
03/06/2019

FreeBSD wget cannot verify certificate, issued by Let’s Encrypt



I installed GNU wget utility on FreeBSD as explained here. However, whenever I use the wget command to download stuff from the Internet, it says:
   ERROR: cannot verify download.freebsd.org’s certificate, issued by ‘CN=Let’s Encrypt Authority X3,O=Let’s Encrypt,C=US’:
    Unable to locally verify the issuer’s authority.

How do I fix this problem on FreeBSD 12?

Introduction – By default, wget verifies the server’s certificate against the recognized certificate authorities. This error indicates that wget is unable to find root certificates locally. You must install root certificates on your FreeBSD server. Without root certificates, all commands and software such as Firefox would fail to verify server certificates. FreeBSD comes with the ca_root_nss package. It includes the root certificate bundle from the Mozilla Project. All you have to do is install the ca_root_nss package to get rid of this problem.

How to find information about the ca_root_nss package

Run the following pkg command along with grep command to search:
# pkg search ca | grep root
Sample outputs:

R-cran-urca-1.3.0_2            Unit root and cointegration tests for time series data
ca_root_nss-3.41               Root certificate bundle from the Mozilla Project
p5-CACertOrg-CA-20110724.005   CACert.org CA root certificate in PEM format


So if you run wget, you might get an error that reads as follows:
$ wget https://download.freebsd.org/ftp/releases/amd64/12.0-RELEASE/base.txz

ERROR: cannot verify download.freebsd.org’s certificate, issued by ‘CN=Let’s Encrypt Authority X3,O=Let’s Encrypt,C=US’:

Now we know the package name. Let us install it:
# pkg install ca_root_nss


The bundle of CA root certificates is installed in the /etc/ssl and /usr/local/openssl/ directories on FreeBSD.

Test it

Run the wget command again and it should work without any problems:
$ wget https://download.freebsd.org/ftp/releases/amd64/12.0-RELEASE/base.txz
Sample outputs:

--2018-12-17 15:32:38--  https://download.freebsd.org/ftp/releases/amd64/12.0-RELEASE/base.txz
Resolving download.freebsd.org (download.freebsd.org)... 149.20.1.200, 2001:4f8:1:11::15:0
Connecting to download.freebsd.org (download.freebsd.org)|149.20.1.200|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 154325028 (147M) [application/octet-stream]
Saving to: 'base.txz'
 
base.txz                  100%[=====================================>] 147.18M  46.5MB/s    in 3.8s    
 
2018-12-17 15:32:42 (38.6 MB/s) - 'base.txz' saved [154325028/154325028]
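
The before/after behaviour above can be reproduced offline. The following script is an added example, not part of the original post: it issues a throwaway server certificate and verifies it with `openssl verify` against a bundle that lacks the issuing root and then against one that contains it. It assumes the `openssl` command-line tool is available; every subject name and file in it is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every subject name and file here is made up for illustration.

# make_ca DIR NAME: create a throwaway self-signed root (NAME.pem, NAME.key).
make_ca() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2 constructed test root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.pem" -days 1 2>/dev/null
}

# make_leaf DIR CA: issue a server certificate signed by root CA.
make_leaf() {
    openssl req -new -config "$1/$2.cnf" -subj "/CN=download.example.test" \
        -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" \
        2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -out "$1/leaf.pem" -days 1 2>/dev/null
}

# issuer_trusted BUNDLE CERT: true only if CERT chains to a root in BUNDLE.
issuer_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: verify one leaf against a bundle lacking its issuer, then one with it.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" issuing && make_ca "$d" unrelated &&
        make_leaf "$d" issuing || { rm -rf "$d"; return 1; }
    issuer_trusted "$d/unrelated.pem" "$d/leaf.pem" &&
        missing=trusted || missing=untrusted
    issuer_trusted "$d/issuing.pem" "$d/leaf.pem" &&
        present=trusted || present=untrusted
    rm -rf "$d"
    echo "issuer-missing=$missing issuer-present=$present"
}

demo
```

The certificate is the same in both checks; only the contents of the local trust bundle change the result, which is why installing the root bundle fixes the wget error without touching the server.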


A note about --no-check-certificate

If you cannot install the ca_root_nss package, pass the --no-check-certificate option to the wget command. With this option, wget won’t check the server certificate against the available certificate authorities. It also won’t require the URL host name to match the common name presented by the certificate, so the server’s identity is not verified for that download:
$ wget --no-check-certificate https://url
$ wget --no-check-certificate https://sxi.io/

Conclusion

This page explained how to install the root certificate bundle from the Mozilla Project on FreeBSD. For more info, see the GNU wget home page.


Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.
