From: Hanspeter N. <fi...@sn...> - 2017-01-04 11:47:34
On 1/2/17 9:19 AM, Derek Homeier wrote:
> Hi,
>
> I want to check if I am doing something very stupid here, since I am unable to properly
> use any apps linking to openssl100-shlibs (among others wget and python) since approximately
> the update to openssl-1.0.2, as it refuses to accept almost any host certificate:
>
> ariel:15579> curl -O https://www.openssl.org/source/openssl-1.0.2j.tar.gz
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 100 5183k 100 5183k 0 0 985k 0 0:00:05 0:00:05 --:--:-- 1266k
> ariel:15580> wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
> --2017-01-02 15:03:01-- https://www.openssl.org/source/openssl-1.0.2j.tar.gz
> Resolving www.openssl.org... 2600:1406:1a:38f::c1e, 2600:1406:1a:38e::c1e, 104.91.180.27
> Connecting to www.openssl.org|2600:1406:1a:38f::c1e|:443... connected.
> ERROR: cannot verify www.openssl.org's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
> Unable to locally verify the issuer's authority.
> To connect to www.openssl.org insecurely, use `--no-check-certificate'.

According to 'fink info wget', you have to edit .wgetrc so that wget
knows about the ca-bundle certificates.

1. Install the 'ca-bundle' package.
2. If you don't currently have $HOME/.wgetrc, generate it via

   cp /sw/etc/wgetrc $HOME/.wgetrc

3. Edit $HOME/.wgetrc with your favorite text editor and add the following line to it:

   ca_certificate = /sw/etc/ssl/certs/ca-bundle.crt

I can confirm that wget fails here similarly to you before the edit,
and downloads fine after the change.

Hanspeter
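
A check for the setting described in the message above, as an added example that is not part of the original post or of fink: it reads a wgetrc, finds the effective `ca_certificate` value, and reports whether it points at a readable PEM bundle. The function names and status words are assumptions of this example.

```shell
#!/bin/sh
# Added example: does a wgetrc point wget at a readable PEM CA bundle?
# Status words (unset, missing, not-pem, ok) are this example's own convention.

# Print the value of the last ca_certificate setting in wgetrc file $1.
# wgetrc command names are case-, underscore- and dash-insensitive, so the
# name is normalised before comparing; lines starting with '#' are comments.
wgetrc_ca_path() {
    awk '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t_-]/, "", name)
            if (name != "cacertificate") next
            value = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            found = value
        }
        END { if (found != "") print found }
    ' "$1"
}

# Print one status word for wgetrc file $1; return 0 only for "ok".
wgetrc_ca_status() {
    [ -r "$1" ] || { echo unset; return 1; }
    bundle=$(wgetrc_ca_path "$1")
    [ -n "$bundle" ] || { echo unset; return 1; }
    [ -r "$bundle" ] || { echo missing; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle" || { echo not-pem; return 1; }
    echo ok
}

# Constructed demo in a temp dir: same wgetrc before and after the bundle exists.
demo=$(mktemp -d)
printf 'CA-Certificate = %s/ca-bundle.crt\n' "$demo" > "$demo/wgetrc"
echo "before: $(wgetrc_ca_status "$demo/wgetrc")"
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed placeholder)' \
    '-----END CERTIFICATE-----' > "$demo/ca-bundle.crt"
echo "after:  $(wgetrc_ca_status "$demo/wgetrc")"
rm -rf "$demo"
```

To check a real configuration, call `wgetrc_ca_status "$HOME/.wgetrc"`. The check only looks for a PEM header in the bundle; it does not confirm that the bundle contains the issuer of any particular server certificate.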