Old 02-21-2014, 07:41 PM   #1
z9721
LQ Newbie
 
Registered: Feb 2014
Posts: 6

Rep: Reputation: Disabled
wget certificate error


I have a Debian 7.4 system with wget, openssl and ca-certificates installed. I experience problems running the following command:

Code:
wget https://sso.emu.dk/unilogin

Code:
Resolving sso.emu.dk (sso.emu.dk)... 80.209.175.14
Connecting to sso.emu.dk (sso.emu.dk)|80.209.175.14|:443... connected.
ERROR: The certificate of `sso.emu.dk' is not trusted.
ERROR: The certificate of `sso.emu.dk' hasn't got a known issuer.

When running the exact same command on Ubuntu 12.04.4 the page is downloaded without any errors. For security reasons I do not want to use the wget argument --no-check-certificate.

How can I solve this issue?
 
Old 02-21-2014, 09:33 PM   #2
Dutch Master
Senior Member
 
Registered: Dec 2005
Posts: 1,686

Rep: Reputation: 124
Not. Contact the tech support of the emu.dk domain and request them to update their certificate(s). Alternatively, use http instead of https.
 
Old 02-21-2014, 10:52 PM   #3
z9721
LQ Newbie
 
Registered: Feb 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
I do believe the problem is because of either misconfiguration of my system or a bug in Debian. When downloading the page with a Ubuntu system the certificate is validated correctly. If the problem was related to the website, the certificate validation should also fail on Ubuntu.
 
Old 02-22-2014, 01:39 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Dutch Master View Post
Alternatively, use http instead of https.
The OP stated clearly he didn't want to use the common workaround of supplying --no-check-certificate so what makes you believe he would want to use HTTP instead of HTTPS?..


Quote:
Originally Posted by Dutch Master View Post
Not. Contact the tech support of the emu.dk domain and request them to update their certificate(s).
Did you actually try to verify the certificate chain yourself with sslshopper or ssllabs .com or any other on-line tool before offering that advice?


Quote:
Originally Posted by z9721 View Post
I do believe the problem is because of either misconfiguration of my system or a bug in Debian. When downloading the page with a Ubuntu system the certificate is validated correctly. If the problem was related to the website, the certificate validation should also fail on Ubuntu.
Exactly. The "hasn't got a known issuer" message means your system wasn't able to verify the certificate chain leading up to the issuing Certificate Authority. On a server that could point to a certificate being installed without intermediates, on a home system this could point to missing the common CA certificates: check if you have the "ca-certificates" package installed on both systems.
 
Old 02-22-2014, 05:04 AM   #5
z9721
LQ Newbie
 
Registered: Feb 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
Exactly. The "hasn't got a known issuer" message means your system wasn't able to verify the certificate chain leading up to the issuing Certificate Authority. On a server that could point to a certificate being installed without intermediates, on a home system this could point to missing the common CA certificates: check if you have the "ca-certificates" package installed on both systems.
The "ca-certificates" package is installed and the same certificates are present on both systems. I have also installed a virtual standard Debian desktop system with all the default packages, but I get the exact same error when running the command on this system.
 
Old 02-22-2014, 06:05 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Sorry, it appears I didn't read your OP well. Please check, on both systems:
- if SSL is compiled in: 'ldd wget|egrep "(ssl|crypto)";' or 'wget -V|egrep "(ssl|crypto)";',
- if the /usr/(local/?)share/ca-certificates/ (or wherever ca-certificates dumps files) directory contents match,
- your same wget command but adding the "-v -d" args and
- running 'true|openssl s_client -connect sso.emu.dk:443 -CApath /usr/(local/?)share/ca-certificates/;'
 
Old 02-22-2014, 08:31 PM   #7
z9721
LQ Newbie
 
Registered: Feb 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Apparently wget on Debian is compiled against GnuTLS, and wget on Ubuntu is compiled against OpenSSL.

diff -y ubuntu-ca-certificates.conf debian-ca-certificates.conf (the highlighted certificate is the one used for validation on the Ubuntu system)
Code:
Ubuntu 12.04.4:                                         Debian 7.4:

cacert.org/cacert.org.crt				cacert.org/cacert.org.crt
debconf.org/ca.crt					debconf.org/ca.crt
mozilla/A-Trust-nQual-03.crt				mozilla/A-Trust-nQual-03.crt
mozilla/ACEDICOM_Root.crt				mozilla/ACEDICOM_Root.crt
mozilla/AC_Raíz_Certicámara_S.A..crt			mozilla/AC_Raíz_Certicámara_S.A..crt
						      >	mozilla/Actalis_Authentication_Root_CA.crt
mozilla/AddTrust_External_Root.crt			mozilla/AddTrust_External_Root.crt
mozilla/AddTrust_Low-Value_Services_Root.crt		mozilla/AddTrust_Low-Value_Services_Root.crt
mozilla/AddTrust_Public_Services_Root.crt		mozilla/AddTrust_Public_Services_Root.crt
mozilla/AddTrust_Qualified_Certificates_Root.crt	mozilla/AddTrust_Qualified_Certificates_Root.crt
mozilla/AffirmTrust_Commercial.crt			mozilla/AffirmTrust_Commercial.crt
mozilla/AffirmTrust_Networking.crt			mozilla/AffirmTrust_Networking.crt
mozilla/AffirmTrust_Premium.crt				mozilla/AffirmTrust_Premium.crt
mozilla/AffirmTrust_Premium_ECC.crt			mozilla/AffirmTrust_Premium_ECC.crt
mozilla/America_Online_Root_Certification_Authority_1	mozilla/America_Online_Root_Certification_Authority_1
mozilla/America_Online_Root_Certification_Authority_2	mozilla/America_Online_Root_Certification_Authority_2
mozilla/ApplicationCA_-_Japanese_Government.crt		mozilla/ApplicationCA_-_Japanese_Government.crt
mozilla/Autoridad_de_Certificacion_Firmaprofesional_C	mozilla/Autoridad_de_Certificacion_Firmaprofesional_C
mozilla/Baltimore_CyberTrust_Root.crt			mozilla/Baltimore_CyberTrust_Root.crt
mozilla/Buypass_Class_2_CA_1.crt			mozilla/Buypass_Class_2_CA_1.crt
						      >	mozilla/Buypass_Class_2_Root_CA.crt
mozilla/Buypass_Class_3_CA_1.crt			mozilla/Buypass_Class_3_CA_1.crt
						      >	mozilla/Buypass_Class_3_Root_CA.crt
mozilla/CA_Disig.crt					mozilla/CA_Disig.crt
mozilla/CNNIC_ROOT.crt					mozilla/CNNIC_ROOT.crt
mozilla/COMODO_Certification_Authority.crt		mozilla/COMODO_Certification_Authority.crt
mozilla/COMODO_ECC_Certification_Authority.crt		mozilla/COMODO_ECC_Certification_Authority.crt
mozilla/Camerfirma_Chambers_of_Commerce_Root.crt	mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
mozilla/Camerfirma_Global_Chambersign_Root.crt		mozilla/Camerfirma_Global_Chambersign_Root.crt
mozilla/Certigna.crt					mozilla/Certigna.crt
mozilla/Certinomis_-_Autorité_Racine.crt		mozilla/Certinomis_-_Autorité_Racine.crt
mozilla/Certplus_Class_2_Primary_CA.crt			mozilla/Certplus_Class_2_Primary_CA.crt
mozilla/Certum_Root_CA.crt				mozilla/Certum_Root_CA.crt
mozilla/Certum_Trusted_Network_CA.crt			mozilla/Certum_Trusted_Network_CA.crt
mozilla/Chambers_of_Commerce_Root_-_2008.crt		mozilla/Chambers_of_Commerce_Root_-_2008.crt
mozilla/ComSign_CA.crt					mozilla/ComSign_CA.crt
mozilla/ComSign_Secured_CA.crt				mozilla/ComSign_Secured_CA.crt
mozilla/Comodo_AAA_Services_root.crt			mozilla/Comodo_AAA_Services_root.crt
mozilla/Comodo_Secure_Services_root.crt			mozilla/Comodo_Secure_Services_root.crt
mozilla/Comodo_Trusted_Services_root.crt		mozilla/Comodo_Trusted_Services_root.crt
mozilla/Cybertrust_Global_Root.crt			mozilla/Cybertrust_Global_Root.crt
mozilla/DST_ACES_CA_X6.crt				mozilla/DST_ACES_CA_X6.crt
mozilla/DST_Root_CA_X3.crt				mozilla/DST_Root_CA_X3.crt
mozilla/Deutsche_Telekom_Root_CA_2.crt			mozilla/Deutsche_Telekom_Root_CA_2.crt
mozilla/DigiCert_Assured_ID_Root_CA.crt			mozilla/DigiCert_Assured_ID_Root_CA.crt
mozilla/DigiCert_Global_Root_CA.crt			mozilla/DigiCert_Global_Root_CA.crt
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt		mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt	mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt
mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt	mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt
mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Sagla	mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Sagla
mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.c	mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.c
						      >	mozilla/EC-ACC.crt
						      >	mozilla/EE_Certification_Centre_Root_CA.crt
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt	mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
mozilla/Entrust.net_Secure_Server_CA.crt		mozilla/Entrust.net_Secure_Server_CA.crt
mozilla/Entrust_Root_Certification_Authority.crt	mozilla/Entrust_Root_Certification_Authority.crt
mozilla/Equifax_Secure_CA.crt				mozilla/Equifax_Secure_CA.crt
mozilla/Equifax_Secure_Global_eBusiness_CA.crt		mozilla/Equifax_Secure_Global_eBusiness_CA.crt
mozilla/Equifax_Secure_eBusiness_CA_1.crt		mozilla/Equifax_Secure_eBusiness_CA_1.crt
mozilla/Equifax_Secure_eBusiness_CA_2.crt		mozilla/Equifax_Secure_eBusiness_CA_2.crt
mozilla/Firmaprofesional_Root_CA.crt			mozilla/Firmaprofesional_Root_CA.crt
mozilla/GTE_CyberTrust_Global_Root.crt			mozilla/GTE_CyberTrust_Global_Root.crt
mozilla/GeoTrust_Global_CA.crt				mozilla/GeoTrust_Global_CA.crt
mozilla/GeoTrust_Global_CA_2.crt			mozilla/GeoTrust_Global_CA_2.crt
mozilla/GeoTrust_Primary_Certification_Authority.crt	mozilla/GeoTrust_Primary_Certification_Authority.crt
mozilla/GeoTrust_Primary_Certification_Authority_-_G2	mozilla/GeoTrust_Primary_Certification_Authority_-_G2
mozilla/GeoTrust_Primary_Certification_Authority_-_G3	mozilla/GeoTrust_Primary_Certification_Authority_-_G3
mozilla/GeoTrust_Universal_CA.crt			mozilla/GeoTrust_Universal_CA.crt
mozilla/GeoTrust_Universal_CA_2.crt			mozilla/GeoTrust_Universal_CA_2.crt
mozilla/GlobalSign_Root_CA.crt				mozilla/GlobalSign_Root_CA.crt
mozilla/GlobalSign_Root_CA_-_R2.crt			mozilla/GlobalSign_Root_CA_-_R2.crt
mozilla/GlobalSign_Root_CA_-_R3.crt			mozilla/GlobalSign_Root_CA_-_R3.crt
mozilla/Global_Chambersign_Root_-_2008.crt		mozilla/Global_Chambersign_Root_-_2008.crt
mozilla/Go_Daddy_Class_2_CA.crt				mozilla/Go_Daddy_Class_2_CA.crt
mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt	mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
						      >	mozilla/Hellenic_Academic_and_Research_Institutions_R
mozilla/Hongkong_Post_Root_CA_1.crt			mozilla/Hongkong_Post_Root_CA_1.crt
mozilla/IGC_A.crt					mozilla/IGC_A.crt
mozilla/Izenpe.com.crt					mozilla/Izenpe.com.crt
mozilla/Juur-SK.crt					mozilla/Juur-SK.crt
mozilla/Microsec_e-Szigno_Root_CA.crt			mozilla/Microsec_e-Szigno_Root_CA.crt
mozilla/Microsec_e-Szigno_Root_CA_2009.crt		mozilla/Microsec_e-Szigno_Root_CA_2009.crt
mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt	mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
mozilla/NetLock_Business_=Class_B=_Root.crt		mozilla/NetLock_Business_=Class_B=_Root.crt
mozilla/NetLock_Express_=Class_C=_Root.crt		mozilla/NetLock_Express_=Class_C=_Root.crt
mozilla/NetLock_Notary_=Class_A=_Root.crt		mozilla/NetLock_Notary_=Class_A=_Root.crt
mozilla/NetLock_Qualified_=Class_QA=_Root.crt		mozilla/NetLock_Qualified_=Class_QA=_Root.crt
mozilla/Network_Solutions_Certificate_Authority.crt	mozilla/Network_Solutions_Certificate_Authority.crt
mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt		mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
mozilla/QuoVadis_Root_CA.crt				mozilla/QuoVadis_Root_CA.crt
mozilla/QuoVadis_Root_CA_2.crt				mozilla/QuoVadis_Root_CA_2.crt
mozilla/QuoVadis_Root_CA_3.crt				mozilla/QuoVadis_Root_CA_3.crt
mozilla/RSA_Root_Certificate_1.crt			mozilla/RSA_Root_Certificate_1.crt
mozilla/RSA_Security_2048_v3.crt			mozilla/RSA_Security_2048_v3.crt
mozilla/Root_CA_Generalitat_Valenciana.crt		mozilla/Root_CA_Generalitat_Valenciana.crt
mozilla/S-TRUST_Authentication_and_Encryption_Root_CA	mozilla/S-TRUST_Authentication_and_Encryption_Root_CA
mozilla/SecureSign_RootCA11.crt				mozilla/SecureSign_RootCA11.crt
mozilla/SecureTrust_CA.crt				mozilla/SecureTrust_CA.crt
mozilla/Secure_Global_CA.crt				mozilla/Secure_Global_CA.crt
mozilla/Security_Communication_EV_RootCA1.crt		mozilla/Security_Communication_EV_RootCA1.crt
						      >	mozilla/Security_Communication_RootCA2.crt
mozilla/Security_Communication_Root_CA.crt		mozilla/Security_Communication_Root_CA.crt
mozilla/Sonera_Class_1_Root_CA.crt			mozilla/Sonera_Class_1_Root_CA.crt
mozilla/Sonera_Class_2_Root_CA.crt			mozilla/Sonera_Class_2_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA.crt		mozilla/Staat_der_Nederlanden_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt		mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
mozilla/Starfield_Class_2_CA.crt			mozilla/Starfield_Class_2_CA.crt
mozilla/Starfield_Root_Certificate_Authority_-_G2.crt	mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
mozilla/Starfield_Services_Root_Certificate_Authority	mozilla/Starfield_Services_Root_Certificate_Authority
mozilla/StartCom_Certification_Authority.crt		mozilla/StartCom_Certification_Authority.crt
						      >	mozilla/StartCom_Certification_Authority_G2.crt
mozilla/SwissSign_Gold_CA_-_G2.crt			mozilla/SwissSign_Gold_CA_-_G2.crt
mozilla/SwissSign_Platinum_CA_-_G2.crt			mozilla/SwissSign_Platinum_CA_-_G2.crt
mozilla/SwissSign_Silver_CA_-_G2.crt			mozilla/SwissSign_Silver_CA_-_G2.crt
mozilla/Swisscom_Root_CA_1.crt				mozilla/Swisscom_Root_CA_1.crt
						      >	mozilla/T-TeleSec_GlobalRoot_Class_3.crt
mozilla/TC_TrustCenter_Class_2_CA_II.crt		mozilla/TC_TrustCenter_Class_2_CA_II.crt
mozilla/TC_TrustCenter_Class_3_CA_II.crt		mozilla/TC_TrustCenter_Class_3_CA_II.crt
mozilla/TC_TrustCenter_Universal_CA_I.crt		mozilla/TC_TrustCenter_Universal_CA_I.crt
mozilla/TC_TrustCenter_Universal_CA_III.crt		mozilla/TC_TrustCenter_Universal_CA_III.crt
mozilla/TC_TrustCenter__Germany__Class_2_CA.crt	      <
mozilla/TC_TrustCenter__Germany__Class_3_CA.crt	      <
mozilla/TDC_Internet_Root_CA.crt			mozilla/TDC_Internet_Root_CA.crt
mozilla/TDC_OCES_Root_CA.crt				mozilla/TDC_OCES_Root_CA.crt
mozilla/TURKTRUST_Certificate_Services_Provider_Root_	mozilla/TURKTRUST_Certificate_Services_Provider_Root_
mozilla/TURKTRUST_Certificate_Services_Provider_Root_	mozilla/TURKTRUST_Certificate_Services_Provider_Root_
mozilla/TWCA_Root_Certification_Authority.crt		mozilla/TWCA_Root_Certification_Authority.crt
mozilla/Taiwan_GRCA.crt					mozilla/Taiwan_GRCA.crt
mozilla/Thawte_Premium_Server_CA.crt			mozilla/Thawte_Premium_Server_CA.crt
mozilla/Thawte_Server_CA.crt				mozilla/Thawte_Server_CA.crt
						      >	mozilla/Trustis_FPS_Root_CA.crt
mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcıs	mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcıs
mozilla/UTN_DATACorp_SGC_Root_CA.crt			mozilla/UTN_DATACorp_SGC_Root_CA.crt
mozilla/UTN_USERFirst_Email_Root_CA.crt			mozilla/UTN_USERFirst_Email_Root_CA.crt
mozilla/UTN_USERFirst_Hardware_Root_CA.crt		mozilla/UTN_USERFirst_Hardware_Root_CA.crt
mozilla/ValiCert_Class_1_VA.crt				mozilla/ValiCert_Class_1_VA.crt
mozilla/ValiCert_Class_2_VA.crt				mozilla/ValiCert_Class_2_VA.crt
mozilla/VeriSign_Class_3_Public_Primary_Certification	mozilla/VeriSign_Class_3_Public_Primary_Certification
mozilla/VeriSign_Class_3_Public_Primary_Certification	mozilla/VeriSign_Class_3_Public_Primary_Certification
mozilla/VeriSign_Universal_Root_Certification_Authori	mozilla/VeriSign_Universal_Root_Certification_Authori
mozilla/Verisign_Class_1_Public_Primary_Certification	mozilla/Verisign_Class_1_Public_Primary_Certification
mozilla/Verisign_Class_1_Public_Primary_Certification	mozilla/Verisign_Class_1_Public_Primary_Certification
mozilla/Verisign_Class_1_Public_Primary_Certification	mozilla/Verisign_Class_1_Public_Primary_Certification
mozilla/Verisign_Class_2_Public_Primary_Certification <
mozilla/Verisign_Class_2_Public_Primary_Certification	mozilla/Verisign_Class_2_Public_Primary_Certification
mozilla/Verisign_Class_2_Public_Primary_Certification	mozilla/Verisign_Class_2_Public_Primary_Certification
mozilla/Verisign_Class_3_Public_Primary_Certification	mozilla/Verisign_Class_3_Public_Primary_Certification
mozilla/Verisign_Class_3_Public_Primary_Certification	mozilla/Verisign_Class_3_Public_Primary_Certification
mozilla/Verisign_Class_3_Public_Primary_Certification	mozilla/Verisign_Class_3_Public_Primary_Certification
mozilla/Verisign_Class_4_Public_Primary_Certification <
mozilla/Verisign_Class_4_Public_Primary_Certification	mozilla/Verisign_Class_4_Public_Primary_Certification
mozilla/Visa_eCommerce_Root.crt				mozilla/Visa_eCommerce_Root.crt
mozilla/WellsSecure_Public_Root_Certificate_Authority	mozilla/WellsSecure_Public_Root_Certificate_Authority
mozilla/Wells_Fargo_Root_CA.crt				mozilla/Wells_Fargo_Root_CA.crt
mozilla/XRamp_Global_CA_Root.crt			mozilla/XRamp_Global_CA_Root.crt
mozilla/certSIGN_ROOT_CA.crt				mozilla/certSIGN_ROOT_CA.crt
mozilla/ePKI_Root_Certification_Authority.crt		mozilla/ePKI_Root_Certification_Authority.crt
mozilla/thawte_Primary_Root_CA.crt			mozilla/thawte_Primary_Root_CA.crt
mozilla/thawte_Primary_Root_CA_-_G2.crt			mozilla/thawte_Primary_Root_CA_-_G2.crt
mozilla/thawte_Primary_Root_CA_-_G3.crt			mozilla/thawte_Primary_Root_CA_-_G3.crt
spi-inc.org/spi-ca-2003.crt				spi-inc.org/spi-ca-2003.crt
spi-inc.org/spi-cacert-2008.crt				spi-inc.org/spi-cacert-2008.crt

Ubuntu 12.04.4 LTS (no wget certificate errors):

ldd /usr/bin/wget | egrep "(ssl|crypto)"
Code:
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f8770d9a000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f87709bf000)

wget -v -d https://sso.emu.dk/unilogin
Code:
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-02-23 01:35:02-- https://sso.emu.dk/unilogin
Resolving sso.emu.dk (sso.emu.dk)... 80.209.175.14
Caching sso.emu.dk => 80.209.175.14
Connecting to sso.emu.dk (sso.emu.dk)|80.209.175.14|:443... connected.
Created socket 3.
Releasing 0x000000000250e9e0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x000000000250ec40
certificate:
  subject: /OU=Domain Control Validated/CN=*.emu.dk
  issuer:  /C=NL/O=TERENA/CN=TERENA SSL CA
X509 certificate successfully verified and matches host sso.emu.dk

---request begin---
GET /unilogin HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: sso.emu.dk
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 200 OK
Date: Sun, 23 Feb 2014 00:35:03 GMT
Server: Apache/2.2.3 (Oracle)
Expires: Sun, 23 Feb 2014 00:35:03 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
P3P: CP="OTI DSP COR CURa ADMa DEVa TAIa OTPi OUR SAMi STP IND PHY UNI COM NAV INT DEM"
P3P: policyref="/w3c/p3p.xml"
Expires: Sun, 23 Feb 2014 00:35:03 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 739
Connection: close
Content-Type: text/html; charset=utf-8

---response end---
200 OK
URI content encoding = `utf-8'
Length: 739 [text/html]
Saving to: `unilogin'

100%[=================================================================================>] 739         --.-K/s   in 0s      

Closed 3/SSL 0x000000000250ec40
2014-02-23 01:35:02 (194 MB/s) - `unilogin' saved [739/739]

true | openssl s_client -connect sso.emu.dk:443 -CApath /usr/share/ca-certificates/ (/usr/local/share/ca-certificates is empty)
Code:
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = NL, O = TERENA, CN = TERENA SSL CA
verify return:1
depth=0 OU = Domain Control Validated, CN = *.emu.dk
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.emu.dk
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=NL/O=TERENA/CN=TERENA SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.emu.dk
issuer=/C=NL/O=TERENA/CN=TERENA SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4628 bytes and written 539 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: B9A17DF30000000000000000000000020000897753095A0A00000000514A9814
    Session-ID-ctx: 
    Master-Key: 87134BE92D5D9D2FACEB47990459D15337383666E4C2885C0977D1A386CA31CB585E62C35C0EAA5912D9CC6EEEDC1C7A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1393121801
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

Debian 7.4 (wget certificate errors):

ldd /usr/bin/wget | egrep "(tls|crypt)"
Code:
libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007f06767f3000)
libgcrypt.so.11 => /lib/x86_64-linux-gnu/libgcrypt.so.11 (0x00007f0676575000)

wget -v -d https://sso.emu.dk/unilogin
Code:
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-02-23 00:41:39-- https://sso.emu.dk/unilogin
Resolving sso.emu.dk (sso.emu.dk)... 80.209.175.14
Caching sso.emu.dk => 80.209.175.14
Connecting to sso.emu.dk (sso.emu.dk)|80.209.175.14|:443... connected.
Created socket 4.
Releasing 0x0000000001b52560 (new refcount 1).
ERROR: The certificate of `sso.emu.dk' is not trusted.
ERROR: The certificate of `sso.emu.dk' hasn't got a known issuer.

true | openssl s_client -connect sso.emu.dk:443 -CApath /usr/share/ca-certificates/ (/usr/local/share/ca-certificates is empty)
Code:
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = NL, O = TERENA, CN = TERENA SSL CA
verify return:1
depth=0 OU = Domain Control Validated, CN = *.emu.dk
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.emu.dk
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=NL/O=TERENA/CN=TERENA SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.emu.dk
issuer=/C=NL/O=TERENA/CN=TERENA SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4628 bytes and written 634 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: B9A17DF30000000000000000000000020001809653095C1500000000514C982F
    Session-ID-ctx: 
    Master-Key: 90734986F26626EE29D06D76304CC4401615B55D4AA4755700FCE3CA16292B9D1BA2F30F5FAA0A1C006311D153F693E3
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1393122324
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
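
An added example, not part of the original posts: in both s_client outputs above the server sends its chain out of issuer order (entry 1 is the self-signed AddTrust root, ahead of the TERENA intermediate at entry 2), which OpenSSL accepts here but which is worth ruling out whenever two TLS libraries disagree about the same server. The function name `chain_order_report`, its status labels and the reordered sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the "Certificate chain"
# section of `openssl s_client` output is in issuer order, meaning the issuer
# (i:) of entry N is the subject (s:) of entry N+1.
# Exit status: 0 = ordered, 1 = out of order or issuer missing mid-chain,
# 2 = no chain section found. Also accepts the newer "s:CN = ..." layout.
# Live use: true | openssl s_client -connect HOST:443 2>/dev/null | chain_order_report
chain_order_report() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
        END {
            if (n == 0) { print "no certificate chain found"; exit 2 }
            bad = 0
            for (k = 1; k <= n; k++) {
                if (iss[k] == subj[k]) {
                    # A self-signed root is only acceptable as the last entry.
                    if (k < n) { st = "misplaced-root"; bad = 1 } else st = "root-last"
                } else if (k < n && iss[k] == subj[k + 1]) {
                    st = "ok"
                } else {
                    # Look for the issuer elsewhere in what the server sent.
                    found = 0
                    for (j = 1; j <= n; j++) if (j != k && subj[j] == iss[k]) found = j
                    if (found)      { st = "out-of-order(issuer-is-entry-" (found - 1) ")"; bad = 1 }
                    else if (k < n) { st = "issuer-missing"; bad = 1 }
                    else              st = "issuer-not-sent"   # expected in the trust store
                }
                printf "%d %s %s\n", k - 1, st, subj[k]
            }
            exit bad
        }
    '
}

# The chain section exactly as it appears in the s_client output above.
sample_emu_chain() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.emu.dk
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=NL/O=TERENA/CN=TERENA SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 3 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
EOF
}

# Constructed for comparison: the same certificates in issuer order, root left out.
sample_sorted_chain() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.emu.dk
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
 1 s:/C=NL/O=TERENA/CN=TERENA SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
EOF
}

echo "chain as sent by sso.emu.dk:"
sample_emu_chain | chain_order_report || echo "=> not in issuer order"
echo "reordered (constructed):"
sample_sorted_chain | chain_order_report && echo "=> in issuer order"
```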
 
Old 02-23-2014, 04:12 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Thanks for your reply, really helpful. It seems the error indeed stems from linking applications against GnuTLS and if you search the Debian and Ubuntu bug trackers you see they're full of similar and related problems ranging from wget and curl to Audio Scrobbler and OpenLDAP. Looking at the code it becomes clear that the GNUTLS_CERT_INVALID error (formerly GNUTLS_CERT_SIGNER_NOT_FOUND) stems from GnuTLS expecting PEM-formatted certificates in /etc/ssl/certs (or CAFILE set to "/etc/ssl/certs/ca-certificates.crt") while the "ca-certificates" package, on all platforms, seems to populate /usr/share/ca-certificates/.

Now you need to:
- check if supplying GnuTLS-enabled applications with a "--ca-certificate=/etc/ssl/certs/ca-certificates.crt" a) works for you and b) is the preferred approach, or
- check if 'c_rehash /etc/ssl/certs' will populate things (or 'update-ca-certificates'), or
- choose one of OpenSSL or GnuTLS across systems and stick with that (and open a bug tracker ticket?) until GnuTLS either conforms to standardized locations or offers a workaround.
 
Old 02-25-2014, 06:04 AM   #9
z9721
LQ Newbie
 
Registered: Feb 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thank you very much for all your help, I really appreciate it.

Contrary to my expectations, specifying paths to the correct certificate did not solve the problem. These are the tried combinations:

wget --ca-certificate=/etc/ssl/certs/ca-certificate.crt https://sso.emu.dk/unilogin
wget --ca-certificate=/etc/ssl/certs/AddTrust_External_Root.pem https://sso.emu.dk/unilogin
wget --ca-certificate=/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt https://sso.emu.dk/unilogin

wget --ca-directory=/etc/ssl/certs https://sso.emu.dk/unilogin
wget --ca-directory=/usr/share/ca-certificates https://sso.emu.dk/unilogin


I did manage to successfully download the webpage without certificate errors, but I don't think it's a correct solution. What I did was navigate to https://sso.emu.dk/unilogin with a web browser, view the certificate details and export the "*.emu.dk" certificate as emu.pem. When supplying wget with "--ca-certificate=/path/to/emu.pem", the page is downloaded without certificate errors. It's also possible to save the emu.pem certificate in "/usr/share/ca-certificates" and add "emu.pem" to the bottom of "/etc/ca-certificates.conf". After running 'update-ca-certificates' wget can download the page successfully without any other argument than the URL.

There must be something broken in the GnuTLS library. I can verify from the Ubuntu installation that 'AddTrust_External_Root.crt' is the certificate used for validation, but specifying direct path to exactly the same certificate in the Debian installation fails. What's going on here, why do I need to download a certificate manually?
 
Old 02-26-2014, 03:05 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by z9721 View Post
It's also possible to save the emu.pem certificate in "/usr/share/ca-certificates" and add "emu.pem" to the bottom of "/etc/ca-certificates.conf". After running 'update-ca-certificates' wget can download the page successfully without any other argument than the URL.
That's good to know.


Quote:
Originally Posted by z9721 View Post
There must be something broken in the GnuTLS library. I can verify from the Ubuntu installation that 'AddTrust_External_Root.crt' is the certificate used for validation, but specifying direct path to exactly the same certificate in the Debian installation fails. What's going on here, why do I need to download a certificate manually?
I offered three suggestions. Rather than spend more time and effort I'd say option three applies: choose one of OpenSSL or GnuTLS across systems and stick with that (and open a bug tracker ticket?) until GnuTLS either conforms to standardized locations or offers a workaround.
 
  



Tags
gnutls, gnutls_cert_invalid, hasn't got a known issuer


