In-Reply-To: <1964416456.20180805201253@yandex.ru>
References: <1964416456.20180805201253@yandex.ru>
From: Lee <ler762@gmail.com>
Date: Mon, 6 Aug 2018 03:29:07 -0400
Message-ID: <CAD8GWssOdAt=MgArgPWPKCvyu9rstqCHyLEa=WM+zzp3-OMLWw@mail.gmail.com>
Subject: Re: wget does not recognize PKI?
To: cygwin@cygwin.com

On 8/5/18, Andrey Repin wrote:
> Greetings, All!

Greetings, Andrey Repin!

> $ wget https://ca.rootdir.org/ca.crl
> --2018-08-05 20:05:28--  https://ca.rootdir.org/ca.crl
> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443...
> connected.
> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>
> $ "$( which wget )" --version
> GNU Wget 1.19.1 built on cygwin.
>
> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
> +opie +psl +ssl/gnutls
>
> The root CA certificate is correctly installed and hashed.

Apparently not.  Does it work if you tell wget to use your root CA cert?
‘--ca-certificate=FILE’
     Use FILE as the file with the bundle of certificate authorities
     (“CA”) to verify the peers.  The certificates must be in PEM
     format.

     Without this option Wget looks for CA certificates at the
     system-specified locations, chosen at OpenSSL installation time.

& you probably have, but to be sure.. you looked at 'info
update-ca-trust' - right?

This might help verify your trust store:
$ cat listcerts.sh
#!/bin/sh
# ref: https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle

if [ $# -eq 1 ]; then
   # bundle specified
   FILE="$1"
   if [ ! -r "$FILE" ]; then
      echo "p1 unreadable: $FILE"
      exit 1
   fi
else
   FILE="/usr/ssl/certs/ca-bundle.crt"
 # FILE="/etc/pki/tls/certs/ca-bundle.crt"
 # FILE="/etc/pki/tls/certs/ca-bundle.trust.crt"
fi


cat "$FILE" |\
awk -v cmd="openssl x509 -noout -subject " '
/^-----BEGIN/ { c = $0; next }
{ c = c "\n" $0 }
/^-----END/ { print c|cmd; close(cmd); c = "" }
'

# openssl x509 -noout -text
#  to see all the certificate info
# openssl x509 -noout -subject
#  to see just the subject

$

Regards,
Lee

>
> $ ls -l /etc/ssl/certs/
> total 3
> lrwxrwxrwx  1 anrdaemon None  13 мар 31 01:30 a94d09e5.0 -> ca-bundle.crt
> lrwxrwxrwx  1 anrdaemon None  49 мар 12 02:29 ca-bundle.crt ->
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> lrwxrwxrwx  1 anrdaemon None  55 мар 12 02:29 ca-bundle.trust.crt ->
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
> lrwxrwxrwx  1 anrdaemon None  18 мар 31 01:30 dd07c56a.0 ->
> Rootdir.org_CA.crt
> drwxr-xr-x+ 1 anrdaemon None   0 апр 22 16:50 demo
> drwxr-xr-x+ 1 anrdaemon None   0 апр 22 16:50 expired
> -rw-r--r--  1 anrdaemon None 165 апр  3 14:04 README.RootCerts
> lrwxrwxrwx  1 anrdaemon None  29 фев 14 04:41 Rootdir.org_CA.crt ->
> /etc/ssl/ca-20120530-0121.crt
>
> What's going on?
>
>
> --
> With best regards,
> Andrey Repin
> Sunday, August 5, 2018 20:07:02
>
> Sorry for my terrible english...
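
Added example (not part of the original thread, and not Cygwin's or wget's own code): a check for whether a given root CA certificate is actually inside the PEM bundle that listcerts.sh walks through, by comparing SHA-256 fingerprints of the decoded certificate data. The function and script names are hypothetical; it assumes coreutils base64 and sha256sum, and plain CERTIFICATE blocks rather than the TRUSTED CERTIFICATE form used in ca-bundle.trust.crt, which carries extra trust data after the certificate.

```shell
#!/bin/sh
# Added example: is a given CA certificate present in a PEM bundle?
# usage: sh ca-in-bundle.sh CA.pem BUNDLE.pem   (script name is hypothetical)

# Print one SHA-256 fingerprint (lowercase hex) per PEM block in file $1.
# The digest is taken over the decoded DER bytes, so it matches what
# "openssl x509 -noout -fingerprint -sha256" reports, apart from case
# and the colons.
pem_fingerprints() {
    awk '
        { sub(/\r$/, "") }                          # tolerate CRLF files
        /^-----BEGIN / { inblk = 1; b64 = ""; next }
        /^-----END /   { if (inblk) print b64; inblk = 0; next }
        inblk          { b64 = b64 $0 }             # join the base64 lines
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# Return 0 if the first certificate in $1 is also in bundle $2,
# 1 if it is missing, 2 if $1 holds no PEM block at all.
ca_in_bundle() {
    want=$(pem_fingerprints "$1" | sed -n 1p)
    if [ -z "$want" ]; then
        echo "no PEM block found in $1" >&2
        return 2
    fi
    if pem_fingerprints "$2" | grep -x "$want" >/dev/null; then
        echo "present: $want"
    else
        echo "MISSING: $want"
        return 1
    fi
}

# Run the check only when called with both file arguments.
if [ "$#" -eq 2 ]; then
    ca_in_bundle "$1" "$2"
fi
```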



