Выполняю команду:
wget https://itnan.ru
и получаю ошибку:
ERROR: The certificate of ‘itnan.ru’ is not trusted.
ERROR: The certificate of ‘itnan.ru’ hasn't got a known issuer.
Проблема связана с HTTPS.
Однако при выполнении:
wget https://google.ru
всё нормально и ошибок нет.
Если выполнить такую команду:
wget --no-check-certificate https://itnan.ru
То команда выполняется успешно, но лишь с предупреждением о таких же ошибках.
Но выполняется.
Хочу, что не нужно было использовать этот параметр —no-check-certificate
Как исправить и что сделать?
When I try to run the wget command on http urls I get this error message:
ERROR: The certificate of `url' is not trusted.
ERROR: The certificate of `url' hasn't got a known issuer.
Jeff Schaller♦
66k35 gold badges111 silver badges245 bronze badges
asked Jan 4, 2017 at 22:00
Mordechai HadadMordechai Hadad
3211 gold badge2 silver badges4 bronze badges
3
If you are using Debian or Ubuntu, install the ca-certificates package:
$ sudo apt-get install ca-certificates
If you don’t care about checking the validity of the certificate, use the --no-check-certificate option:
$ wget --no-check-certificate https://download/url
Note: The second option is not recommended because of the possibility of a man-in-the-middle attack.
Freddy
25k1 gold badge20 silver badges59 bronze badges
answered Jan 5, 2017 at 4:35
3
Per TFM for wget use the
--no-check-certificate
option.
«Don’t check the server certificate against the available certificate authorities. Also don’t require the URL host name to match the common name presented by the certificate.»
answered Jan 5, 2017 at 3:29
ivanivanivanivan
4,8401 gold badge9 silver badges20 bronze badges
1
In my case, the root caused turned out to be an incorrect system date, which happened to be out of the certificate validity date range at the time of executing pip. This is related to the SSL library and not pip itself. Thus a simple wget or curl call to the offending URL will duplicate the issue.
Of course, I was also able to work around the issue quickly with —no-check—certificate (or equivalent) for wget and pip.
This might be a common case with working with SBC like RasberryPi/BeagleBone or any other system where a real-time clock (RTC) is not present out of the box. So lesson learned: Use NTP for to keep system time up-to-date whenever possible.
answered Jul 30, 2020 at 5:34
1
You must log in to answer this question.
Not the answer you’re looking for? Browse other questions tagged
.
Not the answer you’re looking for? Browse other questions tagged
.
For example, running wget https://www.dropbox.com results in the following errors:
ERROR: The certificate of `www.dropbox.com' is not trusted.
ERROR: The certificate of `www.dropbox.com' hasn't got a known issuer.
asked Feb 10, 2012 at 7:35
Russell DavisRussell Davis
8,2714 gold badges40 silver badges41 bronze badges
0
If you don’t care about checking the validity of the certificate just add the --no-check-certificate option on the wget command-line. This worked well for me.
NOTE: This opens you up to man-in-the-middle (MitM) attacks, and is not recommended for anything where you care about security.
davr
18.8k17 gold badges76 silver badges98 bronze badges
answered Jan 8, 2013 at 15:24
1
Looking at current hacky solutions in here, I feel I have to describe a proper solution after all.
First, you need to install the cygwin package ca-certificates via Cygwin’s setup.exe to get the certificates.
Do NOT use curl or similar hacks to download certificates (as a neighboring answer advices) because that’s fundamentally insecure and may compromise the system.
Second, you need to tell wget where your certificates are, since it doesn’t pick them up by default in Cygwin environment. If you can do that either with the command-line parameter --ca-directory=/usr/ssl/certs (best for shell scripts) or by adding ca_directory = /usr/ssl/certs to ~/.wgetrc file.
You can also fix that by running ln -sT /usr/ssl /etc/ssl as pointed out in another answer, but that will work only if you have administrative access to the system. Other solutions I described do not require that.
answered Mar 6, 2013 at 16:26
ShnatselShnatsel
3,9681 gold badge24 silver badges25 bronze badges
4
If the problem is that a known root CA is missing and when you are using ubuntu or debian, then you can solve the problem with this one line:
sudo apt-get install ca-certificates
SusanW
1,5401 gold badge12 silver badges22 bronze badges
answered Nov 10, 2012 at 20:41
cguenthercguenther
1,5691 gold badge10 silver badges14 bronze badges
5
May be this will help:
wget --no-check-certificate https://blah-blah.tld/path/filename
4b0
21.8k30 gold badges95 silver badges142 bronze badges
answered Jun 4, 2018 at 5:10
3
First, the SSL certificates need to be installed. Instructions (based on https://stackoverflow.com/a/4454754/278488):
pushd /usr/ssl/certs
curl http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
c_rehash
The above is enough to fix curl, but wget requires an extra symlink:
ln -sT /usr/ssl /etc/ssl
answered Feb 10, 2012 at 7:40
Russell DavisRussell Davis
8,2714 gold badges40 silver badges41 bronze badges
5
apt-get install ca-certificates
The s makes the difference 
Milo
3,3459 gold badges29 silver badges44 bronze badges
answered Jan 16, 2018 at 17:12
PetePete
591 silver badge1 bronze badge
2
I have the similar problem and fixed it by temporarily disabling my antivirus(Kaspersky Free 18.0.0.405). This AV has HTTPS interception module that automatically self-sign all certificates it finds in HTTPS responses.
Wget from Cygwin does not know anything about AV root certificate, so when it finds that website’s certificate was signed with non trust certificate it prints that error.
To fix this permanently without disabling AV you should copy the AV root certificate from Windows certificate store to /etc/pki/ca-trust/source/anchors as .pem file(base64 encoding) and run update-ca-trust
answered Oct 28, 2018 at 23:15
Denis BakharevDenis Bakharev
9491 gold badge9 silver badges7 bronze badges
1
In my case, on raspberry pi 3B the timing was in the future (2025) that I need to update to the current local time using ntpdate by passing the time to the past and it solved the issue.
$ sudo date +%Y%m%d -s "20210101"
$ sudo ntpdate times1.mike.fi
answered Jul 17, 2021 at 15:04
I had a similar problem with wget to my own live web site returning errors after installing a new SSL certificate. I’d already checked several browsers and they didn’t report any errors:
wget --no-cache -O - "https://example.com/..." ERROR: The certificate of ‘example.com’ is not trusted. ERROR: The certificate of ‘example.com’ hasn't got a known issuer.
The problem was I had installed the wrong certificate authority .pem/.crt file from the issuer. Usually they bundle the SSL certificate and CA file as a zip file, but DigiCert email you the certificate and you have to figure out the matching CA on your own. https://www.digicert.com/help/ has an SSL certificate checker which lists the SSL authority and the hopefully matching CA with a nice blue link graphic if they agree:
`SSL Cert: Issuer GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
CA: Subject GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
Valid from 16/Jul/2020 to 31/May/2023
Issuer DigiCert Global Root CA`
answered Oct 3, 2020 at 23:24
We just had this same issue come up when we installed a newly minted certificate just this last week. I’ve also seen it two other times…yet I’m slow to learn. In all 3 cases I had to get the «intermediate certificates» and install them. In other words My cert was good but it’s signer or it’s signer’s signer wasn’t correctly installed. Make sure you go to your certificate provider’s site and get the correct intermediate certificates and install them as well on your server and then this warning will go away.
It might not JUST be the above, it could also be that clients don’t have updated lists…but I would make sure it’s not just you not fully installing the certificates right FIRST, and then after that going on to the clients and making sure their list is updated.
answered Apr 19, 2021 at 19:16
Uncle IrohUncle Iroh
5,6986 gold badges48 silver badges61 bronze badges
Not exactly the same issue. On docker, I was mounting my host filesystem to /etc where OpenSSL certs were already installed which gets overwritten.
Changing the mounting to different filesystem fixed it.
answered Feb 27, 2022 at 0:53
viggy28viggy28
7401 gold badge9 silver badges21 bronze badges
Thanks to Denis Bakharev I’ve solved that case.
If someone has Cygwin wget not working because ‘certificate not trusted’ and having ca-certificates installed AND having Antivirus that automatically self-sign all certificates it finds in HTTPS responses then you need:
- Get root certificate from your AV (I got mine with browser: open any https web-site, check it’s certificate, go to
Certification Pathtab, click on Root certificate. Then clickView certificatebutton, go toDetailstab and clickCopy to File...button. Default settings are fine for saving certificate in *.cer file). - Convert *.cer to *.crt. You can use Cygwin’s OpenSSL with the following command:
openssl x509 -inform DER -in <your *.cer certificate file> -out <new cert>.crt
- Move new *.crt file to ca-directory (in my case it was
/etc/pki/tls/certs/).
That was enough for me to get wget working.
answered May 31, 2022 at 12:13
If you are using windows just go to control panel, click on automatic updates then click on Windows Update Web Site link. Just follow the step. At least this works for me, no more certificates issue i.e whenever I go to https://www.dropbox.com as before.
answered Aug 20, 2014 at 3:13
1
Just do
apt-get install ca-certificate
Pang
9,491146 gold badges81 silver badges122 bronze badges
answered Jul 29, 2017 at 6:50
tekintiantekintian
2773 silver badges3 bronze badges
For example, running wget https://www.dropbox.com results in the following errors:
ERROR: The certificate of `www.dropbox.com' is not trusted.
ERROR: The certificate of `www.dropbox.com' hasn't got a known issuer.
asked Feb 10, 2012 at 7:35
Russell DavisRussell Davis
8,1854 gold badges39 silver badges41 bronze badges
0
If you don’t care about checking the validity of the certificate just add the --no-check-certificate option on the wget command-line. This worked well for me.
NOTE: This opens you up to man-in-the-middle (MitM) attacks, and is not recommended for anything where you care about security.
davr
18.7k17 gold badges76 silver badges98 bronze badges
answered Jan 8, 2013 at 15:24
1
Looking at current hacky solutions in here, I feel I have to describe a proper solution after all.
First, you need to install the cygwin package ca-certificates via Cygwin’s setup.exe to get the certificates.
Do NOT use curl or similar hacks to download certificates (as a neighboring answer advices) because that’s fundamentally insecure and may compromise the system.
Second, you need to tell wget where your certificates are, since it doesn’t pick them up by default in Cygwin environment. If you can do that either with the command-line parameter --ca-directory=/usr/ssl/certs (best for shell scripts) or by adding ca_directory = /usr/ssl/certs to ~/.wgetrc file.
You can also fix that by running ln -sT /usr/ssl /etc/ssl as pointed out in another answer, but that will work only if you have administrative access to the system. Other solutions I described do not require that.
answered Mar 6, 2013 at 16:26
ShnatselShnatsel
3,9381 gold badge24 silver badges24 bronze badges
4
If the problem is that a known root CA is missing and when you are using ubuntu or debian, then you can solve the problem with this one line:
sudo apt-get install ca-certificates
SusanW
1,5401 gold badge12 silver badges22 bronze badges
answered Nov 10, 2012 at 20:41
cguenthercguenther
1,5491 gold badge10 silver badges14 bronze badges
5
May be this will help:
wget --no-check-certificate https://blah-blah.tld/path/filename
4b0
21.4k30 gold badges95 silver badges139 bronze badges
answered Jun 4, 2018 at 5:10
3
First, the SSL certificates need to be installed. Instructions (based on https://stackoverflow.com/a/4454754/278488):
pushd /usr/ssl/certs
curl http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
c_rehash
The above is enough to fix curl, but wget requires an extra symlink:
ln -sT /usr/ssl /etc/ssl
answered Feb 10, 2012 at 7:40
Russell DavisRussell Davis
8,1854 gold badges39 silver badges41 bronze badges
5
apt-get install ca-certificates
The s makes the difference
Milo
3,2979 gold badges28 silver badges43 bronze badges
answered Jan 16, 2018 at 17:12
PetePete
591 silver badge1 bronze badge
2
I have the similar problem and fixed it by temporarily disabling my antivirus(Kaspersky Free 18.0.0.405). This AV has HTTPS interception module that automatically self-sign all certificates it finds in HTTPS responses.
Wget from Cygwin does not know anything about AV root certificate, so when it finds that website’s certificate was signed with non trust certificate it prints that error.
To fix this permanently without disabling AV you should copy the AV root certificate from Windows certificate store to /etc/pki/ca-trust/source/anchors as .pem file(base64 encoding) and run update-ca-trust
answered Oct 28, 2018 at 23:15
Denis BakharevDenis Bakharev
9391 gold badge9 silver badges7 bronze badges
1
In my case, on raspberry pi 3B the timing was in the future (2025) that I need to update to the current local time using ntpdate by passing the time to the past and it solved the issue.
$ sudo date +%Y%m%d -s "20210101"
$ sudo ntpdate times1.mike.fi
answered Jul 17, 2021 at 15:04
I had a similar problem with wget to my own live web site returning errors after installing a new SSL certificate. I’d already checked several browsers and they didn’t report any errors:
wget --no-cache -O - "https://example.com/..." ERROR: The certificate of ‘example.com’ is not trusted. ERROR: The certificate of ‘example.com’ hasn't got a known issuer.
The problem was I had installed the wrong certificate authority .pem/.crt file from the issuer. Usually they bundle the SSL certificate and CA file as a zip file, but DigiCert email you the certificate and you have to figure out the matching CA on your own. https://www.digicert.com/help/ has an SSL certificate checker which lists the SSL authority and the hopefully matching CA with a nice blue link graphic if they agree:
`SSL Cert: Issuer GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
CA: Subject GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
Valid from 16/Jul/2020 to 31/May/2023
Issuer DigiCert Global Root CA`
answered Oct 3, 2020 at 23:24
We just had this same issue come up when we installed a newly minted certificate just this last week. I’ve also seen it two other times…yet I’m slow to learn. In all 3 cases I had to get the «intermediate certificates» and install them. In other words My cert was good but it’s signer or it’s signer’s signer wasn’t correctly installed. Make sure you go to your certificate provider’s site and get the correct intermediate certificates and install them as well on your server and then this warning will go away.
It might not JUST be the above, it could also be that clients don’t have updated lists…but I would make sure it’s not just you not fully installing the certificates right FIRST, and then after that going on to the clients and making sure their list is updated.
answered Apr 19, 2021 at 19:16
Uncle IrohUncle Iroh
5,6626 gold badges49 silver badges60 bronze badges
Not exactly the same issue. On docker, I was mounting my host filesystem to /etc where OpenSSL certs were already installed which gets overwritten.
Changing the mounting to different filesystem fixed it.
answered Feb 27, 2022 at 0:53
viggy28viggy28
7109 silver badges21 bronze badges
Thanks to Denis Bakharev I’ve solved that case.
If someone has Cygwin wget not working because ‘certificate not trusted’ and having ca-certificates installed AND having Antivirus that automatically self-sign all certificates it finds in HTTPS responses then you need:
- Get root certificate from your AV (I got mine with browser: open any https web-site, check it’s certificate, go to
Certification Pathtab, click on Root certificate. Then clickView certificatebutton, go toDetailstab and clickCopy to File...button. Default settings are fine for saving certificate in *.cer file). - Convert *.cer to *.crt. You can use Cygwin’s OpenSSL with the following command:
openssl x509 -inform DER -in <your *.cer certificate file> -out <new cert>.crt
- Move new *.crt file to ca-directory (in my case it was
/etc/pki/tls/certs/).
That was enough for me to get wget working.
answered May 31, 2022 at 12:13
Just do
apt-get install ca-certificate
Pang
9,335146 gold badges85 silver badges121 bronze badges
answered Jul 29, 2017 at 6:50
tekintiantekintian
2793 silver badges3 bronze badges
If you are using windows just go to control panel, click on automatic updates then click on Windows Update Web Site link. Just follow the step. At least this works for me, no more certificates issue i.e whenever I go to https://www.dropbox.com as before.
answered Aug 20, 2014 at 3:13
1
For example, running wget https://www.dropbox.com results in the following errors:
ERROR: The certificate of `www.dropbox.com' is not trusted.
ERROR: The certificate of `www.dropbox.com' hasn't got a known issuer.
asked Feb 10, 2012 at 7:35
Russell DavisRussell Davis
8,1854 gold badges39 silver badges41 bronze badges
0
If you don’t care about checking the validity of the certificate just add the --no-check-certificate option on the wget command-line. This worked well for me.
NOTE: This opens you up to man-in-the-middle (MitM) attacks, and is not recommended for anything where you care about security.
davr
18.7k17 gold badges76 silver badges98 bronze badges
answered Jan 8, 2013 at 15:24
1
Looking at current hacky solutions in here, I feel I have to describe a proper solution after all.
First, you need to install the cygwin package ca-certificates via Cygwin’s setup.exe to get the certificates.
Do NOT use curl or similar hacks to download certificates (as a neighboring answer advices) because that’s fundamentally insecure and may compromise the system.
Second, you need to tell wget where your certificates are, since it doesn’t pick them up by default in Cygwin environment. If you can do that either with the command-line parameter --ca-directory=/usr/ssl/certs (best for shell scripts) or by adding ca_directory = /usr/ssl/certs to ~/.wgetrc file.
You can also fix that by running ln -sT /usr/ssl /etc/ssl as pointed out in another answer, but that will work only if you have administrative access to the system. Other solutions I described do not require that.
answered Mar 6, 2013 at 16:26
ShnatselShnatsel
3,9381 gold badge24 silver badges24 bronze badges
4
If the problem is that a known root CA is missing and when you are using ubuntu or debian, then you can solve the problem with this one line:
sudo apt-get install ca-certificates
SusanW
1,5401 gold badge12 silver badges22 bronze badges
answered Nov 10, 2012 at 20:41
cguenthercguenther
1,5491 gold badge10 silver badges14 bronze badges
5
May be this will help:
wget --no-check-certificate https://blah-blah.tld/path/filename
4b0
21.4k30 gold badges95 silver badges139 bronze badges
answered Jun 4, 2018 at 5:10
3
First, the SSL certificates need to be installed. Instructions (based on https://stackoverflow.com/a/4454754/278488):
pushd /usr/ssl/certs
curl http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
c_rehash
The above is enough to fix curl, but wget requires an extra symlink:
ln -sT /usr/ssl /etc/ssl
answered Feb 10, 2012 at 7:40
Russell DavisRussell Davis
8,1854 gold badges39 silver badges41 bronze badges
5
apt-get install ca-certificates
The s makes the difference
Milo
3,2979 gold badges28 silver badges43 bronze badges
answered Jan 16, 2018 at 17:12
PetePete
591 silver badge1 bronze badge
2
I have the similar problem and fixed it by temporarily disabling my antivirus(Kaspersky Free 18.0.0.405). This AV has HTTPS interception module that automatically self-sign all certificates it finds in HTTPS responses.
Wget from Cygwin does not know anything about AV root certificate, so when it finds that website’s certificate was signed with non trust certificate it prints that error.
To fix this permanently without disabling AV you should copy the AV root certificate from Windows certificate store to /etc/pki/ca-trust/source/anchors as .pem file(base64 encoding) and run update-ca-trust
answered Oct 28, 2018 at 23:15
Denis BakharevDenis Bakharev
9391 gold badge9 silver badges7 bronze badges
1
In my case, on raspberry pi 3B the timing was in the future (2025) that I need to update to the current local time using ntpdate by passing the time to the past and it solved the issue.
$ sudo date +%Y%m%d -s "20210101"
$ sudo ntpdate times1.mike.fi
answered Jul 17, 2021 at 15:04
I had a similar problem with wget to my own live web site returning errors after installing a new SSL certificate. I’d already checked several browsers and they didn’t report any errors:
wget --no-cache -O - "https://example.com/..." ERROR: The certificate of ‘example.com’ is not trusted. ERROR: The certificate of ‘example.com’ hasn't got a known issuer.
The problem was I had installed the wrong certificate authority .pem/.crt file from the issuer. Usually they bundle the SSL certificate and CA file as a zip file, but DigiCert email you the certificate and you have to figure out the matching CA on your own. https://www.digicert.com/help/ has an SSL certificate checker which lists the SSL authority and the hopefully matching CA with a nice blue link graphic if they agree:
`SSL Cert: Issuer GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
CA: Subject GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
Valid from 16/Jul/2020 to 31/May/2023
Issuer DigiCert Global Root CA`
answered Oct 3, 2020 at 23:24
We just had this same issue come up when we installed a newly minted certificate just this last week. I’ve also seen it two other times…yet I’m slow to learn. In all 3 cases I had to get the «intermediate certificates» and install them. In other words My cert was good but it’s signer or it’s signer’s signer wasn’t correctly installed. Make sure you go to your certificate provider’s site and get the correct intermediate certificates and install them as well on your server and then this warning will go away.
It might not JUST be the above, it could also be that clients don’t have updated lists…but I would make sure it’s not just you not fully installing the certificates right FIRST, and then after that going on to the clients and making sure their list is updated.
answered Apr 19, 2021 at 19:16
Uncle IrohUncle Iroh
5,6626 gold badges49 silver badges60 bronze badges
Not exactly the same issue. On docker, I was mounting my host filesystem to /etc where OpenSSL certs were already installed which gets overwritten.
Changing the mounting to different filesystem fixed it.
answered Feb 27, 2022 at 0:53
viggy28viggy28
7109 silver badges21 bronze badges
Thanks to Denis Bakharev I’ve solved that case.
If someone has Cygwin wget not working because ‘certificate not trusted’ and having ca-certificates installed AND having Antivirus that automatically self-sign all certificates it finds in HTTPS responses then you need:
- Get root certificate from your AV (I got mine with browser: open any https web-site, check it’s certificate, go to
Certification Pathtab, click on Root certificate. Then clickView certificatebutton, go toDetailstab and clickCopy to File...button. Default settings are fine for saving certificate in *.cer file). - Convert *.cer to *.crt. You can use Cygwin’s OpenSSL with the following command:
openssl x509 -inform DER -in <your *.cer certificate file> -out <new cert>.crt
- Move new *.crt file to ca-directory (in my case it was
/etc/pki/tls/certs/).
That was enough for me to get wget working.
answered May 31, 2022 at 12:13
Just do
apt-get install ca-certificate
Pang
9,335146 gold badges85 silver badges121 bronze badges
answered Jul 29, 2017 at 6:50
tekintiantekintian
2793 silver badges3 bronze badges
If you are using windows just go to control panel, click on automatic updates then click on Windows Update Web Site link. Just follow the step. At least this works for me, no more certificates issue i.e whenever I go to https://www.dropbox.com as before.
answered Aug 20, 2014 at 3:13
1
For example, running wget https://www.dropbox.com results in the following errors:
ERROR: The certificate of `www.dropbox.com' is not trusted.
ERROR: The certificate of `www.dropbox.com' hasn't got a known issuer.
asked Feb 10, 2012 at 7:35
Russell DavisRussell Davis
8,1854 gold badges39 silver badges41 bronze badges
0
If you don’t care about checking the validity of the certificate just add the --no-check-certificate option on the wget command-line. This worked well for me.
NOTE: This opens you up to man-in-the-middle (MitM) attacks, and is not recommended for anything where you care about security.
davr
18.7k17 gold badges76 silver badges98 bronze badges
answered Jan 8, 2013 at 15:24
1
Looking at current hacky solutions in here, I feel I have to describe a proper solution after all.
First, you need to install the cygwin package ca-certificates via Cygwin’s setup.exe to get the certificates.
Do NOT use curl or similar hacks to download certificates (as a neighboring answer advices) because that’s fundamentally insecure and may compromise the system.
Second, you need to tell wget where your certificates are, since it doesn’t pick them up by default in Cygwin environment. If you can do that either with the command-line parameter --ca-directory=/usr/ssl/certs (best for shell scripts) or by adding ca_directory = /usr/ssl/certs to ~/.wgetrc file.
You can also fix that by running ln -sT /usr/ssl /etc/ssl as pointed out in another answer, but that will work only if you have administrative access to the system. Other solutions I described do not require that.
answered Mar 6, 2013 at 16:26
ShnatselShnatsel
3,9381 gold badge24 silver badges24 bronze badges
4
If the problem is that a known root CA is missing and when you are using ubuntu or debian, then you can solve the problem with this one line:
sudo apt-get install ca-certificates
SusanW
1,5401 gold badge12 silver badges22 bronze badges
answered Nov 10, 2012 at 20:41
cguenthercguenther
1,5491 gold badge10 silver badges14 bronze badges
5
May be this will help:
wget --no-check-certificate https://blah-blah.tld/path/filename
4b0
21.4k30 gold badges95 silver badges139 bronze badges
answered Jun 4, 2018 at 5:10
3
First, the SSL certificates need to be installed. Instructions (based on https://stackoverflow.com/a/4454754/278488):
pushd /usr/ssl/certs
curl http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
c_rehash
The above is enough to fix curl, but wget requires an extra symlink:
ln -sT /usr/ssl /etc/ssl
answered Feb 10, 2012 at 7:40
Russell DavisRussell Davis
8,1854 gold badges39 silver badges41 bronze badges
5
apt-get install ca-certificates
The s makes the difference
Milo
3,2979 gold badges28 silver badges43 bronze badges
answered Jan 16, 2018 at 17:12
PetePete
591 silver badge1 bronze badge
2
I have the similar problem and fixed it by temporarily disabling my antivirus(Kaspersky Free 18.0.0.405). This AV has HTTPS interception module that automatically self-sign all certificates it finds in HTTPS responses.
Wget from Cygwin does not know anything about AV root certificate, so when it finds that website’s certificate was signed with non trust certificate it prints that error.
To fix this permanently without disabling AV you should copy the AV root certificate from Windows certificate store to /etc/pki/ca-trust/source/anchors as .pem file(base64 encoding) and run update-ca-trust
answered Oct 28, 2018 at 23:15
Denis BakharevDenis Bakharev
9391 gold badge9 silver badges7 bronze badges
1
In my case, on raspberry pi 3B the timing was in the future (2025) that I need to update to the current local time using ntpdate by passing the time to the past and it solved the issue.
$ sudo date +%Y%m%d -s "20210101"
$ sudo ntpdate times1.mike.fi
answered Jul 17, 2021 at 15:04
I had a similar problem with wget to my own live web site returning errors after installing a new SSL certificate. I’d already checked several browsers and they didn’t report any errors:
wget --no-cache -O - "https://example.com/..." ERROR: The certificate of ‘example.com’ is not trusted. ERROR: The certificate of ‘example.com’ hasn't got a known issuer.
The problem was I had installed the wrong certificate authority .pem/.crt file from the issuer. Usually they bundle the SSL certificate and CA file as a zip file, but DigiCert email you the certificate and you have to figure out the matching CA on your own. https://www.digicert.com/help/ has an SSL certificate checker which lists the SSL authority and the hopefully matching CA with a nice blue link graphic if they agree:
`SSL Cert: Issuer GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
CA: Subject GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
Valid from 16/Jul/2020 to 31/May/2023
Issuer DigiCert Global Root CA`
answered Oct 3, 2020 at 23:24
We just had this same issue come up when we installed a newly minted certificate just this last week. I’ve also seen it two other times…yet I’m slow to learn. In all 3 cases I had to get the «intermediate certificates» and install them. In other words My cert was good but it’s signer or it’s signer’s signer wasn’t correctly installed. Make sure you go to your certificate provider’s site and get the correct intermediate certificates and install them as well on your server and then this warning will go away.
It might not JUST be the above, it could also be that clients don’t have updated lists…but I would make sure it’s not just you not fully installing the certificates right FIRST, and then after that going on to the clients and making sure their list is updated.
answered Apr 19, 2021 at 19:16
Uncle IrohUncle Iroh
5,6626 gold badges49 silver badges60 bronze badges
Not exactly the same issue. On docker, I was mounting my host filesystem to /etc where OpenSSL certs were already installed which gets overwritten.
Changing the mounting to different filesystem fixed it.
answered Feb 27, 2022 at 0:53
viggy28viggy28
7109 silver badges21 bronze badges
Thanks to Denis Bakharev I’ve solved that case.
If someone has Cygwin wget not working because ‘certificate not trusted’ and having ca-certificates installed AND having Antivirus that automatically self-sign all certificates it finds in HTTPS responses then you need:
- Get root certificate from your AV (I got mine with browser: open any https web-site, check it’s certificate, go to
Certification Pathtab, click on Root certificate. Then clickView certificatebutton, go toDetailstab and clickCopy to File...button. Default settings are fine for saving certificate in *.cer file). - Convert *.cer to *.crt. You can use Cygwin’s OpenSSL with the following command:
openssl x509 -inform DER -in <your *.cer certificate file> -out <new cert>.crt
- Move new *.crt file to ca-directory (in my case it was
/etc/pki/tls/certs/).
That was enough for me to get wget working.
answered May 31, 2022 at 12:13
Just do
apt-get install ca-certificate
Pang
9,335146 gold badges85 silver badges121 bronze badges
answered Jul 29, 2017 at 6:50
tekintiantekintian
2793 silver badges3 bronze badges
If you are using windows just go to control panel, click on automatic updates then click on Windows Update Web Site link. Just follow the step. At least this works for me, no more certificates issue i.e whenever I go to https://www.dropbox.com as before.
answered Aug 20, 2014 at 3:13
1
When I try to run the wget command on http urls I get this error message:
ERROR: The certificate of `url' is not trusted.
ERROR: The certificate of `url' hasn't got a known issuer.
Jeff Schaller♦
65.1k34 gold badges106 silver badges240 bronze badges
asked Jan 4, 2017 at 22:00
Mordechai HadadMordechai Hadad
3111 gold badge2 silver badges4 bronze badges
3
If you are using Debian or Ubuntu, install the ca-certificates package:
$ sudo apt-get install ca-certificates
If you don’t care about checking the validity of the certificate, use the --no-check-certificate option:
$ wget --no-check-certificate https://download/url
Note: The second option is not recommended because of the possibility of a man-in-the-middle attack.
Freddy
23.2k1 gold badge18 silver badges56 bronze badges
answered Jan 5, 2017 at 4:35
3
Per TFM for wget use the
--no-check-certificate
option.
«Don’t check the server certificate against the available certificate authorities. Also don’t require the URL host name to match the common name presented by the certificate.»
answered Jan 5, 2017 at 3:29
ivanivanivanivan
4,7901 gold badge9 silver badges19 bronze badges
1
In my case, the root caused turned out to be an incorrect system date, which happened to be out of the certificate validity date range at the time of executing pip. This is related to the SSL library and not pip itself. Thus a simple wget or curl call to the offending URL will duplicate the issue.
Of course, I was also able to work around the issue quickly with —no-check—certificate (or equivalent) for wget and pip.
This might be a common case with working with SBC like RasberryPi/BeagleBone or any other system where a real-time clock (RTC) is not present out of the box. So lesson learned: Use NTP for to keep system time up-to-date whenever possible.
answered Jul 30, 2020 at 5:34
1
Linux
- 10.05.2016
- 7 718
- 0
- 18.03.2019
- 4
- 4
- 0
- Содержание статьи
- The certificate is not trusted
- Добавить комментарий
wget — консольный менеджер закачек, с помощью которого через командную строку можно выкачать буквально «что угодно». Однако, не исключены ошибки в процессе эксплуатации, и сейчас мы поговорим об одной из самых распространенных.
The certificate is not trusted
Если при скачивании какого-либо файла через wget появляется следующая ошибка:
ERROR: The certificate of `raw.githubusercontent.com' is not trusted.
ERROR: The certificate of `raw.githubusercontent.com' hasn't got a known issuer.ERROR: The certificate of `www.dropbox.com' is not trusted.
ERROR: The certificate of `www.dropbox.com' hasn't got a known issuer.то нужно просто доустановить в системе набор корневых сертификатов. В Debian или Ubuntu делается это следующей командой:
apt-get install ca-certificatesСамый крайний вариант — использовать специальный параметр для игнорирования ошибок проверки сертификатов:
wget --no-check-certificateТ.е. команда на скачивание через wget должна приобрести подобный вид:
wget --no-check-certificate https://steamcdn-a.akamaihd.net/client/installer/steamcmd_linux.tar.gzПерейти к содержанию
На чтение 2 мин Опубликовано 31.12.2021
Игнорируем ошибки проверки сертификата при использовании wget.
Попробуйте получить доступ к адресу, защищенному самоподписанным сертификатом.
$ wget --output-document - https://nextcloud.example.org
--2021-07-16 13:59:59-- https://nextcloud.example.org/ Resolving nextcloud.example.org (nextcloud.example.org)... 192.168.8.32 Connecting to nextcloud.example.org (nextcloud.example.org)|192.168.8.32|:443... connected. ERROR: cannot verify nextcloud.example.org's certificate, issued by ‘CN=nextcloud.example.org’: Self-signed certificate encountered. To connect to nextcloud.example.org insecurely, use `--no-check-certificate'.
$ wget --quiet --no-check-certificate --output-document - https://nextcloud.example.org/robots.txt
User-agent: * Disallow: /
Выдержка из страницы руководства.
[...] --no-check-certificate Don't check the server certificate against the available certificate authorities. Also don't require the URL host name to match the common name presented by the certificate. As of Wget 1.10, the default is to verify the server's certificate against the recognized certificate authorities, breaking the SSL handshake and aborting the download if the verification fails. Although this provides more secure downloads, it does break interoperability with some sites that worked with previous Wget versions, particularly those using self-signed, expired, or otherwise invalid certificates. This option forces an "insecure" mode of operation that turns the certificate verification errors into warnings and allows you to proceed. If you encounter "certificate verification" errors or ones saying that "common name doesn't match requested host name", you can use this option to bypass the verification and proceed with the download. Only use this option if you are otherwise convinced of the site's authenticity, or if you really don't care about the validity of its certificate. It is almost always a bad idea not to check the certificates when transmitting confidential or important data. For self-signed/internal certificates, you should download the certificate and verify against that instead of forcing this insecure mode. If you are really sure of not desiring any certificate verification, you can specify --check-certificate=quiet to tell wget to not print any warning about invalid certificates, albeit in most cases this is the wrong thing to do. [...]
см. также:
- 🖧 Советы и рекомендации по использованию команды wget в системах Linux
- 🖧 В чем разница между curl и Wget?
- 🖧 Как использовать wget за прокси
Пожалуйста, не спамьте и никого не оскорбляйте.
Это поле для комментариев, а не спамбокс.
Рекламные ссылки не индексируются!
I have a problem with my Fedora 8 installation. It looks that wget doesn’t know how to verify SSL certificates any more. It’s strange because I have another Fedora 8 box which I believe has the same configuration and it works!
How can I make it work without using --no-check-certificate switch?
This is a sample output:
wget https://www.google.com
--2011-09-23 00:11:13-- https://www.google.com/
Resolving www.google.com... 74.125.230.146, 74.125.230.147, 74.125.230.148, ...
Connecting to www.google.com|74.125.230.146|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by `/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA':
Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
EDIT
I have this file /etc/pki/tls/certs/ca-bundle.crt file and when I run wget with --ca-certificate switch pointing to this file everything goes fine. Where should this file be placed so that I don’t need to use the switch?
BTW: curl and links work fine, but lynx also complains: «SSL error:unable to get local issuer certificate» so this is not only wget‘s issue…
Перейти к содержанию
На чтение 2 мин Опубликовано 31.12.2021
Игнорируем ошибки проверки сертификата при использовании wget.
Попробуйте получить доступ к адресу, защищенному самоподписанным сертификатом.
$ wget --output-document - https://nextcloud.example.org
--2021-07-16 13:59:59-- https://nextcloud.example.org/ Resolving nextcloud.example.org (nextcloud.example.org)... 192.168.8.32 Connecting to nextcloud.example.org (nextcloud.example.org)|192.168.8.32|:443... connected. ERROR: cannot verify nextcloud.example.org's certificate, issued by ‘CN=nextcloud.example.org’: Self-signed certificate encountered. To connect to nextcloud.example.org insecurely, use `--no-check-certificate'.
$ wget --quiet --no-check-certificate --output-document - https://nextcloud.example.org/robots.txt
User-agent: * Disallow: /
Выдержка из страницы руководства.
[...] --no-check-certificate Don't check the server certificate against the available certificate authorities. Also don't require the URL host name to match the common name presented by the certificate. As of Wget 1.10, the default is to verify the server's certificate against the recognized certificate authorities, breaking the SSL handshake and aborting the download if the verification fails. Although this provides more secure downloads, it does break interoperability with some sites that worked with previous Wget versions, particularly those using self-signed, expired, or otherwise invalid certificates. This option forces an "insecure" mode of operation that turns the certificate verification errors into warnings and allows you to proceed. If you encounter "certificate verification" errors or ones saying that "common name doesn't match requested host name", you can use this option to bypass the verification and proceed with the download. Only use this option if you are otherwise convinced of the site's authenticity, or if you really don't care about the validity of its certificate. It is almost always a bad idea not to check the certificates when transmitting confidential or important data. For self-signed/internal certificates, you should download the certificate and verify against that instead of forcing this insecure mode. If you are really sure of not desiring any certificate verification, you can specify --check-certificate=quiet to tell wget to not print any warning about invalid certificates, albeit in most cases this is the wrong thing to do. [...]
см. также:
- 🖧 Советы и рекомендации по использованию команды wget в системах Linux
- 🖧 В чем разница между curl и Wget?
- 🖧 Как использовать wget за прокси
Пожалуйста, не спамьте и никого не оскорбляйте.
Это поле для комментариев, а не спамбокс.
Рекламные ссылки не индексируются!