Teaching wget About Root Certificates

I am setting up some temporary tinderboxes to repack localization builds. Because I don’t trust the DNS service from my home ISP, I wanted to download builds from ftp.mozilla.org using HTTPS. It turns out this was quite the challenging task, due to the following cute and relatively useless error message:

ERROR: Certificate verification error for ftp.mozilla.org: unable to get local issuer certificate
To connect to ftp.mozilla.org insecurely, use '--no-check-certificate'.

What this really means is “your copy of wget/OpenSSL didn’t come with any root certificates, and HTTPS just isn’t going to work until you get them and I know about them.”

Getting Root Certificates

The best way to get the root certificates you need is at this website. It has a tool that will convert the root certificates built-in to Mozilla NSS into the PEM format that OpenSSL expects. It also has pre-converted PEM files available for download if you’re lazy.

Installing cacert.pem into MozillaBuild (Windows)

To install cacert.pem so that it works with MozillaBuild:

  1. Copy cacert.pem to c:/mozilla-build/wget/cacert.pem
  2. Create the following configuration file at c:/mozilla-build/wget/wget.ini:

Ted filed a bug about setting this up automatically for a future version of MozillaBuild.

Installing cacert.pem on Mac:

The following instructions assume you got your wget from macports using port install wget.

  1. Copy cacert.pem to /opt/local/etc/cacert.pem
  2. Create the following configuration file at /opt/local/etc/wgetrc:

Atom Feed for Comments 11 Responses to “Teaching wget About Root Certificates”

  1. Jonas Sicking Says:

    It’s a pity that curl.haxx.se is hosted on a http site. This means that you can get man-in-the-middled as you are downloading the tool which means that you can’t really trust the certificates that the tool is generating.

    Sorry, attending blackhat/defcon makes you paranoid :)

  2. Jesse Ruderman Says:

    This approach requires me to download a list of certs (or worse, download software), from a site I’ve never heard of, whose domain name happens to be “haxx.se”, over http (not https). I’ll stick to using |curl|, which came with a set of root certs, instead of |wget|, which comes with no certs and has misleading error messages.

  3. Wolf Says:

    Except, that the website is the homepage of the curl project and the software is in the curl/libcurl version control repository. (A quick google search seems to verify this. though they have a fair number of mirrors.) So using curl while not trusting that site seems a bit.. contradictory.

  4. James Says:

    Jesse: Funnily enough, curl.haxx.se is the curl website, and curl doesn’t ship CA certs any more (link includes script to extract certs from firefox). Meanwhile, adding a CA to a firefox install (not profile) requires a recompile due to NSS suckage.

  5. Mook Says:

    As Jesse mentioned, it makes more sense to just grab the root cert via Firefox (which has the root cert already) from https://www.geotrust.com/resources/root_certificates/index.asp. From there google for the right openssl command (since you’re running things with files you have already, you don’t have to worry about being mislead): openssl x509 -inform der -in Equifax_Secure_Certificate_Authority_DER.cer -out equifax.pem

    The .pem can then be installed into openssl (in the MozillaBuild case, into /usr/ssl/certs). And make it a copy with ${name-of-hash}.0 in there (the hash as found by $(openssl x509 -noout -hash -in *.pem). At least, so says http://gagravarr.org/writing/openssl-certs/others.shtml and it seems to work ;)

    Jesse: Using curl instead of wget, instead of trusting curl’s site is, umm, weird. Of course, the fact that that’s still http sucks.

  6. Stefan Möbius Says:

    Jesse: You’re partly right, even if curl.haxx.se is the official site of curl, which you seem to trust. The invalid ssl certificate for the site doesn’t help much there…
    On the other hand, you could download the Perl script linked there, evaluate what it does and run it. It’s downloading the certs from Mozilla, which I believe you do trust ;-)

  7. Ted Mielczarek Says:

    Jesse: wget uses OpenSSL, just like curl. On Linux it should all just work, if your distro is not stupid about things. Unfortunately on Mac/Windows, you clearly can’t rely on the system copy of OpenSSL to be setup correctly.

    Also, irony, you’re dissing the curl homepage while espousing the benefits of curl. :)

  8. Benjamin Smedberg Says:

    Wow folks, didn’t mean to cause a ruckus! MozillaBuild 1) doesn’t have curl 2) the wget is not an msys program, so putting PEM files in /usr/ssl/certs isn’t going to help.

    FWIW, wget on my Fedora install has root certificates and curl doesn’t, so using curl would require me to install root certs on Windows and Linux, instead of Windows and Mac, which doesn’t seem much better.

  9. crowder Says:

    Thanks, this was handy for me, at any rate. :) I fiddled with something along these lines a few months ago, but didn’t know the magic incantations for OpenSSL (which Mook provided above), and didn’t have time to sort them out, so I punted. Having this documented somewhere cleanly is very nice.

  10. Man Reader Says:

    You can always use the –cacert option in curl to point to an already-installed cert bundle.

  11. Jeff G Says:

    For Solaris 10, wget is provided in /usr/sfw/bin and the default wgetrc is located in /etc.

    I added an entry to the /etc/wgetrc as follows:


    and created a cacert.pem file with the signing CAs that I needed.

    It worked like a champ!


    Jeff G

Leave a Reply