Hello. I'm trying to downlaod files from a https server using aria2. But it says unable to get local issuer certificate. See attachments, arguments.jpg and error.jpg.
Hello tujikawa. Thanks for answering. I thought that a .cer file was a file of pem format but with a different extension, maybe I'm wrong... But anyway, do you know how to get a certificate of pem format?
Another question. The file I give --ca-certificate as input is the certificate of the server where I try to download files from. Is this correct?
Regards
Øyvind
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Ok. I see that I've misunderstood the use of --ca-certificate. Thank you for clearifying that. To create a ca certificate, do I use the remote server certificate to create it?
Regards
Øyvind
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
If server certificate is signed by well-known CA, then usually you can use OS bundled ca-certificates.crt (/etc/ssl/certs/ca-certificates.crt for Debian).
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi. I have still not mamanged to get aria2 to work on https. When I run aria on http as in (attachment:certificate_false.jpg) everything works fine. But when I run aria on https as in (attachment:certificate_true.jpg) aria2 fails with message: unable to get local issuer certificate. Any idea?
Can you send me an example of how a decrypted ca certificate should look like? (I guess mine is of wrong format...?)
Regards
Øyvind Olsen
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi. I have one more question. Where should the physical placement of the ca certificate be. Should it be placed on the server or the client. I have placed it on the client where I call aria2. Is this correct?
Regards
Øyvind Olsen
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
CA certs should be placed on the client side so that aria2 can read it.
You can download PEM fomat certificates from browser.
I attached the certificate chain downloaded from sourceforge.net.
With this file, aria2 should download index page of sf.net:
The CN field in sourceforge.net certificate uses wildcard and aria2 started to support this since 1.15.0. If you are using old aria2, upgrade to the latest version.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I'm still having a problem downloading a file via https. I get the following error:
-> [SocketCore.cc:888] errorCode=1 Certificate verification failed. Cause: unable to get local issuer certificate See --ca-certificate and --check-certificate option.
On the server side I have set the directory security to Require secure channel (SSL) abd require 128-bit encryption and accept client certificates under 'Client certificates'
Do you think the certificate is still wrong? If I send you the certificate, will you be able to check if it is of correct format?
Regards
Øyvind Olsen
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
The error means the client (aria2) could not verify the server's certificate and it is not relevant to client certificate.
First try using --check-certificate=false option, which ignores this kind of error.
About client certificate, if it is not confidential, send me and I'll try to check it out.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
--ca-certificate option only accepts PEM format. Seeing .cer extension in argument.JPG, I guess it is CER format and not PEM format.
Hello tujikawa. Thanks for answering. I thought that a .cer file was a file of pem format but with a different extension, maybe I'm wrong... But anyway, do you know how to get a certificate of pem format?
Another question. The file I give --ca-certificate as input is the certificate of the server where I try to download files from. Is this correct?
Regards
Øyvind
Google search result shows the following command:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Specifically, it is not the certificate of the server.
It is the CA certificates to verify the remote server.
Ok. I see that I've misunderstood the use of --ca-certificate. Thank you for clearifying that. To create a ca certificate, do I use the remote server certificate to create it?
Regards
Øyvind
If server certificate is signed by well-known CA, then usually you can use OS bundled ca-certificates.crt (/etc/ssl/certs/ca-certificates.crt for Debian).
Hi. I have still not mamanged to get aria2 to work on https. When I run aria on http as in (attachment:certificate_false.jpg) everything works fine. But when I run aria on https as in (attachment:certificate_true.jpg) aria2 fails with message: unable to get local issuer certificate. Any idea?
Can you send me an example of how a decrypted ca certificate should look like? (I guess mine is of wrong format...?)
Regards
Øyvind Olsen
Hi. I have one more question. Where should the physical placement of the ca certificate be. Should it be placed on the server or the client. I have placed it on the client where I call aria2. Is this correct?
Regards
Øyvind Olsen
CA certs should be placed on the client side so that aria2 can read it.
You can download PEM fomat certificates from browser.
I attached the certificate chain downloaded from sourceforge.net.
With this file, aria2 should download index page of sf.net:
$ aria2c https://sourceforge.net --ca-certificate sf.net.pem
Hello and thamks for your answear. I downloaded the pem file and ran the commandline. But I got an error message: Hostname not match...
I have attached a file.
Regards
Øyvind Olsen
The CN field in sourceforge.net certificate uses wildcard and aria2 started to support this since 1.15.0. If you are using old aria2, upgrade to the latest version.
I upgraded aria2 to 1.15.0 and it worked. My version was 1.9.5. Could you tell me the steps how to make a pem certificate?
Regards
Øyvind Olsen
Do you mean CA's certificate?
The simple way to get CA certificates is use the file the OS provides. I don't know Windows provides this.
To make CA certificates,
you can download http://ftp.de.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20120212.tar.gz
and unpack. Cd to mozilla directory and run make. Then run
cat *.crt > ca-certificates.crtThe generated ca-certificates.crt has the bunch of CA certificates in PEM format.
I'm still having a problem downloading a file via https. I get the following error:
-> [SocketCore.cc:888] errorCode=1 Certificate verification failed. Cause: unable to get local issuer certificate See --ca-certificate and --check-certificate option.
On the server side I have set the directory security to Require secure channel (SSL) abd require 128-bit encryption and accept client certificates under 'Client certificates'
Do you think the certificate is still wrong? If I send you the certificate, will you be able to check if it is of correct format?
Regards
Øyvind Olsen
The error means the client (aria2) could not verify the server's certificate and it is not relevant to client certificate.
First try using --check-certificate=false option, which ignores this kind of error.
About client certificate, if it is not confidential, send me and I'll try to check it out.