Subject: Re: wget does not recognize PKI?
From: Brian Inglis
To: cygwin AT cygwin DOT com
Date: Mon, 6 Aug 2018 09:25:26 -0600

On 2018-08-05 14:03, Csaba Raduly wrote:
> On Sun, Aug 5, 2018 at 7:36 PM, Marco Atzeri wrote:
>> On 05.08.2018 at 19:12, Andrey Repin wrote:
>>> $ wget https://ca.rootdir.org/ca.crl
>>> --2018-08-05 20:05:28-- https://ca.rootdir.org/ca.crl
>>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443... connected.
>>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>> What's going on?
>> It seems not to be a cygwin issue:
>> "This connection is not secure
>> The owner of ca.rootdir.org did not properly configure the site. Firefox has
>> not affiliated with this site to protect your information from theft."
> And not just Firefox:
> $ curl -v https://ca.rootdir.org/ca.crl
> * STATE: INIT => CONNECT handle 0x600057990; line 1404 (connection #-5000)
> * Added connection 0. The cache now contains 1 members
> * STATE: CONNECT => WAITRESOLVE handle 0x600057990; line 1440 (connection #0)
> *   Trying 77.50.25.68...
> * TCP_NODELAY set
> * STATE: WAITRESOLVE => WAITCONNECT handle 0x600057990; line 1521 (connection #0)
> * Connected to ca.rootdir.org (77.50.25.68) port 443 (#0)
> * STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x600057990; line 1573 (connection #0)
> * Marked for [keep alive]: HTTP default
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
>   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x600057990; line 1587 (connection #0)
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS alert, Server hello (2):
> * SSL certificate problem: self signed certificate in certificate chain
> * Marked for [closure]: Failed HTTPS connection
> * multi_done
> * stopped the pause stream!
> * Closing connection 0
> * The cache now contains 0 members
> * Expire cleared
> curl: (60) SSL certificate problem: self signed certificate in certificate chain
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.

Given that it's his own domain and root cert, not surprising it's not in
Mozilla's root CA list.
Lots of business gets done using counterparty certs with organization CA roots
not in any public or central repos, or just self-signed: avoids accessing or
giving CAs any info or money and dealing with fallout from vendor issues.

-- 
Take care.
Thanks, Brian Inglis, Calgary, Alberta, Canada
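The two error texts in the thread are what OpenSSL reports when the root of the presented chain is an organization or self-signed CA missing from the client's bundle. The script below is an example added here, not part of the thread: it builds a scratch private root with openssl, signs a server certificate with it, and runs `openssl verify` against the default store (the "unknown issuer" case), with the root supplied only as part of the presented chain (curl's "self signed certificate in certificate chain"), and with the root given as an explicit trust anchor, which is what wget's `--ca-certificate` or curl's `--cacert` does instead of disabling verification. The names Example Org Root CA and ca.example.test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a scratch private CA, a server cert it
# signs, and three openssl verify runs that reproduce the two error texts
# seen above. Names (Example Org Root CA, ca.example.test) are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf;
# v3_ca marks the root as a CA, which openssl verify requires of a trust anchor.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed organization root: the kind of CA found in no public bundle.
make_private_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 2 \
        -subj "/O=Example Org/CN=Example Org Root CA" 2>/dev/null
}

# Server certificate for the host, signed by that private root.
issue_server_cert() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/CN=ca.example.test" 2>/dev/null &&
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 2 \
        -out "$WORK/srv.crt" 2>/dev/null
}

# Verify the server cert with extra openssl verify arguments; prints the
# X509 verify error number, or 0 when the chain is trusted.
verify_leaf() {
    out=$(openssl verify "$@" "$WORK/srv.crt" 2>&1) || true
    case "$out" in
        *": OK"*) echo 0 ;;
        *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

make_private_ca && issue_server_cert || exit 1
echo "default store only:     error $(verify_leaf)"                           # 20: unable to get local issuer
echo "root only in the chain: error $(verify_leaf -untrusted "$WORK/ca.crt")" # 19: self signed cert in chain
echo "root as trust anchor:   error $(verify_leaf -CAfile "$WORK/ca.crt")"    # 0: OK
```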