On Sat, Dec 9, 2023 at 2:38 AM David Hadas <david.ha...@gmail.com> wrote:
>
> Using mTLS with self signed certificates with various tools, it seems wget
> misbehaves and does not add a legitimate self signed CA provided with the
> --ca-certificate flag to the ca pool used internally.
> (I expect that the same issue exists with TLS).
>
> The CA pem is legitimate and well structured as it is used successfully
> with other tools: (1) curl (see below), (2) standard go client and server.

Please show your CA certificate. Issue:

    openssl x509 -in <your ca> -inform PEM -text -noout

The command assumes your cert is in PEM format.

> Wget indicates "Self-signed certificate encountered" as an output although
> the CA pem is provided using --ca-certificate
> Wget provides the same response with and without the --ca-certificate...
>
> [...]
> ERROR: cannot verify
> myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud's
> certificate, issued by ‘CN=test,O=test.research.ibm.com’:
> Self-signed certificate encountered.

This may be a different problem. It sounds like the chain is
malformed, but you have not shown the chain. It may be due to your CA
cert, or it may not.

Please show the output of the TLS handshake. Issue:

    export host=myapp-default.myos-e621c7d733ece1fad737ff54a8912822-0000.us-south.containers.appdomain.cloud
    openssl s_client -connect ${host}:443 -servername ${host} -showcerts

Jeff