X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:reply-to:message-id:to:subject
	:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding; q=dns; s=default; b=e1kY9vzHW3tLdtCr
	9RlGa/hPU8/8Y+qphJvcuAbCTrcQMppBRxSxScXKUcgvMV+taqcazCdJ4+xjjWtz
	acz9S1AhjI/VSy2ZoHtjo0A6fag/HhCCZrJdLnWGc5Q7o3mypJNrXDde1KVUY5MS
	oIz9ekEHFykbjx3unUzFPKXe0sY=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:reply-to:message-id:to:subject
	:in-reply-to:references:mime-version:content-type
	:content-transfer-encoding; s=default; bh=Fipo095Ds1S26Y4mANwI74
	UTTJI=; b=QsbdASFxIsJePTVnWLzmeCy+GJtggYjYkmJHjwYgGY3nU7jD1/lWrZ
	4YfG/VHjNdXShUD7V07qF4tweqDMqvzU0vveUU0rV/yc2B06Rwqy57z7RKMzTBVJ
	hsDJT3+GL7ustAqeALEpeLcIi8+rzRGz4TXUJd+ZqYRoiOP+XAkZo=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=2.0 required=5.0 tests=BAYES_50,FREEMAIL_FROM,KAM_THEBAT,MIME_BASE64_BLANKS,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=no version=3.3.2 spammy=UD:yandex.ru, lee, authorities, english
X-HELO: forward101o.mail.yandex.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1533549901;	bh=sGIw8ERi8awpRK69VrOwXLVI5DIKoXqI6BxUQ9HjPwQ=;	h=Date:From:Reply-To:Message-ID:To:Subject:In-Reply-To:References;	b=LV7Kjs9RdHq3JVjs7FL58vYGYWWMcwnfgai5gt4qI5R2aeo8VKlJ8AXrY7liEFjyu	 zX73qMaFB/VAcfM8eX0qLOT6Es/uUWzx3IciaXsVih1JFpHTyA8jOmjkOjss4VatrA	 X8IRQtt238Fz1YCkRdtDXXt6vXxUcIl4pBMo3v8s=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1533549900;	bh=sGIw8ERi8awpRK69VrOwXLVI5DIKoXqI6BxUQ9HjPwQ=;	h=Date:From:Reply-To:Message-ID:To:Subject:In-Reply-To:References;	b=i1pUO64Dt99XkKx7WIiNUZS6TQem/pmPe1C74Vt7Nfnj8bpNvAVbWyQm71epRFIx5	 /nH0WBcfHrREGao2DS+n0hprS/OPAlYUXf1nciqDiqgCdYbHr7Wb9QBbw19PCQcXey	 668byAMx38Ee7dpSZLbQQyrjNHo5UIRwRlfMjglI=
Authentication-Results: smtp2o.mail.yandex.net; dkim=pass header.i=@yandex.ru
Date: Mon, 6 Aug 2018 13:03:55 +0300
From: Andrey Repin <anrdaemon AT yandex DOT ru>
Reply-To: cygwin AT cygwin DOT com
Message-ID: <723508902.20180806130355@yandex.ru>
To: Lee <ler762 AT gmail DOT com>, cygwin AT cygwin DOT com
Subject: Re: wget does not recognize PKI?
In-Reply-To: <CAD8GWssOdAt=MgArgPWPKCvyu9rstqCHyLEa=WM+zzp3-OMLWw@mail.gmail.com>
References: <1964416456 DOT 20180805201253 AT yandex DOT ru>   <CAD8GWssOdAt=MgArgPWPKCvyu9rstqCHyLEa=WM+zzp3-OMLWw AT mail DOT gmail DOT com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
X-IsSubscribed: yes
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id w76A5KBB018141

Greetings, Lee!

> On 8/5/18, Andrey Repin wrote:
>> Greetings, All!

> Greetings, Andrey Repin!

>> $ wget https://ca.rootdir.org/ca.crl
>> --2018-08-05 20:05:28--  https://ca.rootdir.org/ca.crl
>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443...
>> connected.
>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>
>> $ "$( which wget )" --version
>> GNU Wget 1.19.1 built on cygwin.
>>
>> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls +ntlm
>> +opie +psl +ssl/gnutls
>>
>> The root CA certificate is correctly installed and hashed.

> Apparently not.

curl and openssl sees it.
Both Cygwin and native openssl.

> Does it work if you tell wget to use your root CA cert?
> ‘--ca-certificate=FILE’

It does, of course, but why doesn't it see the PKI by itself?

$ wget --ca-certificate=/etc/ssl/certs/dd07c56a.0 https://ca.rootdir.org/ca.crl
--2018-08-06 12:46:14--  https://ca.rootdir.org/ca.crl
Loaded CA certificate '/etc/ssl/certs/dd07c56a.0'
Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 872 [application/octet-stream]
Saving to: ‘ca.crl’

ca.crl                   100%[================================>]     872  --.-KB/s    in 0s

2018-08-06 12:46:14 (18.0 MB/s) - ‘ca.crl’ saved [872/872]

>      Use FILE as the file with the bundle of certificate authorities
>      (“CA”) to verify the peers.  The certificates must be in PEM
>      format.

>      Without this option Wget looks for CA certificates at the
>      system-specified locations, chosen at OpenSSL installation time.

> & you probably have, but to be sure.. you looked at 'info
> update-ca-trust' - right?

No. Hashing /etc/ssl/certs has been enough for a long while.
I followed the directions, and it indeed fixed the issue, but I'm surprised by
the change in behavior.


-- 
With best regards,
Andrey Repin
Monday, August 6, 2018 12:44:13

Sorry for my terrible english...
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple