[kwlug-disc] wget and --no-check-certificates with Unlimitel

Bob Jonkman bjonkman at sobac.com
Sun Jun 5 16:16:12 EDT 2011


Where does wget keep its list of certificate authorities?  According to 
http://wiki.openwrt.org/doc/howto/wget-ssl-certs that should be 
/etc/ssl/certs -- does this contain an entry for GeoTrust with 
"/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA"?  My /etc/ssl/certs contains 
not only .crt files, but contains many links to .pem files stored 
elsewhere.  Does wget follow links, or does it only read actual files?

Chances are that Unlimitel and Primus do not use the same CA, but your 
wget did have CA credentials for unlimitel.ca's CA.

The OpenWRT page gives links to some other bugs in wget as well, which 
might be relevant.

--Bob.

(I've pasted the orginal conversation to the bottom of this message, as 
I needed the text of the orginal error message.  I am easily confused; I 
need the extra help of contextual quoting)



On 11-06-05 12:10 AM, Paul Nijjar wrote:
> On Sat, Jun 04, 2011 at 11:57:18PM -0400, Bob Jonkman wrote:
>> If the certificate is issued to primus.ca, but the URL you're accessing
>> is unlimitel.ca then you'll get errors.  But I don't know if that's the
>> meaning of "Unable to locally verify the issuer's authority".
>>
>> Unlimitel was recently bought by Primus, so up to now they may have been
>> using certificates issued to unlimitel.ca, which matches the URL.
> Here is what Firefox reports about the cert (at
> https://api.unlimitel.ca):
>
> Issued To
> Common Name (CN)		*.unlimitel.ca
> Organization (O)		Primus Telecommunications Canada Inc
> Organizational Unit (OU)	<Not Part Of Certificate>
> Serial Number			00:82:F5
>
> Issued By
> Common Name (CN)		GeoTrust SSL CA
> Organization (O)		GeoTrust, Inc.
> Organizational Unit (OU)	<Not Part Of Certificate>
>
> Validity
> Issued On			4/3/2011
> Expires On			4/6/2014
>
> There is fingerprint information too, but you could look that up.
>
> This suggests that the certs should not give me errors (and they don't
> in Firefox) but that they have been changed with the sale to Primus.
>
> However, I don't know why this would make wget confused.

Bob Jonkman wrote:
> If the certificate is issued to primus.ca, but the URL you're 
> accessing is unlimitel.ca then you'll get errors.  But I don't know if 
> that's the meaning of "Unable to locally verify the issuer's authority".
>
> Unlimitel was recently bought by Primus, so up to now they may have 
> been using certificates issued to unlimitel.ca, which matches the URL.
>
> --Bob.
>
> On 11-06-04 10:05 PM, Paul Nijjar wrote:
>> I am using Unlimitel's API to get information about our accounts. The
>> API is documented here:
>>
>> http://www.unlimitel.ca/temp/support/voip_support/api-documentation-v2.pdf 
>>
>>
>> Here is the line in question, with our customer number suitably
>> masked:
>>
>> wget https://api.unlimitel.ca/getlastmonthcdr.php?custnum=XXXXX
>>
>> This used to work fine last month. This month wget gives me the
>> following errors:
>>
>> Resolving api.unlimitel.ca... 216.254.136.108
>> Connecting to api.unlimitel.ca|216.254.136.108|:443... connected.
>> ERROR: cannot verify api.unlimitel.ca's certificate, issued by
>> `/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA':
>>    Unable to locally verify the issuer's authority.
>> To connect to api.unlimitel.ca insecurely, use
>> `--no-check-certificate'.
>> Unable to establish SSL connection.
>>
>> The "--no-check-certificate" option works, but it is scary.
>>
>> I don't know what wget is trying to do that fails.
>>
>> I am not sure what has changed on Unlimitel's side. It looks like the
>> certificates belong to Primus, and have a "notbefore" field of
>> "4/3/2011" -- so April 3 2011?  (Good grief. ISO 8601 is a good idea,
>> people.) I guess this means something changed with the cert since the
>> last time this script ran?
>>
>> I would appreciate any of the following:
>> - Confirmation that something is wrong
>> - An explanation of what is wrong and the best way to fix it
>> - Whether I should just give in and se the --no-check-certificate
>>    option.
>>
>>
>>
>> - Paul




More information about the kwlug-disc mailing list