subject Key Identifier:
 A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
 Signature Algorithm: sha256WithRSAEncryption
 dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9:
 70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37:
 24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51:
 cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d:
 6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f:
 c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4:
 e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07:
 2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33:
 fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a:
 5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25:
 1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18:
 fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6:
 4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a:
 28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3:
 34:5b:b4:42

$ openssl s_client -connect ftp.gnu.org:443 -servername ftp.gnu.org -showcerts
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=ftp.gnu.org
 i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFCDCCA/CgAwIBAgISBCgcdNJ6TV7BCOTsFWTZTK/NMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA5MjgwOTAxMDBaFw0x
NzEyMjcwOTAxMDBaMBYxFDASBgNVBAMTC2Z0cC5nbnUub3JnMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG0WuiyACStwn5iyYiBCn7kn8YRbyBCdGAW
41F8UDQ8DJVKhQTz7S3IUisHGJtRQ+plfSDrYgIShaeBK76afnguVAUjzHdrvT0S
kgXFsZzq6H2w5JiqbBSsOjUUca6iUYPGM3x0EgKCIvVBb12gViSqtstXFvBaYqhf
gPXS1cNzJhyRnOmeLh2I6644fbwnm3KYlL+mq8kBRkXX0GY1v9MCWImO+brIiWLv
numOgOZOfmRcESC6QPbG99CK/2JI0SwAQ0A88vp4HEijYjvLfUCxov4GoLqFR4h8
1HYfi7CUOPfvztkY6PTSCra02be/ZI8pD1aJKHfAE7vE/bmCHQIDAQABo4ICGjCC
AhYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTqM0F2/vX2ZoriHFSossugjaq52jAf
BgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEw
LgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcw
LwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcv
MCUGA1UdEQQeMByCDWFscGhhLmdudS5vcmeCC2Z0cC5nbnUub3JnMIH+BgNVHSAE
gfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYa
aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhp
cyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5n
IFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZp
Y2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVw
b3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAED8DAy2DSmXGK2iWtns3XNtKgFV
XWaW9gcfkTvpZDlIg3sXfP/rLKtOp2cAOi16bRENnLUaXjSDqEh7Rod3qDz8RkPH
C1NorU9DSGMEdf8J2fBAzB1MqHK1OC37pQDI8mXfGP1Zr2cy7la3YB4gOsHFACEC
nIGRoEd4uOhSzzmr8aq2KymLRnI7K6tvw3rX9w+fFGIgmwom1m9oKd68Hev2yVip
dDSjpOnydn9EXhJhJtBoNayRJ4v0XSdn1KKJCLbvDqAKuA9TQ6E0L41bNGp0ROUP
988v5CQtaK10OF3T4h7dO2arUwU/mwxtRs9O7jl8w0WepSlVQB0pQ7/wSyU=
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ftp.gnu.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

...

edited Oct 14 '17 at 23:22

asked Oct 14 '17 at 22:07

jww

1,43132154

Now open on the Bug-Wget mailing list: Wget cannot validate https://ftp.gnu.org? I'm fairly certain its a Wget bug because things should work, and cURL works as expected.
â€“Â jww
Oct 15 '17 at 0:05

Why is it a wget bug if openssl also presents a verification error? "verify error:num=20:unable to get local issuer certificate "
â€“Â bishop
Oct 15 '17 at 1:54

1

@bishop - Arg... Why did RFC 4158 (Path Building) restrict Trust Anchors to self-signed certificates? OpenSSL versions on all machines are the latest, which is OpenSSL 1.0.2l at the time of this writing.
â€“Â jww
Oct 15 '17 at 3:06

1

The (first) cert you show in ~/.cacert/lets-encrypt-root-x3.pem is the intermediate cert not the root. Does it also contain the root cert for DST Root CA X3? The fact curl likes it suggests so if this build of curl uses OpenSSL which not all do, and doesn't separate the trustfiles-vs-dir. OpenSSL will not validate a chain that doesn't end at a root unless it's at least 1.0.2 and for commandline you specify -partial_chain or for a program it does the equivalent (non-default) option -- and it will fail with the verifyerr you show, unable to get issuer.
â€“Â dave_thompson_085
Oct 15 '17 at 3:12

1

@dave_thompson_085 - The Let's Encrypt X3 is where I am attempting to anchor trust. It happens to be cross-certified so end-entity certificates "just work" in browsers that lack Let's Encrypt X3 root. Thanks for -partial_chain; it works around the issue in OpenSSL. I was searching for the words "anchor" and "trust" in s_client man page, so I missed "partial" and "chain". Let me try and find a similar switch in Wget.
â€“Â jww
Oct 15 '17 at 3:27

Â |Â
show 4 more comments

up vote
7
down vote

favorite

$ wget --ca-certificate="$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -O libunistring-0.9.7.tar.gz
--2017-10-14 17:59:40-- https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz
Resolving ftp.gnu.org (ftp.gnu.org)... 208.118.235.20, 2001:4830:134:3::b
Connecting to ftp.gnu.org (ftp.gnu.org)|208.118.235.20|:443... connected.
ERROR: cannot verify ftp.gnu.org's certificate, issued by 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US':
 unable to get issuer certificate
To connect to ftp.gnu.org insecurely, use `--no-check-certificate'.

I can duplicate the problem on Linux with Fedora 26. And the equivalent cURL command works as expected.

How do I tell Wget to use CN=Let's Encrypt Authority X3 as the trust point for the download?

This version of Wget was already upgraded by building from sources.

$ wget -V
GNU Wget 1.19.1 built on solaris2.11.

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
+ntlm +opie -psl +ssl/openssl

Wgetrc:
 /usr/local/etc/wgetrc (system)
Locale:
 /usr/local/share/locale
Compile:
 gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
 -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib
 -I/usr/local/include -DNDEBUG -D_REENTRANT -I/usr/include/pcre
 -DNDEBUG -m64
Link:
 gcc -I/usr/include/pcre -DNDEBUG -m64 -m64
 -Wl,-rpath,/usr/local/lib64 -L/usr/local/lib64 -lpcre -luuid -lidn2
 /usr/local/lib64/libssl.so /usr/local/lib64/libcrypto.so
 -R/usr/local/lib64 -ldl -lz -lssl -lcrypto -ldl -lpthread
 ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a -lsocket -lnsl
 -lnsl -lnsl -lsocket -lsocket /usr/local/lib64/libiconv.so
 -R/usr/local/lib64 /usr/local/lib64/libunistring.so
 /usr/local/lib64/libiconv.so -ldl -lpthread -R/usr/local/lib64
 -lsocket
...

The equivalent cURL command works as expected. The problem is, Wget is always available, but cURL may need to be installed. I don't want to depend on a program that may (or may not) be installed.

$ curl --cacert "$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -o libunistring-0.9.7.tar.gz
 % Total % Received % Xferd Average Speed Time Time Time Current
 Dload Upload Total Spent Left Speed
100 3505k 100 3505k 0 0 3505k 0 0:00:01 0:00:01 --:--:-- 3249k

$ openssl x509 -in ~/.cacert/lets-encrypt-root-x3.pem -text -noout
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
 Validity
 Not Before: Mar 17 16:40:46 2016 GMT
 Not After : Mar 17 16:40:46 2021 GMT
 Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
 68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
 92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
 2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
 79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
 0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
 77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
 ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
 fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
 7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
 fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
 ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
 80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
 25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
 a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
 2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
 0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
 c3:93
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints: critical
 CA:TRUE, pathlen:0
 X509v3 Key Usage: critical
 Digital Signature, Certificate Sign, CRL Sign
 Authority Information Access:
 OCSP - URI:http://isrg.trustid.ocsp.identrust.com
 CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

 X509v3 Authority Key Identifier:
 keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

 X509v3 Certificate Policies:
 Policy: 2.23.140.1.2.1
 Policy: 1.3.6.1.4.1.44947.1.1.1
 CPS: http://cps.root-x1.letsencrypt.org

 X509v3 CRL Distribution Points:

 Full Name:
 URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

 X509v3 Subject Key Identifier:
 A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
 Signature Algorithm: sha256WithRSAEncryption
 dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9:
 70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37:
 24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51:
 cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d:
 6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f:
 c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4:
 e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07:
 2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33:
 fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a:
 5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25:
 1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18:
 fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6:
 4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a:
 28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3:
 34:5b:b4:42

$ openssl s_client -connect ftp.gnu.org:443 -servername ftp.gnu.org -showcerts
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=ftp.gnu.org
 i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFCDCCA/CgAwIBAgISBCgcdNJ6TV7BCOTsFWTZTK/NMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA5MjgwOTAxMDBaFw0x
NzEyMjcwOTAxMDBaMBYxFDASBgNVBAMTC2Z0cC5nbnUub3JnMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG0WuiyACStwn5iyYiBCn7kn8YRbyBCdGAW
41F8UDQ8DJVKhQTz7S3IUisHGJtRQ+plfSDrYgIShaeBK76afnguVAUjzHdrvT0S
kgXFsZzq6H2w5JiqbBSsOjUUca6iUYPGM3x0EgKCIvVBb12gViSqtstXFvBaYqhf
gPXS1cNzJhyRnOmeLh2I6644fbwnm3KYlL+mq8kBRkXX0GY1v9MCWImO+brIiWLv
numOgOZOfmRcESC6QPbG99CK/2JI0SwAQ0A88vp4HEijYjvLfUCxov4GoLqFR4h8
1HYfi7CUOPfvztkY6PTSCra02be/ZI8pD1aJKHfAE7vE/bmCHQIDAQABo4ICGjCC
AhYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTqM0F2/vX2ZoriHFSossugjaq52jAf
BgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEw
LgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcw
LwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcv
MCUGA1UdEQQeMByCDWFscGhhLmdudS5vcmeCC2Z0cC5nbnUub3JnMIH+BgNVHSAE
gfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYa
aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhp
cyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5n
IFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZp
Y2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVw
b3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAED8DAy2DSmXGK2iWtns3XNtKgFV
XWaW9gcfkTvpZDlIg3sXfP/rLKtOp2cAOi16bRENnLUaXjSDqEh7Rod3qDz8RkPH
C1NorU9DSGMEdf8J2fBAzB1MqHK1OC37pQDI8mXfGP1Zr2cy7la3YB4gOsHFACEC
nIGRoEd4uOhSzzmr8aq2KymLRnI7K6tvw3rX9w+fFGIgmwom1m9oKd68Hev2yVip
dDSjpOnydn9EXhJhJtBoNayRJ4v0XSdn1KKJCLbvDqAKuA9TQ6E0L41bNGp0ROUP
988v5CQtaK10OF3T4h7dO2arUwU/mwxtRs9O7jl8w0WepSlVQB0pQ7/wSyU=
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ftp.gnu.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

...

edited Oct 14 '17 at 23:22

asked Oct 14 '17 at 22:07

jww

1,43132154

$ wget --ca-certificate="$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -O libunistring-0.9.7.tar.gz
--2017-10-14 17:59:40-- https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz
Resolving ftp.gnu.org (ftp.gnu.org)... 208.118.235.20, 2001:4830:134:3::b
Connecting to ftp.gnu.org (ftp.gnu.org)|208.118.235.20|:443... connected.
ERROR: cannot verify ftp.gnu.org's certificate, issued by 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US':
 unable to get issuer certificate
To connect to ftp.gnu.org insecurely, use `--no-check-certificate'.

I can duplicate the problem on Linux with Fedora 26. And the equivalent cURL command works as expected.

How do I tell Wget to use CN=Let's Encrypt Authority X3 as the trust point for the download?

This version of Wget was already upgraded by building from sources.

$ wget -V
GNU Wget 1.19.1 built on solaris2.11.

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
+ntlm +opie -psl +ssl/openssl

Wgetrc:
 /usr/local/etc/wgetrc (system)
Locale:
 /usr/local/share/locale
Compile:
 gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
 -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib
 -I/usr/local/include -DNDEBUG -D_REENTRANT -I/usr/include/pcre
 -DNDEBUG -m64
Link:
 gcc -I/usr/include/pcre -DNDEBUG -m64 -m64
 -Wl,-rpath,/usr/local/lib64 -L/usr/local/lib64 -lpcre -luuid -lidn2
 /usr/local/lib64/libssl.so /usr/local/lib64/libcrypto.so
 -R/usr/local/lib64 -ldl -lz -lssl -lcrypto -ldl -lpthread
 ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a -lsocket -lnsl
 -lnsl -lnsl -lsocket -lsocket /usr/local/lib64/libiconv.so
 -R/usr/local/lib64 /usr/local/lib64/libunistring.so
 /usr/local/lib64/libiconv.so -ldl -lpthread -R/usr/local/lib64
 -lsocket
...

The equivalent cURL command works as expected. The problem is, Wget is always available, but cURL may need to be installed. I don't want to depend on a program that may (or may not) be installed.

$ curl --cacert "$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -o libunistring-0.9.7.tar.gz
 % Total % Received % Xferd Average Speed Time Time Time Current
 Dload Upload Total Spent Left Speed
100 3505k 100 3505k 0 0 3505k 0 0:00:01 0:00:01 --:--:-- 3249k

$ openssl x509 -in ~/.cacert/lets-encrypt-root-x3.pem -text -noout
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
 Validity
 Not Before: Mar 17 16:40:46 2016 GMT
 Not After : Mar 17 16:40:46 2021 GMT
 Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
 68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
 92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
 2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
 79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
 0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
 77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
 ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
 fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
 7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
 fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
 ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
 80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
 25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
 a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
 2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
 0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
 c3:93
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints: critical
 CA:TRUE, pathlen:0
 X509v3 Key Usage: critical
 Digital Signature, Certificate Sign, CRL Sign
 Authority Information Access:
 OCSP - URI:http://isrg.trustid.ocsp.identrust.com
 CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

 X509v3 Authority Key Identifier:
 keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

 X509v3 Certificate Policies:
 Policy: 2.23.140.1.2.1
 Policy: 1.3.6.1.4.1.44947.1.1.1
 CPS: http://cps.root-x1.letsencrypt.org

 X509v3 CRL Distribution Points:

 Full Name:
 URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

 X509v3 Subject Key Identifier:
 A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
 Signature Algorithm: sha256WithRSAEncryption
 dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9:
 70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37:
 24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51:
 cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d:
 6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f:
 c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4:
 e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07:
 2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33:
 fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a:
 5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25:
 1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18:
 fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6:
 4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a:
 28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3:
 34:5b:b4:42

$ openssl s_client -connect ftp.gnu.org:443 -servername ftp.gnu.org -showcerts
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=ftp.gnu.org
 i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFCDCCA/CgAwIBAgISBCgcdNJ6TV7BCOTsFWTZTK/NMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA5MjgwOTAxMDBaFw0x
NzEyMjcwOTAxMDBaMBYxFDASBgNVBAMTC2Z0cC5nbnUub3JnMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG0WuiyACStwn5iyYiBCn7kn8YRbyBCdGAW
41F8UDQ8DJVKhQTz7S3IUisHGJtRQ+plfSDrYgIShaeBK76afnguVAUjzHdrvT0S
kgXFsZzq6H2w5JiqbBSsOjUUca6iUYPGM3x0EgKCIvVBb12gViSqtstXFvBaYqhf
gPXS1cNzJhyRnOmeLh2I6644fbwnm3KYlL+mq8kBRkXX0GY1v9MCWImO+brIiWLv
numOgOZOfmRcESC6QPbG99CK/2JI0SwAQ0A88vp4HEijYjvLfUCxov4GoLqFR4h8
1HYfi7CUOPfvztkY6PTSCra02be/ZI8pD1aJKHfAE7vE/bmCHQIDAQABo4ICGjCC
AhYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTqM0F2/vX2ZoriHFSossugjaq52jAf
BgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEw
LgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcw
LwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcv
MCUGA1UdEQQeMByCDWFscGhhLmdudS5vcmeCC2Z0cC5nbnUub3JnMIH+BgNVHSAE
gfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYa
aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhp
cyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5n
IFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZp
Y2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVw
b3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAED8DAy2DSmXGK2iWtns3XNtKgFV
XWaW9gcfkTvpZDlIg3sXfP/rLKtOp2cAOi16bRENnLUaXjSDqEh7Rod3qDz8RkPH
C1NorU9DSGMEdf8J2fBAzB1MqHK1OC37pQDI8mXfGP1Zr2cy7la3YB4gOsHFACEC
nIGRoEd4uOhSzzmr8aq2KymLRnI7K6tvw3rX9w+fFGIgmwom1m9oKd68Hev2yVip
dDSjpOnydn9EXhJhJtBoNayRJ4v0XSdn1KKJCLbvDqAKuA9TQ6E0L41bNGp0ROUP
988v5CQtaK10OF3T4h7dO2arUwU/mwxtRs9O7jl8w0WepSlVQB0pQ7/wSyU=
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ftp.gnu.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

...

edited Oct 14 '17 at 23:22

asked Oct 14 '17 at 22:07

jww

1,43132154

edited Oct 14 '17 at 23:22

asked Oct 14 '17 at 22:07

jww

1,43132154

asked Oct 14 '17 at 22:07

jww

1,43132154

asked Oct 14 '17 at 22:07

jww

1,43132154

Now open on the Bug-Wget mailing list: Wget cannot validate https://ftp.gnu.org? I'm fairly certain its a Wget bug because things should work, and cURL works as expected.
â€“Â jww
Oct 15 '17 at 0:05

Why is it a wget bug if openssl also presents a verification error? "verify error:num=20:unable to get local issuer certificate "
â€“Â bishop
Oct 15 '17 at 1:54

1

@bishop - Arg... Why did RFC 4158 (Path Building) restrict Trust Anchors to self-signed certificates? OpenSSL versions on all machines are the latest, which is OpenSSL 1.0.2l at the time of this writing.
â€“Â jww
Oct 15 '17 at 3:06

1

The (first) cert you show in ~/.cacert/lets-encrypt-root-x3.pem is the intermediate cert not the root. Does it also contain the root cert for DST Root CA X3? The fact curl likes it suggests so if this build of curl uses OpenSSL which not all do, and doesn't separate the trustfiles-vs-dir. OpenSSL will not validate a chain that doesn't end at a root unless it's at least 1.0.2 and for commandline you specify -partial_chain or for a program it does the equivalent (non-default) option -- and it will fail with the verifyerr you show, unable to get issuer.
â€“Â dave_thompson_085
Oct 15 '17 at 3:12

1

@dave_thompson_085 - The Let's Encrypt X3 is where I am attempting to anchor trust. It happens to be cross-certified so end-entity certificates "just work" in browsers that lack Let's Encrypt X3 root. Thanks for -partial_chain; it works around the issue in OpenSSL. I was searching for the words "anchor" and "trust" in s_client man page, so I missed "partial" and "chain". Let me try and find a similar switch in Wget.
â€“Â jww
Oct 15 '17 at 3:27

Â |Â
show 4 more comments

Now open on the Bug-Wget mailing list: Wget cannot validate https://ftp.gnu.org? I'm fairly certain its a Wget bug because things should work, and cURL works as expected.
â€“Â jww
Oct 15 '17 at 0:05

Why is it a wget bug if openssl also presents a verification error? "verify error:num=20:unable to get local issuer certificate "
â€“Â bishop
Oct 15 '17 at 1:54

1

@bishop - Arg... Why did RFC 4158 (Path Building) restrict Trust Anchors to self-signed certificates? OpenSSL versions on all machines are the latest, which is OpenSSL 1.0.2l at the time of this writing.
â€“Â jww
Oct 15 '17 at 3:06

1

The (first) cert you show in ~/.cacert/lets-encrypt-root-x3.pem is the intermediate cert not the root. Does it also contain the root cert for DST Root CA X3? The fact curl likes it suggests so if this build of curl uses OpenSSL which not all do, and doesn't separate the trustfiles-vs-dir. OpenSSL will not validate a chain that doesn't end at a root unless it's at least 1.0.2 and for commandline you specify -partial_chain or for a program it does the equivalent (non-default) option -- and it will fail with the verifyerr you show, unable to get issuer.
â€“Â dave_thompson_085
Oct 15 '17 at 3:12

1

@dave_thompson_085 - The Let's Encrypt X3 is where I am attempting to anchor trust. It happens to be cross-certified so end-entity certificates "just work" in browsers that lack Let's Encrypt X3 root. Thanks for -partial_chain; it works around the issue in OpenSSL. I was searching for the words "anchor" and "trust" in s_client man page, so I missed "partial" and "chain". Let me try and find a similar switch in Wget.
â€“Â jww
Oct 15 '17 at 3:27

Now open on the Bug-Wget mailing list: Wget cannot validate https://ftp.gnu.org? I'm fairly certain its a Wget bug because things should work, and cURL works as expected.
â€“Â jww
Oct 15 '17 at 0:05

Why is it a wget bug if openssl also presents a verification error? "verify error:num=20:unable to get local issuer certificate "
â€“Â bishop
Oct 15 '17 at 1:54

@bishop - Arg... Why did RFC 4158 (Path Building) restrict Trust Anchors to self-signed certificates? OpenSSL versions on all machines are the latest, which is OpenSSL 1.0.2l at the time of this writing.
â€“Â jww
Oct 15 '17 at 3:06

The (first) cert you show in ~/.cacert/lets-encrypt-root-x3.pem is the intermediate cert not the root. Does it also contain the root cert for DST Root CA X3? The fact curl likes it suggests so if this build of curl uses OpenSSL which not all do, and doesn't separate the trustfiles-vs-dir. OpenSSL will not validate a chain that doesn't end at a root unless it's at least 1.0.2 and for commandline you specify -partial_chain or for a program it does the equivalent (non-default) option -- and it will fail with the verifyerr you show, unable to get issuer.
â€“Â dave_thompson_085
Oct 15 '17 at 3:12

@dave_thompson_085 - The Let's Encrypt X3 is where I am attempting to anchor trust. It happens to be cross-certified so end-entity certificates "just work" in browsers that lack Let's Encrypt X3 root. Thanks for -partial_chain; it works around the issue in OpenSSL. I was searching for the words "anchor" and "trust" in s_client man page, so I missed "partial" and "chain". Let me try and find a similar switch in Wget.
â€“Â jww
Oct 15 '17 at 3:27

Â |Â
show 4 more comments

1 Answer
1

active

oldest

votes

up vote
0
down vote

As of xenial (Ubuntu 16.04.3 LTS) the 1.17.1-1ubuntu1.3 version of wget interoperates with that FTP site just fine, out of the box.

answered Jan 6 at 22:23

J_H

26113

The problem seems to be with building wget against OpenSSL. The distro version does not use OpenSSL. I think it uses Gcrypt or GnuPG for the crypto instead (which means OpenSSL and its verification code is not used). Also see Wget cannot validate https://ftp.gnu.org?
â€“Â jww
Jan 7 at 0:31

add a commentÂ |Â

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);

);

draft saved

draft discarded

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f398167%2fwget-cannot-validate-https-ftp-gnu-org%23new-answer', 'question_page');

);

Post as a guest

Name

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

up vote
0
down vote

As of xenial (Ubuntu 16.04.3 LTS) the 1.17.1-1ubuntu1.3 version of wget interoperates with that FTP site just fine, out of the box.

answered Jan 6 at 22:23

J_H

26113

The problem seems to be with building wget against OpenSSL. The distro version does not use OpenSSL. I think it uses Gcrypt or GnuPG for the crypto instead (which means OpenSSL and its verification code is not used). Also see Wget cannot validate https://ftp.gnu.org?
â€“Â jww
Jan 7 at 0:31

add a commentÂ |Â

up vote
0
down vote

As of xenial (Ubuntu 16.04.3 LTS) the 1.17.1-1ubuntu1.3 version of wget interoperates with that FTP site just fine, out of the box.

answered Jan 6 at 22:23

J_H

26113

The problem seems to be with building wget against OpenSSL. The distro version does not use OpenSSL. I think it uses Gcrypt or GnuPG for the crypto instead (which means OpenSSL and its verification code is not used). Also see Wget cannot validate https://ftp.gnu.org?
â€“Â jww
Jan 7 at 0:31

add a commentÂ |Â

up vote
0
down vote

As of xenial (Ubuntu 16.04.3 LTS) the 1.17.1-1ubuntu1.3 version of wget interoperates with that FTP site just fine, out of the box.

answered Jan 6 at 22:23

J_H

26113

As of xenial (Ubuntu 16.04.3 LTS) the 1.17.1-1ubuntu1.3 version of wget interoperates with that FTP site just fine, out of the box.

answered Jan 6 at 22:23

J_H

26113

answered Jan 6 at 22:23

J_H

26113

answered Jan 6 at 22:23

J_H

26113

answered Jan 6 at 22:23

J_H

26113

The problem seems to be with building wget against OpenSSL. The distro version does not use OpenSSL. I think it uses Gcrypt or GnuPG for the crypto instead (which means OpenSSL and its verification code is not used). Also see Wget cannot validate https://ftp.gnu.org?
â€“Â jww
Jan 7 at 0:31

add a commentÂ |Â

The problem seems to be with building wget against OpenSSL. The distro version does not use OpenSSL. I think it uses Gcrypt or GnuPG for the crypto instead (which means OpenSSL and its verification code is not used). Also see Wget cannot validate https://ftp.gnu.org?
â€“Â jww
Jan 7 at 0:31

The problem seems to be with building wget against OpenSSL. The distro version does not use OpenSSL. I think it uses Gcrypt or GnuPG for the crypto instead (which means OpenSSL and its verification code is not used). Also see Wget cannot validate https://ftp.gnu.org?
â€“Â jww
Jan 7 at 0:31

add a commentÂ |Â

draft saved

draft discarded

draft saved

draft discarded

Post as a guest

Name

搜尋此網誌

mjhjmtu