Using wget (and curl) with a custom certificate authority on macOS

If you use self-signed certificates on your dev/testing servers, sooner or later you will run into problems making requests to them. On Linux systems this is said to be easily fixed by adding the root CA certificate to /etc/ssl/certs. On macOS that alone just doesn’t do the trick.

Typical errors are “ERROR: cannot verify your-host.name’s certificate, issued by ‘CN=YourAuthorityCA,DC=ld,DC=you,DC=ru’: Self-signed certificate encountered” from wget, or “SSL certificate problem: self signed certificate in certificate chain” from curl.

Now to fix it. Download the root CA certificate; in what follows it is assumed to be stored at ~/Downloads/my_root.crt.

cd ~
mkdir -p .ssl/certs
mv ~/Downloads/my_root.crt ~/.ssl/certs
cd ~/.ssl/certs

# 1
# The next command is used instead of the c_rehash which I couldn't make run
for file in *.crt; do ln -s "$file" "$(openssl x509 -hash -noout -in "$file")".0; done

# 2
echo "ca_directory=~/.ssl/certs" >> ~/.wgetrc
echo "capath=$HOME/.ssl/certs:/etc/ssl/certs" >> ~/.curlrc

In (1) we create a symlink to each certificate file in the certs directory, named after the hash that OpenSSL derives from the certificate’s subject name (what “openssl x509 -hash” prints) followed by a .0 suffix. This layout is what wget requires; from its man page:

--ca-directory=directory

Specifies directory containing CA certificates in PEM format. Each file contains one CA certificate, and the file name is based on a hash value derived from the certificate. This is achieved by processing a certificate directory with the “c_rehash” utility supplied with OpenSSL. Using --ca-directory is more efficient than --ca-certificate when many certificates are installed because it allows Wget to fetch certificates on demand.

It advises us to use c_rehash for this purpose. There are two downsides to that utility. First, I couldn’t make it run, and found a workaround on Stack Overflow. Second, even if it did run, it only works with .pem files, not .crt, so we would have to either convert the certificate or edit the c_rehash tool, which only adds more hassle. The for loop above works just fine.

In (2) you set the options (ca_directory in ~/.wgetrc, capath in ~/.curlrc) that tell wget and curl where to look for your additional certificates.
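A more robust version of step (1), plus a check for step (2), as an added example rather than the post’s own commands: the function names (rehash_certs, links_for, verify_against_dir) are hypothetical, and the certificates in the usage note are generated locally with openssl, not taken from the post. It handles both .crt and .pem files, is safe to re-run (stale hash links are removed first), gives a second certificate with the same subject hash a .1 link instead of failing, and then verifies a certificate against the directory the way wget and curl will, so you can confirm the directory works before editing ~/.wgetrc or ~/.curlrc.

```sh
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.
# Rebuild the hash symlinks that wget's ca_directory / curl's capath rely on.
# -subject_hash is the documented name of the -hash option used in the post.

rehash_certs() {
    dir="$1"
    # Drop hash links left by a previous run so the function can be re-run safely
    for link in "$dir"/*.[0-9]; do
        [ -L "$link" ] && rm -f "$link"
    done
    for file in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$file" ] || continue
        hash=$(openssl x509 -subject_hash -noout -in "$file") || return 1
        # OpenSSL tries hash.0, hash.1, ... so colliding subject hashes get the next index
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            n=$((n + 1))
        done
        # Relative link target, so the directory can be moved as a whole
        ln -s "$(basename "$file")" "$dir/$hash.$n"
    done
}

# Print how many hash links in dir point at the given certificate file name.
# Expected: 1 after a successful rehash, 0 if the file was not picked up.
links_for() {
    dir="$1"
    name="$2"
    count=0
    for link in "$dir"/*.[0-9]; do
        [ -L "$link" ] || continue
        [ "$(readlink "$link")" = "$name" ] && count=$((count + 1))
    done
    echo "$count"
}

# Verify a certificate using the directory as the CA path, i.e. the lookup
# wget and curl perform once ca_directory / capath point there. Exit status 0
# means the chain is trusted. The output is checked for ": OK" instead of the
# exit status because OpenSSL 1.0's "verify" exited 0 even on failure.
verify_against_dir() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}
```

Usage: run rehash_certs ~/.ssl/certs after dropping a new CA file into the directory, then verify_against_dir ~/.ssl/certs /path/to/server.crt (a certificate saved from the dev server) before touching ~/.wgetrc or ~/.curlrc; if that prints nothing and exits 0 the directory is correct, and any remaining error comes from the wget or curl configuration rather than the certificates.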
