How do I fix certificate errors when running wget on an HTTPS URL in Cygwin? [closed]
N

15

215

For example, running wget https://www.dropbox.com results in the following errors:

ERROR: The certificate of `www.dropbox.com' is not trusted.
ERROR: The certificate of `www.dropbox.com' hasn't got a known issuer.
Nod answered 10/2, 2012 at 7:35 Comment(0)
P
147

Looking at current hacky solutions in here, I feel I have to describe a proper solution after all.

First, you need to install the cygwin package ca-certificates via Cygwin's setup.exe to get the certificates.

Do NOT use curl or similar hacks to download certificates (as a neighboring answer advises) because that's fundamentally insecure and may compromise the system.

Second, you need to tell wget where your certificates are, since it doesn't pick them up by default in the Cygwin environment. You can do that either with the command-line parameter --ca-directory=/usr/ssl/certs (best for shell scripts) or by adding ca_directory = /usr/ssl/certs to the ~/.wgetrc file.

You can also fix that by running ln -sT /usr/ssl /etc/ssl as pointed out in another answer, but that will work only if you have administrative access to the system. Other solutions I described do not require that.

Percussion answered 6/3, 2013 at 16:26 Comment(4)
Thanks for this answer, and especially for the reminder about the ~/.wgetrc file. As a MacPorts user, my certs are located at /opt/local/etc/openssl, a fact which I hope someone finds handy.Thetis
And for fink, they're in /sw/etc/ssl/certs/ca-bundle.crt which comes as part of the ca-bundle package -- as described here.Guncotton
Not sure if it's a typo but ln -s /etc/ssl /usr/ssl worked for me.Complain
I installed and used the command again, the terminal said I had the newer version and it still doesn't trust github, I'll run with --no-check-certificate.Accolade
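
The per-user configuration described in the answer above, as an added example that is not part of the original answer: it checks that the directory really holds certificates (the wget manual describes --ca-directory entries as hash-named files produced by c_rehash), rewrites the ca_directory line of a wgetrc file idempotently, and warns if check_certificate is still switched off there. The function names ca_dir_status and set_wget_ca_dir are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of wget or Cygwin.

# Print "hashed" if DIR has c_rehash-style entries (<8 hex digits>.<n>),
# "unhashed" if it only has PEM files under other names, else "empty".
ca_dir_status() {
    dir=$1 pem=0
    for f in "$dir"/*; do
        [ -s "$f" ] || continue    # skips dangling symlinks and empty files
        case ${f##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                echo hashed; return 0 ;;
        esac
        grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null && pem=1
    done
    if [ "$pem" = 1 ]; then echo unhashed; else echo empty; fi
}

# Write "ca_directory = DIR" into RC (default ~/.wgetrc), replacing any earlier
# ca_directory line, and flag a leftover setting that disables verification.
set_wget_ca_dir() {
    dir=$1 rc=${2:-$HOME/.wgetrc}
    case $(ca_dir_status "$dir") in
        hashed) ;;
        unhashed) echo "warning: no hash-named entries in $dir; run c_rehash there" >&2 ;;
        *) echo "refusing: no certificates found in $dir" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    if [ -f "$rc" ]; then
        # grep exits 1 when every line is filtered out; that is not an error here
        grep -Eiv '^[[:space:]]*ca[_-]?directory[[:space:]]*=' "$rc" > "$tmp" || :
    fi
    printf 'ca_directory = %s\n' "$dir" >> "$tmp"
    mv "$tmp" "$rc" || return 1
    if grep -Eiq '^[[:space:]]*check[_-]?certificate[[:space:]]*=[[:space:]]*(off|no|0)' "$rc"; then
        echo "warning: $rc still disables certificate verification" >&2
    fi
    return 0
}
```

Called as set_wget_ca_dir /usr/ssl/certs, it needs no administrative access, which is the case the answer's symlink alternative does not cover.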
C
289

If you don't care about checking the validity of the certificate just add the --no-check-certificate option on the wget command-line. This worked well for me.

NOTE: This opens you up to man-in-the-middle (MitM) attacks, and is not recommended for anything where you care about security.

Crosshead answered 8/1, 2013 at 15:24 Comment(0)
F
123

If the problem is that a known root CA is missing and when you are using ubuntu or debian, then you can solve the problem with this one line:

sudo apt-get install ca-certificates
Fervent answered 10/11, 2012 at 20:41 Comment(5)
apt-get is on cygwin ? apt-get is on redgat ? ;)Oversight
ca-certificates was already installed in my computer. Running update-ca-certificates solved the problem.Procambium
This worked also on my Synology DS215j with Debian chroot.Asphaltite
@fox update-ca-certificates is a ubuntu command, not available in debian.Fillmore
@Fillmore It actually worked on my raspberry pi running debian wheezyAutoerotism
S
31

May be this will help:

wget --no-check-certificate https://blah-blah.tld/path/filename
Selfeducated answered 4/6, 2018 at 5:10 Comment(3)
One more: This situation is also possible if you are using Kaspersky AntiVirus or similar software (by default it replaces the site's normal verified SSL certificate with its own), so you can disable SSL traffic checking in the antivirus software.Selfeducated
Warning: with this solution, you will be susceptible to the man-in-middle attackPyre
This does NOT fix the issue !!Kinin
N
12

First, the SSL certificates need to be installed. Instructions (based on https://mcmap.net/q/14308/-ssl-certificate-rejected-trying-to-access-github-over-https-behind-firewall):

pushd /usr/ssl/certs
curl http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
c_rehash

The above is enough to fix curl, but wget requires an extra symlink:

ln -sT /usr/ssl /etc/ssl
Nod answered 10/2, 2012 at 7:40 Comment(5)
Is this not insecure to install root certificate authorities from a random web site, especially with haxx in the name?Parochialism
@Parochialism curl.haxx.se that is the dev site of cURL. Pretty trustworthy folks.Jamarjamb
how do you fix it without curl?Lazes
omfg the symlink was what I missed... searched 30min for a 1 liner fix ><Coinage
This is hacky on several levels. First, you don't need to download the certificates manually because there's a Cygwin package for that called "ca-certificates". Second, symlinking will only work if you have administrative access to the system or you've installed cygwin for your user account only, which is not always the case, so the code is not reliable.Percussion
R
6

I had a similar problem and fixed it by temporarily disabling my antivirus (Kaspersky Free 18.0.0.405). This AV has an HTTPS interception module that automatically self-signs all certificates it finds in HTTPS responses.

Wget from Cygwin does not know anything about the AV root certificate, so when it finds that the website's certificate was signed with an untrusted certificate, it prints that error.

To fix this permanently without disabling the AV, you should copy the AV root certificate from the Windows certificate store to /etc/pki/ca-trust/source/anchors as a .pem file (base64 encoding) and run update-ca-trust.

Rysler answered 28/10, 2018 at 23:15 Comment(1)
Thank you, that was extremely helpful. I didn't know much about managing certificates in Windows 10, and I found this blog post helpful in following your instructions: hex64.net/blog/browsing-error-after-kaspersky-anti-virus-updateMammilla
C
5
apt-get install ca-certificates 

The s makes the difference ;)

Cenobite answered 16/1, 2018 at 17:12 Comment(2)
There is no apt-get in cygwin, so this doesn't work.Dashtikavir
@Dashtikavir Install apt-cyg and then you should be able to run tons of useful commands for installing packages. The above command translates to: $ apt-cyg install ca-certificatesExplicative
D
3

In my case, on a Raspberry Pi 3B, the clock was set in the future (2025), so I needed to update it to the current local time using ntpdate, after first setting the time back to the past, and that solved the issue.

 $ sudo date +%Y%m%d -s "20210101"
 $ sudo ntpdate times1.mike.fi
Derte answered 17/7, 2021 at 15:4 Comment(0)
M
1

Thanks to Denis Bakharev I've solved that case.

If someone has Cygwin wget not working because 'certificate not trusted' and having ca-certificates installed AND having Antivirus that automatically self-sign all certificates it finds in HTTPS responses then you need:

  1. Get the root certificate from your AV (I got mine with a browser: open any https web-site, check its certificate, go to the Certification Path tab, click on the Root certificate. Then click the View certificate button, go to the Details tab and click the Copy to File... button. Default settings are fine for saving the certificate in a *.cer file).
  2. Convert *.cer to *.crt. You can use Cygwin's OpenSSL with the following command:

openssl x509 -inform DER -in <your *.cer certificate file> -out <new cert>.crt

  3. Move the new *.crt file to the ca-directory (in my case it was /etc/pki/tls/certs/).

That was enough for me to get wget working.

Muco answered 31/5, 2022 at 12:13 Comment(0)
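
A vetting step for the procedure in the answer above, as an added example that is not part of the original answer: before an exported interception root is placed in a directory wget trusts, it confirms that the file is a DER certificate, is self-issued, is marked as a CA and has not expired, and prints the subject and SHA-256 fingerprint for comparison with the Windows certificate store. The function name stage_root_cert and its two arguments are hypothetical.

```shell
#!/bin/sh
# Added example; stage_root_cert and its arguments are hypothetical names.

# stage_root_cert CER DEST_DIR
# CER is the DER-encoded export from step 1. On success the PEM copy is
# written to DEST_DIR/<subject_hash>.<n> and that path is printed on stdout.
stage_root_cert() {
    cer=$1 dest=$2
    pem=$(mktemp) || return 1
    # Same DER -> PEM conversion as step 2.
    if ! openssl x509 -inform DER -in "$cer" -out "$pem" 2>/dev/null; then
        echo "refusing: $cer is not a DER certificate" >&2
        rm -f "$pem"; return 1
    fi
    # A root is self-issued, so subject hash and issuer hash must be equal.
    set -- $(openssl x509 -in "$pem" -noout -subject_hash -issuer_hash)
    if [ -z "$1" ] || [ "$1" != "$2" ]; then
        echo "refusing: not self-issued, so not a root" >&2
        rm -f "$pem"; return 1
    fi
    hash=$1
    # It must be flagged as a CA and must not have expired.
    ok=1
    openssl x509 -in "$pem" -noout -text | grep 'CA:TRUE' >/dev/null || ok=0
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || ok=0
    if [ "$ok" = 0 ]; then
        echo "refusing: not a CA certificate, or expired" >&2
        rm -f "$pem"; return 1
    fi
    # Details to compare by eye with the entry in the Windows certificate store.
    openssl x509 -in "$pem" -noout -subject -fingerprint -sha256 -enddate >&2
    mkdir -p "$dest" || return 1
    n=0
    while [ -e "$dest/$hash.$n" ]; do n=$((n + 1)); done   # first free suffix
    chmod 644 "$pem" && mv "$pem" "$dest/$hash.$n" && printf '%s\n' "$dest/$hash.$n"
}
```

The hash-based file name is the form c_rehash produces, so the staged file can be found in a directory passed to wget with --ca-directory.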
A
1

In my case, it was happening because I was using an outdated base image. So, I changed it from java:8 to the official openjdk:8 image and I didn't get the error anymore on wget. So, you may need to change your base image or os which isn't outdated and wget should work. I think, the root cause is this: DST Root CA X3 Expiration (September 2021)

Audley answered 13/2 at 13:20 Comment(0)
W
0

I had a similar problem with wget to my own live web site returning errors after installing a new SSL certificate. I'd already checked several browsers and they didn't report any errors:

wget --no-cache -O - "https://example.com/..."
ERROR: The certificate of ‘example.com’ is not trusted.
ERROR: The certificate of ‘example.com’ hasn't got a known issuer.

The problem was I had installed the wrong certificate authority .pem/.crt file from the issuer. Usually they bundle the SSL certificate and CA file as a zip file, but DigiCert email you the certificate and you have to figure out the matching CA on your own. https://www.digicert.com/help/ has an SSL certificate checker which lists the SSL authority and the hopefully matching CA with a nice blue link graphic if they agree:

SSL Cert: Issuer GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1

CA: Subject GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
Valid from 16/Jul/2020 to 31/May/2023
Issuer DigiCert Global Root CA

Waspish answered 3/10, 2020 at 23:24 Comment(0)
D
0

We just had this same issue come up when we installed a newly minted certificate just this last week. I've also seen it two other times...yet I'm slow to learn. In all 3 cases I had to get the "intermediate certificates" and install them. In other words my cert was good but its signer or its signer's signer wasn't correctly installed. Make sure you go to your certificate provider's site and get the correct intermediate certificates and install them as well on your server and then this warning will go away.

It might not JUST be the above, it could also be that clients don't have updated lists...but I would make sure it's not just you not fully installing the certificates right FIRST, and then after that going on to the clients and making sure their list is updated.

Distefano answered 19/4, 2021 at 19:16 Comment(0)
T
0

Not exactly the same issue. On docker, I was mounting my host filesystem to /etc where OpenSSL certs were already installed which gets overwritten.

Changing the mounting to different filesystem fixed it.

Taxable answered 27/2, 2022 at 0:53 Comment(0)
M
-6

If you are using windows just go to control panel, click on automatic updates then click on Windows Update Web Site link. Just follow the step. At least this works for me, no more certificates issue i.e whenever I go to https://www.dropbox.com as before.

Milkandwater answered 20/8, 2014 at 3:13 Comment(1)
This isn't related to CygwinGriffe
C
-6

Just do

apt-get install ca-certificate
City answered 29/7, 2017 at 6:50 Comment(0)
