How do I fix certificate errors when running wget on an HTTPS URL in Cygwin?
HttpsCygwinCertificateWgetHttps Problem Overview
For example, running wget https://www.dropbox.com
results in the following errors:
ERROR: The certificate of `www.dropbox.com' is not trusted.
ERROR: The certificate of `www.dropbox.com' hasn't got a known issuer.
Https Solutions
Solution 1 - Https
If you don't care about checking the validity of the certificate just add the --no-check-certificate
option on the wget command-line. This worked well for me.
NOTE: This opens you up to man-in-the-middle (MitM) attacks, and is not recommended for anything where you care about security.
Solution 2 - Https
Looking at current hacky solutions in here, I feel I have to describe a proper solution after all.
First, you need to install the cygwin package ca-certificates
via Cygwin's setup.exe to get the certificates.
Do NOT use curl or similar hacks to download certificates (as a neighboring answer advices) because that's fundamentally insecure and may compromise the system.
Second, you need to tell wget where your certificates are, since it doesn't pick them up by default in Cygwin environment. If you can do that either with the command-line parameter --ca-directory=/usr/ssl/certs
(best for shell scripts) or by adding ca_directory = /usr/ssl/certs
to ~/.wgetrc
file.
You can also fix that by running ln -sT /usr/ssl /etc/ssl
as pointed out in another answer, but that will work only if you have administrative access to the system. Other solutions I described do not require that.
Solution 3 - Https
If the problem is that a known root CA is missing and when you are using ubuntu or debian, then you can solve the problem with this one line:
sudo apt-get install ca-certificates
Solution 4 - Https
May be this will help:
wget --no-check-certificate https://blah-blah.tld/path/filename
Solution 5 - Https
First, the SSL certificates need to be installed. Instructions (based on https://stackoverflow.com/a/4454754/278488):
pushd /usr/ssl/certs
curl http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
c_rehash
The above is enough to fix curl
, but wget
requires an extra symlink:
ln -sT /usr/ssl /etc/ssl
Solution 6 - Https
apt-get install ca-certificates
The s
makes the difference ;)
Solution 7 - Https
I have the similar problem and fixed it by temporarily disabling my antivirus(Kaspersky Free 18.0.0.405). This AV has HTTPS interception module that automatically self-sign all certificates it finds in HTTPS responses.
Wget from Cygwin does not know anything about AV root certificate, so when it finds that website's certificate was signed with non trust certificate it prints that error.
To fix this permanently without disabling AV you should copy the AV root certificate from Windows certificate store to /etc/pki/ca-trust/source/anchors
as .pem file(base64 encoding) and run update-ca-trust
Solution 8 - Https
I had a similar problem with wget to my own live web site returning errors after installing a new SSL certificate. I'd already checked several browsers and they didn't report any errors:
wget --no-cache -O - "https://example.com/..." ERROR: The certificate of ‘example.com’ is not trusted. ERROR: The certificate of ‘example.com’ hasn't got a known issuer.
The problem was I had installed the wrong certificate authority .pem/.crt file from the issuer. Usually they bundle the SSL certificate and CA file as a zip file, but DigiCert email you the certificate and you have to figure out the matching CA on your own. https://www.digicert.com/help/ has an SSL certificate checker which lists the SSL authority and the hopefully matching CA with a nice blue link graphic if they agree:
`SSL Cert: Issuer GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
CA: Subject GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 Valid from 16/Jul/2020 to 31/May/2023 Issuer DigiCert Global Root CA`
Solution 9 - Https
We just had this same issue come up when we installed a newly minted certificate just this last week. I've also seen it two other times...yet I'm slow to learn. In all 3 cases I had to get the "intermediate certificates" and install them. In other words My cert was good but it's signer or it's signer's signer wasn't correctly installed. Make sure you go to your certificate provider's site and get the correct intermediate certificates and install them as well on your server and then this warning will go away.
It might not JUST be the above, it could also be that clients don't have updated lists...but I would make sure it's not just you not fully installing the certificates right FIRST, and then after that going on to the clients and making sure their list is updated.
Solution 10 - Https
In my case, on raspberry pi 3B the timing was in the future (2025) that I need to update to the current local time using ntpdate
by passing the time to the past and it solved the issue.
$ sudo date +%Y%m%d -s "20210101"
$ sudo ntpdate times1.mike.fi
Solution 11 - Https
Not exactly the same issue. On docker, I was mounting my host filesystem to /etc
where OpenSSL certs were already installed which gets overwritten.
Changing the mounting to different filesystem fixed it.
Solution 12 - Https
Just do
apt-get install ca-certificate
Solution 13 - Https
If you are using windows just go to control panel, click on automatic updates then click on Windows Update Web Site link. Just follow the step. At least this works for me, no more certificates issue i.e whenever I go to https://www.dropbox.com as before.