How do I make wget trust my self-signed certificate (without using --no-check-certificate)? [duplicate]

3
  • Ubuntu 12.04
  • OpenSSL 1.0.1 14
  • Wget 1.13.4

My setup:

  • create our own CA ( our_own_ca.crt )
  • generate a certificate signed by the CA above ( graphite.local.crt )
  • concatenate that certificate and the CA certificate into a bundle file

Nginx configuration:

ssl_certificate /etc/ssl/certs/graphite.local.crt;
ssl_certificate_key /etc/ssl/certs/graphite.local.key;
ssl_client_certificate /etc/ssl/certs/our_own_ca_chained.crt;

with:

our_own_ca_chained.crt = graphite.local.crt + our_own_ca.crt

To install this CA in the trusted store, according to /usr/share/doc/ca-certificates/README.Debian , I only need to copy it to /usr/local/share/ca-certificates/ and then run update-ca-certificates . Here is the output:

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Warning: there was a problem reading the certificate file /etc/ssl/certs/our_own_ca.pem. Message:
  Extensions not allowed in v2 certificate
done.
done.

After that, we have something like the following in /etc/ssl/certs :

lrwxrwxrwx 1 root root   17 Mar 11 05:27 99ff557c.0 -> our_own_ca.pem
lrwxrwxrwx 1 root root   17 Mar 11 05:27 dc79b3f0.0 -> our_own_ca.pem
lrwxrwxrwx 1 root root   50 Mar 11 05:27 our_own_ca.pem -> /usr/local/share/ca-certificates/our_own_ca.crt

then curl worked:

curl -I link

HTTP/1.1 302 FOUND
Server: nginx
Date: Wed, 11 Mar 2015 05:30:30 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Cookie
Location: https://graphite.local/account/login?next=/
Strict-Transport-Security: max-age=15768000

but wget did not:

wget https://graphite.local
--2015-03-11 05:31:22--  https://graphite.local/
Resolving graphite.local (graphite.local)... 127.0.0.1
Connecting to graphite.local (graphite.local)|127.0.0.1|:443... connected.
ERROR: cannot verify graphite.local's certificate, issued by 'xxx':
  Self-signed certificate encountered.
To connect to graphite.local insecurely, use '--no-check-certificate'.

I also tried using --ca-certificate , but I got the same error.

Did I miss something?

asked by quanta 11.03.2015 / 06:35

1 answer

1

I would try the --ca-directory=directory option:

wget --ca-directory=/etc/ssl/certs https://graphite.local

From the wget manual:

Specifies directory containing CA certificates in PEM format. Each file contains one CA certificate, and the file name is based on a hash value derived from the certificate. This is achieved by processing a certificate directory with the c_rehash utility supplied with OpenSSL. Using ‘--ca-directory’ is more efficient than ‘--ca-certificate’ when many certificates are installed because it allows Wget to fetch certificates on demand.

Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.

answered 13.03.2015 / 11:48
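The following script is an added example; it is not code from the question, the answer, or the wget project. It rebuilds the setup described in the question with a throwaway CA that carries the X.509 v3 CA extensions (the "Extensions not allowed in v2 certificate" warning in the question's output is OpenSSL reporting a certificate whose version field is below v3 yet contains extensions, which is not a usable trust anchor), signs a certificate for graphite.local, and then checks with openssl(1) that the chain validates from a single CA file and from a directory of hash-named files. Those two checks correspond to wget's --ca-certificate and the --ca-directory option the answer suggests; it also shows the failure mode where the CA is present in the directory but not under its hash name, so a -CApath lookup never finds it. All paths are under a temporary directory; the key size and validity period are arbitrary choices for the example. Note that the nginx ssl_client_certificate directive in the question configures which CAs nginx trusts for client certificates, so it has no effect on what wget verifies.

```shell
#!/bin/sh
# Added example (not from the original question or answer): build a small
# private CA, sign a leaf certificate for graphite.local (hostname from the
# question), and verify the chain the way wget's --ca-certificate and
# --ca-directory options would look it up. Everything lives in $WORK.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA request config. The v3_ca section is what makes the result a v3
# certificate with basicConstraints CA:TRUE; without it the CA is a v1
# certificate and TLS clients refuse to use it as a trust anchor.
cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Our Own CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf (server) extensions: explicitly not a CA, plus a SAN for the hostname,
# which is what current clients match against instead of the CN.
cat >"$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:graphite.local
EOF

# Create our_own_ca.crt, then graphite.local.crt signed by it, then the
# concatenated bundle the question calls our_own_ca_chained.crt.
build_pki() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/our_own_ca.key" -out "$WORK/our_own_ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/ca.cnf" -subj "/CN=graphite.local" \
        -keyout "$WORK/graphite.local.key" -out "$WORK/graphite.local.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 30 -in "$WORK/graphite.local.csr" \
        -CA "$WORK/our_own_ca.crt" -CAkey "$WORK/our_own_ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/graphite.local.crt" 2>/dev/null &&
    cat "$WORK/graphite.local.crt" "$WORK/our_own_ca.crt" >"$WORK/our_own_ca_chained.crt"
}

# Equivalent of wget --ca-certificate=our_own_ca.crt: one trust-anchor file.
verify_with_ca_file() {
    openssl verify -CAfile "$WORK/our_own_ca.crt" "$WORK/graphite.local.crt" >/dev/null 2>&1
}

# Equivalent of wget --ca-directory=DIR: the CA must be stored in DIR as
# <subject_hash>.0, which is what c_rehash and update-ca-certificates produce
# (the 99ff557c.0 -> our_own_ca.pem links shown in the question).
verify_with_ca_dir() {
    mkdir -p "$WORK/cadir" &&
    hash=$(openssl x509 -noout -subject_hash -in "$WORK/our_own_ca.crt") &&
    cp "$WORK/our_own_ca.crt" "$WORK/cadir/$hash.0" &&
    openssl verify -CApath "$WORK/cadir" "$WORK/graphite.local.crt" >/dev/null 2>&1
}

# Failure mode: the same CA copied into a directory under a non-hash name is
# invisible to -CApath lookups, so verification fails although the file is there.
verify_with_unhashed_dir() {
    mkdir -p "$WORK/baddir" &&
    cp "$WORK/our_own_ca.crt" "$WORK/baddir/our_own_ca.crt" &&
    openssl verify -CApath "$WORK/baddir" "$WORK/graphite.local.crt" >/dev/null 2>&1
}

# A chain that openssl accepts is the precondition; if this passes but wget
# still refuses, wget is not reading the store you installed the CA into.
build_pki && verify_with_ca_file && echo "CA file: OK"
verify_with_ca_dir && echo "hashed CA directory: OK"
if verify_with_unhashed_dir; then
    echo "unhashed CA directory: unexpectedly accepted"
else
    echo "unhashed CA directory: rejected, as expected"
fi
```

Once `openssl verify -CApath` succeeds against the hashed directory, `wget --ca-directory=/that/dir https://graphite.local` has everything it needs; if it still fails, check which TLS library the wget binary is linked against, since a GnuTLS build does not necessarily read the same default store as the OpenSSL tools.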