wget fails verifying X509 certificate

Asked by Michael Junker on 2014-05-11

Hello everyone,

On Ubuntu 12.04LTS I'm trying to download the latest OWASP modsecurity rules with wget, which fails because wget cannot verify the website's certificate. If I run the same command on Ubuntu 10.04LTS it works fine. I compared the related certificates (Digicert*) on both machines and they look identical. I already tried "sudo apt-get --reinstall install ca-certificates". So my feeling is that wget fails.

Can someone verify this or give some advice on how to fix my problem? Thanks in advance.

The following line causes the problem:

michel@vSERVER-2010:/tmp$ wget --debug https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

Output on Ubuntu 12.04LTS (with error):

DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `ANSI_X3.4-1968'
--2014-05-11 12:42:05-- https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
Resolving github.com (github.com)... 192.30.252.129
Caching github.com => 192.30.252.129
Connecting to github.com (github.com)|192.30.252.129|:443... connected.
Created socket 3.
Releasing 0x089381f8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x08938330
certificate:
  subject: /businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
  issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
ERROR: cannot verify github.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA':
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x08938330

Output on Ubuntu 10.04LTS (without error):

DEBUG output created by Wget 1.12 on linux-gnu.

--2014-05-11 12:42:23-- https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
Resolving github.com... 192.30.252.129
Caching github.com => 192.30.252.129
Connecting to github.com|192.30.252.129|:443... connected.
Created socket 3.
Releasing 0x09b6d1b0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x09b6d288
certificate:
  subject: /2.5.4.15=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/streetAddress=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
  issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
X509 certificate successfully verified and matches host github.com

Question information

Language: English
Status: Solved
For: Ubuntu wget
Assignee: No assignee
Solved by: Michael Junker
Solved: 2014-05-11
Last query: 2014-05-11
Last reply: 2014-05-11

I suggest you report a bug

Michael Junker (m-junker) said : #2

Update: I could solve the problem:

Short version:
sudo update-ca-certificates --fresh

Long version:
I did a fresh install of Ubuntu 12.04LTS and there wget was working. After some further investigation I found that a link was missing in /etc/ssl/certs: 244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem

However it was not so easy to get this link back:
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
Both are NOT working. The only one that works is:
sudo update-ca-certificates --fresh

Maybe this will help someone in the future.
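
The missing hash link described in the answer above can be found with a short audit of the CA directory. This is an added example, not part of the original thread: the function name audit_ca_dir is hypothetical, and it only checks that every *.pem entry is the target of some hash-named link, not that the hash value itself is correct.

```shell
#!/bin/sh
# Audit an OpenSSL-style CA directory for the fault described above:
# a certificate file that no <hash>.<n> symlink points to.
# Hash links whose target no longer exists are reported as well.
#
# Usage: audit_ca_dir /etc/ssl/certs
# Output: "DANGLING <link>" and "MISSING <cert>" lines; no output means clean.
audit_ca_dir() {
    dir=${1:-/etc/ssl/certs}
    linked=""
    for link in "$dir"/*; do
        name=$(basename "$link")
        # Hash links are named as 8 hex digits, a dot and a sequence number.
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        [ -L "$link" ] || continue
        # -e follows the link, so it is false when the target is gone.
        if [ ! -e "$link" ]; then
            echo "DANGLING $name"
            continue
        fi
        # Remember which certificate file this hash link points at.
        target=$(basename "$(readlink "$link")")
        linked="$linked
$target"
    done
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        name=$(basename "$cert")
        # A certificate without any hash link cannot be found by OpenSSL's
        # directory lookup, which is the failure shown in the wget log.
        printf '%s\n' "$linked" | grep -Fqx "$name" || echo "MISSING $name"
    done
}
```

To confirm the link name OpenSSL expects for a particular certificate, `openssl x509 -noout -subject_hash -in FILE` prints it.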