A partir do xenial (Ubuntu 16.04.3 LTS) a versão 1.17.1-1ubuntu1.3 do wget interopera com esse site FTP muito bem, fora da caixa.
Estou trabalhando no Solaris e tentando atualizar o Git construindo o Git e todas as suas dependências a partir de fontes. O Wget não está conseguindo baixar uma dependência, que está localizada em https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz .
$ wget --ca-certificate="$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -O libunistring-0.9.7.tar.gz
--2017-10-14 17:59:40-- https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz
Resolving ftp.gnu.org (ftp.gnu.org)... 208.118.235.20, 2001:4830:134:3::b
Connecting to ftp.gnu.org (ftp.gnu.org)|208.118.235.20|:443... connected.
ERROR: cannot verify ftp.gnu.org's certificate, issued by 'CN=Let\'s Encrypt Authority X3,O=Let\'s Encrypt,C=US':
unable to get issuer certificate
To connect to ftp.gnu.org insecurely, use '--no-check-certificate'.
Abaixo está a cadeia vista pelo OpenSSL, e verifica o assunto e os emissores. Também é o mesmo certificado listado em Vamos criptografar a cadeia de confiança | Vamos criptografar a autoridade X3 (assinatura cruzada de IdenTrust) .
Eu posso duplicar o problema no Linux com o Fedora 26. E o comando cURL equivalente funciona como esperado.
Como eu digo ao Wget para usar CN=Let's Encrypt Authority X3 como o ponto de confiança para o download?
Esta versão do Wget já foi atualizada pela construção a partir de fontes.
$ wget -V
GNU Wget 1.19.1 built on solaris2.11.
-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
+ntlm +opie -psl +ssl/openssl
Wgetrc:
/usr/local/etc/wgetrc (system)
Locale:
/usr/local/share/locale
Compile:
gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
-DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib
-I/usr/local/include -DNDEBUG -D_REENTRANT -I/usr/include/pcre
-DNDEBUG -m64
Link:
gcc -I/usr/include/pcre -DNDEBUG -m64 -m64
-Wl,-rpath,/usr/local/lib64 -L/usr/local/lib64 -lpcre -luuid -lidn2
/usr/local/lib64/libssl.so /usr/local/lib64/libcrypto.so
-R/usr/local/lib64 -ldl -lz -lssl -lcrypto -ldl -lpthread
ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a -lsocket -lnsl
-lnsl -lnsl -lsocket -lsocket /usr/local/lib64/libiconv.so
-R/usr/local/lib64 /usr/local/lib64/libunistring.so
/usr/local/lib64/libiconv.so -ldl -lpthread -R/usr/local/lib64
-lsocket
...
O comando cURL equivalente funciona conforme o esperado. O problema é que o Wget está sempre disponível, mas o cURL pode precisar ser instalado. Eu não quero depender de um programa que pode (ou não) ser instalado.
$ curl --cacert "$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -o libunistring-0.9.7.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3505k 100 3505k 0 0 3505k 0 0:00:01 0:00:01 --:--:-- 3249k
$ openssl x509 -in ~/.cacert/lets-encrypt-root-x3.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Validity
Not Before: Mar 17 16:40:46 2016 GMT
Not After : Mar 17 16:40:46 2021 GMT
Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
c3:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Authority Information Access:
OCSP - URI:http://isrg.trustid.ocsp.identrust.com
CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c
X509v3 Authority Key Identifier:
keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.root-x1.letsencrypt.org
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl
X509v3 Subject Key Identifier:
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Signature Algorithm: sha256WithRSAEncryption
dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9:
70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37:
24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51:
cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d:
6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f:
c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4:
e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07:
2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33:
fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a:
5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25:
1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18:
fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6:
4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a:
28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3:
34:5b:b4:42
$ openssl s_client -connect ftp.gnu.org:443 -servername ftp.gnu.org -showcerts
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=ftp.gnu.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFCDCCA/CgAwIBAgISBCgcdNJ6TV7BCOTsFWTZTK/NMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA5MjgwOTAxMDBaFw0x
NzEyMjcwOTAxMDBaMBYxFDASBgNVBAMTC2Z0cC5nbnUub3JnMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvRG0WuiyACStwn5iyYiBCn7kn8YRbyBCdGAW
41F8UDQ8DJVKhQTz7S3IUisHGJtRQ+plfSDrYgIShaeBK76afnguVAUjzHdrvT0S
kgXFsZzq6H2w5JiqbBSsOjUUca6iUYPGM3x0EgKCIvVBb12gViSqtstXFvBaYqhf
gPXS1cNzJhyRnOmeLh2I6644fbwnm3KYlL+mq8kBRkXX0GY1v9MCWImO+brIiWLv
numOgOZOfmRcESC6QPbG99CK/2JI0SwAQ0A88vp4HEijYjvLfUCxov4GoLqFR4h8
1HYfi7CUOPfvztkY6PTSCra02be/ZI8pD1aJKHfAE7vE/bmCHQIDAQABo4ICGjCC
AhYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTqM0F2/vX2ZoriHFSossugjaq52jAf
BgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEw
LgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcw
LwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcv
MCUGA1UdEQQeMByCDWFscGhhLmdudS5vcmeCC2Z0cC5nbnUub3JnMIH+BgNVHSAE
gfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYa
aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhp
cyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5n
IFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZp
Y2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVw
b3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAED8DAy2DSmXGK2iWtns3XNtKgFV
XWaW9gcfkTvpZDlIg3sXfP/rLKtOp2cAOi16bRENnLUaXjSDqEh7Rod3qDz8RkPH
C1NorU9DSGMEdf8J2fBAzB1MqHK1OC37pQDI8mXfGP1Zr2cy7la3YB4gOsHFACEC
nIGRoEd4uOhSzzmr8aq2KymLRnI7K6tvw3rX9w+fFGIgmwom1m9oKd68Hev2yVip
dDSjpOnydn9EXhJhJtBoNayRJ4v0XSdn1KKJCLbvDqAKuA9TQ6E0L41bNGp0ROUP
988v5CQtaK10OF3T4h7dO2arUwU/mwxtRs9O7jl8w0WepSlVQB0pQ7/wSyU=
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ftp.gnu.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
...
A partir do xenial (Ubuntu 16.04.3 LTS) a versão 1.17.1-1ubuntu1.3 do wget interopera com esse site FTP muito bem, fora da caixa.
Tags ssl wget certificates solaris download