wget fails verifying X509 certificate

Asked by Michael Junker

Hello together,

on Ubuntu 12.04LTS I'm trying to download the latest OWASP modsecurity rules with wget, which fails because wget cannot verify the website's certificate. If I run the same command on Ubuntu 10.04LTS it works fine. I compared the related certificates (Digicert*) on both machines and they look identical. I already tried "sudo apt-get --reinstall install ca-certificates". So my feeling is that wget fails.

Can someone verify this or give some advice on how to fix my problem? Thanks in advance.

The following line causes the problem:

michel@vSERVER-2010:/tmp$ wget --debug https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

Output on Ubuntu 12.04LTS (with error):

DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `ANSI_X3.4-1968'
--2014-05-11 12:42:05-- https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
Resolving github.com (github.com)... 192.30.252.129
Caching github.com => 192.30.252.129
Connecting to github.com (github.com)|192.30.252.129|:443... connected.
Created socket 3.
Releasing 0x089381f8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x08938330
certificate:
  subject: /businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
  issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
ERROR: cannot verify github.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x08938330

Output on Ubuntu 10.04LTS (without error):

DEBUG output created by Wget 1.12 on linux-gnu.

--2014-05-11 12:42:23-- https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
Resolving github.com... 192.30.252.129
Caching github.com => 192.30.252.129
Connecting to github.com|192.30.252.129|:443... connected.
Created socket 3.
Releasing 0x09b6d1b0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x09b6d288
certificate:
  subject: /2.5.4.15=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/streetAddress=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
  issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
X509 certificate successfully verified and matches host github.com

Question information

Language: English
Status: Solved
For: Ubuntu wget
Assignee: No assignee
Solved by: Michael Junker

actionparsnip (andrew-woodhead666) said :
#1

I suggest you report a bug

Michael Junker (m-junker) said :
#2

Update: I was able to solve the problem:

Short version:
sudo update-ca-certificates --fresh

Long version:
I did a fresh install of Ubuntu 12.04LTS and there wget was working. After some further investigation I found that a link was missing in /etc/ssl/certs: 244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem

However it was not so easy to get this link back:
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
Both are NOT working. The only thing that works is:
sudo update-ca-certificates --fresh

Maybe this will help someone in the future.
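
The missing link described in #2 can be detected before wget fails. The shell function below is an added example, not part of the original thread or of Ubuntu's tooling: it reports every *.pem in a CA directory that has lost its subject-hash link (such as 244b5494.0 above), plus any dangling links. It assumes one certificate per *.pem entry; the function name and the DANGLING/UNREADABLE/MISSING labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenSSL CA directory for
# certificates that have lost their <subject-hash>.N lookup link.
# Assumes the Ubuntu layout: one certificate per *.pem entry in the directory.

# Prints one line per problem; returns 0 if the directory is clean, 1 otherwise.
audit_cert_dir() {
    acd_dir=$1
    acd_bad=0
    for acd_f in "$acd_dir"/*; do
        # A link whose target is gone can never be used for verification.
        if [ -L "$acd_f" ] && [ ! -e "$acd_f" ]; then
            echo "DANGLING $acd_f"
            acd_bad=1
            continue
        fi
        case $acd_f in *.pem) ;; *) continue ;; esac
        acd_hash=$(openssl x509 -in "$acd_f" -noout -subject_hash 2>/dev/null) || {
            echo "UNREADABLE $acd_f"
            acd_bad=1
            continue
        }
        # OpenSSL tries <hash>.0, <hash>.1, ... so accept any suffix whose
        # content is exactly this certificate.
        acd_ok=0
        for acd_link in "$acd_dir/$acd_hash".*; do
            if [ -e "$acd_link" ] && cmp -s "$acd_link" "$acd_f"; then
                acd_ok=1
                break
            fi
        done
        if [ "$acd_ok" -eq 0 ]; then
            echo "MISSING $acd_hash.N -> ${acd_f##*/}"
            acd_bad=1
        fi
    done
    return "$acd_bad"
}

# Run against a directory given on the command line, e.g. /etc/ssl/certs.
if [ "$#" -gt 0 ]; then
    audit_cert_dir "$1"
fi
```

A MISSING line for a root CA means verification of chains ending at that CA will fail with "Unable to locally verify the issuer's authority" even though the certificate file itself is installed.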