Wget fails to verify the issuer's authority?

Tomoaki Nishiyama tomoakin@staff.kanazawa-u.ac.jp

2018-04-04

Summary: get a new ca-bundle.trust.crt and specify its location in .wgetrc

Here is a transcript of an attempt to access an authentic web site.

$ wget https://www.nii.ac.jp
--2018-04-04 16:21:41--  https://www.nii.ac.jp/
Resolving www.nii.ac.jp... 13.113.64.123, 13.112.254.25
Connecting to www.nii.ac.jp|13.113.64.123|:443... connected.
ERROR: cannot verify www.nii.ac.jp's certificate, issued by `/C=JP/L=Academe/O=National Institute of Informatics/CN=NII Open Domain CA - G4':
  Unable to locally verify the issuer's authority.
To connect to www.nii.ac.jp insecurely, use `--no-check-certificate'.

In this case, we are not really being attacked by someone, nor is the target web site misconfigured.

The real problem appears to be that wget does not find the right data to verify the issuer's authority. This data is usually maintained by the system, and wget just refers to it. However, the data needs to be updated, and on systems where it is not updated, wget will eventually fail to verify the issuer's authority.

Then, what can a user do about it? For one thing, ask the system administrator to update the data, which resides in /etc/pki/tls/certs/ca-bundle.trust.crt

The other option is to get a new copy of the file ca-bundle.trust.crt and specify its location in .wgetrc.

The respective file in CentOS release 6.9 is

$ ls -l /etc/pki/tls/certs/ca-bundle.trust.crt
-rw-r--r--. 1 root root 1058960 May 10  2017 /etc/pki/tls/certs/ca-bundle.trust.crt

Then copy this file into $HOME/crt/ under your home directory, and add a single line to $HOME/.wgetrc

$ echo "ca-certificate=$HOME/crt/ca-bundle.trust.crt" >> "$HOME/.wgetrc"

Now you will be able to download, like this:

$  wget https://www.nii.ac.jp
--2018-04-04 16:38:46--  https://www.nii.ac.jp/
Resolving www.nii.ac.jp... 13.113.64.123, 13.112.254.25
Connecting to www.nii.ac.jp|13.113.64.123|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: "index.html"

    [ <=>                                                                                               ] 36,842      --.-K/s   in 0.001s  

2018-04-04 16:38:46 (40.2 MB/s) - "index.html" saved [36842]
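
The echo >> $HOME/.wgetrc step adds another line every time it is run and does not look at the file it points to, although that file is now the trust anchor for every HTTPS download. The following shell function is an added example, not part of the original page; set_wget_ca_bundle is a hypothetical helper name. It checks the copied bundle, replaces any earlier ca-certificate line instead of appending, and warns if certificate checking was switched off in .wgetrc.

```shell
#!/bin/sh
# set_wget_ca_bundle is a hypothetical helper, not part of wget.
# Usage: set_wget_ca_bundle BUNDLE [WGETRC]
set_wget_ca_bundle() {
    bundle=$1
    rc=${2:-$HOME/.wgetrc}

    # The bundle decides which issuers wget trusts, so it must be a
    # non-empty regular file that actually holds PEM certificates.
    [ -f "$bundle" ] && [ -s "$bundle" ] || {
        echo "error: $bundle is missing or empty" >&2; return 1; }
    # Accept plain and OpenSSL "TRUSTED CERTIFICATE" PEM blocks.
    grep -Eq -e '-----BEGIN (TRUSTED )?CERTIFICATE-----' "$bundle" || {
        echo "error: no PEM certificates in $bundle" >&2; return 1; }
    # Nobody but the owner may be able to add a CA to the bundle.
    if [ -n "$(find "$bundle" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "error: $bundle is group/world writable (chmod go-w)" >&2
        return 1
    fi

    touch "$rc" || return 1
    # wgetrc commands are case-, underscore- and hyphen-insensitive.
    key='^[[:space:]]*ca[-_]?certificate[[:space:]]*='
    off='^[[:space:]]*check[-_]?certificate[[:space:]]*=[[:space:]]*(off|no|0)'
    if grep -Eiq "$off" "$rc"; then
        echo "warning: $rc disables certificate checking" >&2
    fi

    # Replace any earlier ca-certificate line instead of appending again.
    tmp=$rc.tmp.$$
    grep -Eiv "$key" "$rc" > "$tmp" || :   # status 1 only means no lines kept
    echo "ca-certificate=$bundle" >> "$tmp" && mv "$tmp" "$rc"
}
```

Call it as set_wget_ca_bundle "$HOME/crt/ca-bundle.trust.crt" after copying the file.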