If you use self-signed certificates on your dev/testing servers you’re more likely to run
into a problem with making requests to them. On linux systems it said to be easily fixed
by adding the root CA certificate to
/etc/ssl/certs. On macOS systems it just doesn’t do
Among the errors could be “ERROR: cannot verify your-host.name’s certificate, issued by ‘CN=YourAuthorityCA,DC=ld,DC=you,DC=ru’: Self-signed certificate encountered” for wget. Or “SSL certificate problem: self signed certificate in certificate chain” for curl.
Now up to fixing it. Download the certificate. Let it be stored at
cd ~ mkdir -p .ssl/certs mv ~/Downloads/my_root.crt ~/.ssl/certs cd ~/.ssl/certs # 1 # The next command is used instead of the c_rehash which I couldn't make run for file in *.crt; do ln -s "$file" "$(openssl x509 -hash -noout -in "$file")".0; done # 2 echo "ca_directory=~/.ssl/certs" >> ~/.wgetrc echo "capath=$HOME/.ssl/certs:/etc/ssl/certs" >> ~/.curlrc
In (1) we create symlinks to each file in the certs directory with names based on a hash value
of the corresponding source files. This is required by
wget, from its
Specifies directory containing CA certificates in PEM format. Each file contains one CA certificate, and the file name is based on a hash value derived from the certificate. This is achieved by processing a certificate directory with the “c_rehash” utility supplied with OpenSSL. Using –ca-directory is more efficient than –ca-certificate when many certificates are installed because it allows Wget to fetch certificates on demand.
It advises us to use c_rehash for this purpose. There two downsides of using that utility.
First, I couldn’t make it run… and found a workaround at Stackoverflow.
Second, even if it could run, it only works with
.pem files, not
So we would have to either convert the certificate or edit the c_rehash tool, which only adds more hassle.
The command above works just fine.
In (2) you set options for
curl telling them where to look for your additional certificates.
Author Stan Sidel