#274 unable to download files from https server

Undecided
open
nobody
windows (3)
5
2012-10-06
2012-03-29
No

Hello. I'm trying to downlaod files from a https server using aria2. But it says unable to get local issuer certificate. See attachments, arguments.jpg and error.jpg.

Regards
Øyvind Olsen

Discussion

  • Øyvind Olsen

    Øyvind Olsen - 2012-03-29
     
  • Øyvind Olsen

    Øyvind Olsen - 2012-03-29
     
  • tujikawa

    tujikawa - 2012-03-29

    --ca-certificate option only accepts PEM format. Seeing .cer extension in argument.JPG, I guess it is CER format and not PEM format.

     
  • Øyvind Olsen

    Øyvind Olsen - 2012-03-30

    Hello tujikawa. Thanks for answering. I thought that a .cer file was a file of pem format but with a different extension, maybe I'm wrong... But anyway, do you know how to get a certificate of pem format?
    Another question. The file I give --ca-certificate as input is the certificate of the server where I try to download files from. Is this correct?

    Regards
    Øyvind

     
  • tujikawa

    tujikawa - 2012-03-30

    anyway, do you know how to get a certificate of pem format?

    Google search result shows the following command:

    openssl x509 -inform der -in certificate.cer -out certificate.pem

    Another question. The file I give --ca-certificate as input is the
    certificate of the server where I try to download files from. Is this
    correct?

    Specifically, it is not the certificate of the server.
    It is the CA certificates to verify the remote server.

     
  • Øyvind Olsen

    Øyvind Olsen - 2012-03-30

    Ok. I see that I've misunderstood the use of --ca-certificate. Thank you for clearifying that. To create a ca certificate, do I use the remote server certificate to create it?

    Regards
    Øyvind

     
  • tujikawa

    tujikawa - 2012-03-30

    If server certificate is signed by well-known CA, then usually you can use OS bundled ca-certificates.crt (/etc/ssl/certs/ca-certificates.crt for Debian).

     
  • Øyvind Olsen

    Øyvind Olsen - 2012-04-16

    Hi. I have still not mamanged to get aria2 to work on https. When I run aria on http as in (attachment:certificate_false.jpg) everything works fine. But when I run aria on https as in (attachment:certificate_true.jpg) aria2 fails with message: unable to get local issuer certificate. Any idea?
    Can you send me an example of how a decrypted ca certificate should look like? (I guess mine is of wrong format...?)

    Regards
    Øyvind Olsen

     
  • Øyvind Olsen

    Øyvind Olsen - 2012-04-18

    Hi. I have one more question. Where should the physical placement of the ca certificate be. Should it be placed on the server or the client. I have placed it on the client where I call aria2. Is this correct?

    Regards
    Øyvind Olsen

     
  • tujikawa

    tujikawa - 2012-04-19

    CA certs should be placed on the client side so that aria2 can read it.
    You can download PEM fomat certificates from browser.
    I attached the certificate chain downloaded from sourceforge.net.
    With this file, aria2 should download index page of sf.net:

    $ aria2c https://sourceforge.net --ca-certificate sf.net.pem

     
  • tujikawa

    tujikawa - 2012-04-19
     
  • Øyvind Olsen

    Øyvind Olsen - 2012-04-19

    Hello and thamks for your answear. I downloaded the pem file and ran the commandline. But I got an error message: Hostname not match...

    I have attached a file.

    Regards
    Øyvind Olsen

     
  • tujikawa

    tujikawa - 2012-04-22

    The CN field in sourceforge.net certificate uses wildcard and aria2 started to support this since 1.15.0. If you are using old aria2, upgrade to the latest version.

     
  • Øyvind Olsen

    Øyvind Olsen - 2012-04-23

    I upgraded aria2 to 1.15.0 and it worked. My version was 1.9.5. Could you tell me the steps how to make a pem certificate?

    Regards
    Øyvind Olsen

     
  • tujikawa

    tujikawa - 2012-04-24

    Do you mean CA's certificate?
    The simple way to get CA certificates is use the file the OS provides. I don't know Windows provides this.

    To make CA certificates,
    you can download http://ftp.de.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20120212.tar.gz
    and unpack. Cd to mozilla directory and run make. Then run cat *.crt > ca-certificates.crt
    The generated ca-certificates.crt has the bunch of CA certificates in PEM format.

     
  • tujikawa

    tujikawa - 2012-09-29
    • labels: --> windows
    • milestone: 1.2.x_(windows) --> Undecided
     
  • Øyvind Olsen

    Øyvind Olsen - 2012-10-05

    I'm still having a problem downloading a file via https. I get the following error:
    -> [SocketCore.cc:888] errorCode=1 Certificate verification failed. Cause: unable to get local issuer certificate See --ca-certificate and --check-certificate option.

    On the server side I have set the directory security to Require secure channel (SSL) abd require 128-bit encryption and accept client certificates under 'Client certificates'

    Do you think the certificate is still wrong? If I send you the certificate, will you be able to check if it is of correct format?

    Regards
    Øyvind Olsen

     
  • tujikawa

    tujikawa - 2012-10-06

    The error means the client (aria2) could not verify the server's certificate and it is not relevant to client certificate.
    First try using --check-certificate=false option, which ignores this kind of error.
    About client certificate, if it is not confidential, send me and I'll try to check it out.

     

Log in to post a comment.