Teaching wget About Root Certificates
Wednesday, August 27th, 2008
I am setting up some temporary tinderboxes to repack localization builds. Because I don’t trust the DNS service from my home ISP, I wanted to download builds from ftp.mozilla.org using HTTPS. It turns out this was quite the challenging task, due to the following cute and relatively useless error message:
ERROR: Certificate verification error for ftp.mozilla.org: unable to get local issuer certificate
To connect to ftp.mozilla.org insecurely, use '--no-check-certificate'.
What this really means is “your copy of wget/OpenSSL didn’t come with any root certificates, and HTTPS just isn’t going to work until you get them and I know about them.”
Getting Root Certificates
The best way to get the root certificates you need is at this website. It has a tool that will convert the root certificates built into Mozilla NSS into the PEM format that OpenSSL expects. It also has pre-converted PEM files available for download if you’re lazy.
Installing cacert.pem into MozillaBuild (Windows)
To install cacert.pem so that it works with MozillaBuild:
- Copy cacert.pem to c:/mozilla-build/wget/cacert.pem
- Create the following configuration file at c:/mozilla-build/wget/wget.ini:
ca_certificate=c:/mozilla-build/wget/cacert.pem
Ted filed a bug about setting this up automatically for a future version of MozillaBuild.
Installing cacert.pem on Mac:
The following instructions assume you got your wget from MacPorts using port install wget.
- Copy cacert.pem to /opt/local/etc/cacert.pem
- Create the following configuration file at /opt/local/etc/wgetrc:
ca_certificate=/opt/local/etc/cacert.pem
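After either install, it is worth confirming that the file really is a PEM bundle and that the wgetrc (or wget.ini) still has verification switched on. The script below is an added example, not part of the original post; the function names are made up for illustration, the demo bundle is a constructed placeholder, and the check covers only the shape of the files, not whether the certificates are the right ones.

```shell
#!/bin/sh
# Print how many certificates a PEM bundle holds; fail if the BEGIN/END markers
# are missing or unbalanced (for example an HTML error page saved as cacert.pem).
count_pem_certs() {
    [ -r "$1" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# Print the last value set for a wgetrc command. wget treats command names as
# case-, underscore- and hyphen-insensitive, so normalise before comparing.
wgetrc_get() {  # usage: wgetrc_get <command> <wgetrc>
    awk -v want="$1" '
        function norm(s) { s = tolower(s); gsub(/[-_ \t]/, "", s); return s }
        /^[ \t]*#/ || /^[ \t\r]*$/ { next }
        {
            eq = index($0, "=")
            if (eq && norm(substr($0, 1, eq - 1)) == norm(want)) {
                val = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            }
        }
        END { print val }
    ' "$2"
}

# Succeed only if the wgetrc keeps verification on and names a usable bundle.
audit_wgetrc() {  # usage: audit_wgetrc <wgetrc>
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    case "$(wgetrc_get check_certificate "$1" | tr 'A-Z' 'a-z')" in
        off|no|0) echo "check_certificate is disabled"; return 1 ;;
    esac
    bundle=$(wgetrc_get ca_certificate "$1")
    [ -n "$bundle" ] || { echo "ca_certificate is not set"; return 1; }
    n=$(count_pem_certs "$bundle") || { echo "not a PEM bundle: $bundle"; return 1; }
    echo "ok: $n certificate(s) in $bundle"
}

# Constructed demo input: marker lines only, not a real certificate.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(base64 body)' \
    '-----END CERTIFICATE-----' > "$demo_dir/cacert.pem"
printf 'ca_certificate=%s\n' "$demo_dir/cacert.pem" > "$demo_dir/wgetrc"
audit_wgetrc "$demo_dir/wgetrc"
```

To check a real install, call audit_wgetrc with the path of the configuration file created above, for example /opt/local/etc/wgetrc.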