# [SOLVED] wget ssl certificate problems

## scubed

I have a script that updates my dyndns dns entries periodically.

Today it just mysteriously stopped working.

I investigated and found that wget spontaneously decided that it didn't like the certificate.

This is the command:

```
wget -O dyndns.log https://${user}:${pass}@members.dyndns.org/nic/update?${newinfo}
```

It gives this message:

```
Connecting to members.dyndns.org|63.208.196.95|:443... connected.
ERROR: Certificate verification error for members.dyndns.org: unable to get local issuer certificate
To connect to members.dyndns.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
```

```
~>wget --version
GNU Wget 1.10.2
```

I looked with Mozilla and curl and both were able to connect by https just fine.

I tried re-emerging wget, but that didn't help.

I tried using the --ca-certificate option and pointing it to curl's CAs, but that had no effect.

I looked and saw that members.dyndns.org's certificate is signed by Equifax Secure CA.

So, I extracted just that certificate from curl's certificates, but that still didn't work.

Why would wget suddenly not like this site?

Its certificate still appears to be good.

How do I get it to recognize the certificate?

----------

## hanj

Hello

I think this is happening due to the recent upgrade of wget.

```
Fri Oct 21 08:50:07 2005 >>> net-misc/wget-1.10.2
```

It looks like it's failing on the local issuer check of the cert. The cert there definitely is missing the local issuer. I think you could just add the '--no-check-certificate' option. I believe this still uses the cert, but will not check it prior to using it.

```
wget -O dyndns.log https://${user}:${pass}@members.dyndns.org/nic/update?${newinfo} --no-check-certificate
```

Here is how you can view that cert...

```
openssl s_client -connect members.dyndns.org:443
```

Useful information from output:

```
CONNECTED(00000003)
depth=0 /C=US/O=members.dyndns.org/OU=https://services.choicepoint.net/get.jsp?80401367/OU=See www.geotrust.com/quickssl/cps (c)04/OU=Domain Control Validated - This is a GeoTrust QuickSSL(R) Certificate/CN=members.dyndns.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=members.dyndns.org/OU=https://services.choicepoint.net/get.jsp?80401367/OU=See www.geotrust.com/quickssl/cps (c)04/OU=Domain Control Validated - This is a GeoTrust QuickSSL(R) Certificate/CN=members.dyndns.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=members.dyndns.org/OU=https://services.choicepoint.net/get.jsp?80401367/OU=See www.geotrust.com/quickssl/cps (c)04/OU=Domain Control Validated - This is a GeoTrust QuickSSL(R) Certificate/CN=members.dyndns.org
verify error:num=21:unable to verify the first certificate
verify return:1
```

Hope this helps

hanji

----------

## scubed

Thank you for your reply.

What are the security implications of --no-check-certificate? Wouldn't that make me vulnerable to a man-in-the-middle attack?

I used the command you gave to get the certificate for members.dyndns.org.

You are saying that the problem is that the certificate is missing a field or something?

Is there a way that I can mark it that wget should use it anyways?

I am interested in being able to do it the 'right' way, not just the 'right-now' way.

----------

## hanj

I'm not sure.. but it looks like their cert is slightly messed up. May be worth showing the output of the openssl command to them.. and see what they can do about it.

This is from man wget....

 *Quote:*   

> --no-check-certificate
>
> Don't check the server certificate against the available certificate authorities.  Also don't require the URL host name to match the common name presented by the certificate.
> ...

 

hanji

----------

## scubed

I messed with it some more.

It appears to be a bug in wget 1.10.

It works fine in wget 1.9.

I tried another site with 1.10, and it worked fine.

Maybe wget 1.10 + my version of openssl don't get along?

OpenSSL 0.9.7e 25 Oct 2004

So, wget 1.10 + weird certificate?

----------

## hanj

 *Quote:*   

> It appears to be a bug in wget 1.10.
> 
> It works fine in wget 1.9. 

 

The no-check-certificate was added in 1.10.. this is not a bug.. it used to 'not' check it.

hanji

----------

## scubed

So, it is just doing extra checking and it is safe to use that option?

I guess that that settles it.

Thank you.

----------
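
An offline reproduction of verify error 20 ("unable to get local issuer certificate") from the openssl output earlier in the thread, added here as an example and not posted by anyone in the thread. It shows that a CA bundle lacking the issuing root still fails, while trusting the issuing root passes with verification left on. The CA names and the host dyndns.example.test are constructed for the example, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): all names and certificates below are
# constructed. Requires the openssl command-line tool; no network access.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a constructed self-signed root CA as $WORK/NAME.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA: issue $WORK/leaf.pem for a constructed host, signed by CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dyndns.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -days 2 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf CA: print "ok" if leaf.pem chains to CA, otherwise the OpenSSL
# verify error number (20 = unable to get local issuer certificate).
verify_leaf() {
    out=$(openssl verify -CAfile "$WORK/$1.pem" "$WORK/leaf.pem" 2>&1 || true)
    case $out in
        *": OK"*) echo ok ;;
        *) printf '%s\n' "$out" |
               sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
    esac
}

make_ca issuing-root      # the root that really signed the server's cert
make_ca unrelated-root    # stands in for a bundle that lacks that root
make_leaf issuing-root

# A bundle without the issuer reproduces the failure from the thread ...
echo "unrelated bundle: $(verify_leaf unrelated-root)"
# ... and trusting the actual issuing root fixes it with verification on.
echo "issuing root:     $(verify_leaf issuing-root)"
# The wget counterpart is --ca-certificate=FILE with that root certificate,
# which keeps both the chain check and the host name check in force.
```
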

