On Wed, Oct 18, 2017 at 7:58 PM, Jeffrey Walton wrote:
> On Mon, Oct 16, 2017 at 4:52 AM, Tim Rühsen wrote:
>> ...
>>
>> Caveat: wget has been built with GnuTLS (3.5.15). The OpenSSL (1.1.0f)
>> code seems not to support --ca-directory !? It succeeds with
On Mon, Oct 16, 2017 at 4:52 AM, Tim Rühsen wrote:
> ...
>
> Caveat: wget has been built with GnuTLS (3.5.15). The OpenSSL (1.1.0f)
> code seems not to support --ca-directory !? It succeeds with both the
> above tests. While we only actively support GnuTLS, we accept OpenSSL
>
On Mon, Oct 16, 2017 at 4:52 AM, Tim Rühsen wrote:
> Hi Jeffrey,
> ...
> Caveat: wget has been built with GnuTLS (3.5.15). The OpenSSL (1.1.0f)
> code seems not to support --ca-directory !? It succeeds with both the
> above tests. While we only actively support GnuTLS, we
Hi Jeffrey,
I can't reproduce your issue on the first try (Debian unstable here).
That means the issuer's cert (DST Root CA X3,O=Digital Signature Trust
Co.) is part of the system's CA cert store.
$ ls -la /etc/ssl/certs/*X3*
lrwxrwxrwx 1 root root 53 27-10-11 09:39:52
So it looks like the behavior below is inherited from OpenSSL:
$ openssl s_client -connect ftp.gnu.org:443 -servername ftp.gnu.org
-CAfile ~/.cacert/lets-encrypt-root-x3.pem
CONNECTED(0003)
...
Verify return code: 2 (unable to get issuer certificate)
However, OpenSSL also has -partial-chain
I'm having trouble downloading tarballs from ftp.gnu.org using wget.
wget --ca-certificate="$HOME/.cacert/lets-encrypt-root-x3.pem"
"https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -O
libunistring-0.9.7.tar.gz
--2017-10-14 17:59:40--