Wget ssl error

I am trying to download files from an https site and keep getting the following error:

OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.

From reading blogs online I gather I have to provide the server cert and the client cert. I have found steps on how to download the server cert but not the client cert. Does anyone have a complete set of steps to use wget with SSL? I also tried the --no-check-certificate option but that did not work.

wget version: wget-1.13.4
openssl version: OpenSSL 1.0.1f 6 Jan 2014

Trying to download all lecture resources from a course's webpage on coursera.org. So, the URL would look something like this: https://class.coursera.org/matrix-002/lecture

Accessing this webpage online requires form authentication, not sure if that is causing the failure.

asked Jun 13, 2015 at 10:56

sotn

3

It works from here with same OpenSSL version, but a newer version of wget (1.15). Looking at the Changelog there is the following significant change regarding your problem:

1.14: Add support for TLS Server Name Indication.

Note that this site does not require SNI. But www.coursera.org requires it.
And if you would call wget with -v --debug (as I’ve explicitly recommended in my comment!) you will see:

$ wget https://class.coursera.org
...
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
...
Location: https://www.coursera.org/ [following]
...
Connecting to www.coursera.org (www.coursera.org)|54.230.46.78|:443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.

So the error actually happens with www.coursera.org and the reason is missing support for SNI. You need to upgrade your version of wget.

answered Jun 14, 2015 at 6:48

Steffen Ullrich
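
The diagnosis in the answer above depends on reading which host the handshake failed against once the redirect was followed. As an added example (not part of the original answer), this shell function pulls the failing host, the number of redirects followed and the error class out of wget output; the sample log is constructed from the output quoted above with documentation-range IP addresses, and the function and label names are hypothetical.

```shell
#!/bin/sh
# Added example: report which host a wget TLS failure belongs to.

# Constructed sample, modelled on the wget output quoted in the answer.
sample_log() {
cat <<'EOF'
Connecting to class.coursera.org (class.coursera.org)|192.0.2.10|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
Location: https://www.coursera.org/ [following]
Connecting to www.coursera.org (www.coursera.org)|192.0.2.20|:443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.
EOF
}

# Reads wget output on stdin and prints "<host> <redirects> <reason>".
# Exits non-zero when the log contains no TLS failure.
tls_failure_host() {
  awk '
    # The most recent "Connecting to" line names the host being negotiated.
    /^Connecting to /                     { host = $3 }
    /^Location: .*\[following\]/          { hops++ }
    /alert handshake failure/             { reason = "handshake-alert" }
    /Unable to locally verify the issuer/ { reason = "unknown-issuer" }
    /Self-signed certificate encountered/ { reason = "self-signed" }
    /^Unable to establish SSL connection/ { failed = 1 }
    /^ERROR: cannot verify /              { failed = 1 }
    END {
      if (!failed) exit 1
      print host, hops + 0, (reason ? reason : "unknown")
    }
  '
}
```

Feed it real output with `wget -v --debug URL 2>&1 | tls_failure_host`; a host that differs from the one in the URL means the failure is on a redirect target.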

3

You probably have an old version of wget. I suggest installing wget using Chocolatey, the package manager for Windows. This should give you a more recent version (if not the latest).

Run this command after having installed Chocolatey (as Administrator):

choco install wget

answered Dec 12, 2018 at 18:35

Pheelbert

1

I was in SLES12 and for me it worked after upgrading to wget 1.14, using --secure-protocol=TLSv1.2 and using --auth-no-challenge.

wget --no-check-certificate --secure-protocol=TLSv1.2 --user=satul --password=xxx --auth-no-challenge -v --debug https://jenkins-server/artifact/build.x86_64.tgz

answered Feb 12, 2018 at 8:50

Atul Soman

3

One alternative is to replace the "https" with "http" in the URL that you're trying to download from to just circumvent the SSL connection. Not the most secure solution, but this worked in my case.

answered Mar 15, 2018 at 13:44

JohnnyUtah

1

I was having this problem on Ubuntu 12.04.3 LTS (well beyond EOL, I know…) and got around it with:

sudo apt-get update && sudo apt-get install ca-certificates

answered Apr 24, 2018 at 16:52

jaybrau

Basically your OpenSSL uses SSLv3 and the site you are accessing does not support that protocol.

Just update your wget:

sudo apt-get install wget

Or if it already supports another secure protocol, just add it as an argument:

wget https://example.com --secure-protocol=PROTOCOL_v1

answered Aug 28, 2017 at 2:18

Rad Apdal

Otherwise, it might be simpler to use curl instead.
There is no particular need to specify any option, and it can be simply:

curl https://example.com/filename.zip

With curl there is no need to add the -v option when facing the wget SSL error.

answered Sep 6, 2021 at 5:52

Taurus Bond

2

Same problem as wget interrupted by a certificate problem:

After do-release-upgrade from 16.04 to 18.01

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. 
Check your Internet connection or proxy settings

wget https://changelogs.ubuntu.com/meta-release-lts

--2018-09-15 08:03:41--  https://changelogs.ubuntu.com/meta-release-lts
Resolving changelogs.ubuntu.com (changelogs.ubuntu.com)... 91.189.95.15, 2001:67c:1560:8008::11
Connecting to changelogs.ubuntu.com (changelogs.ubuntu.com)|91.189.95.15|:443... connected.
ERROR: cannot verify changelogs.ubuntu.com's certificate, issued by ‘CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US’:
  Unable to locally verify the issuer's authority.
To connect to changelogs.ubuntu.com insecurely, use `--no-check-certificate'.

Also (as root):

# update-ca-certificates

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

# wget https://www.google.com/

--2018-09-16 16:54:31--  https://www.google.com/
Resolving www.google.com (www.google.com)... 216.58.201.164, 2a00:1450:4003:80a::2004
Connecting to www.google.com (www.google.com)|216.58.201.164|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by ‘CN=Google Internet Authority G3,O=Google Trust Services,C=US’:
  Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.

Update 2018-10-23:

openssl s_client -connect www.google.com:443 -debug

fails

openssl s_client  -connect www.google.com:443 --debug --CApath /etc/ssl/certs/  

works

 wget https://www.google.com/  --ca-directory=/etc/ssl/certs/ 

works, so why is the default ca-directory not /etc/ssl/certs/, and how do I set it?

New Update and solved:

strace -e openat wget https://your-url

I saw that it was using /usr/local/lib/libssl.so.1.1, so I found one openssl installed on /usr/local, and after deleting it, the problem was fixed.

Thanks

Describe the bug
wget can’t download files from HTTPS server

To Reproduce
Steps to reproduce the behavior:

  1. sudo yum install wget
  2. wget https://dl.google.com/go/go1.11.4.linux-amd64.tar.gz
  3. it says GnuTLS: The request is invalid. Unable to establish SSL connection.

Expected behavior
Download destination file.

Additional context
curl worked fine with SSL.
So I guess it's not a WSL or server problem.
wget version is GNU Wget 1.20.1 built on linux-gnu..

WLinux Version

Fedora remix version : 1.0.24.0

Windows Build

C:\Users\CKDS>systeminfo | findstr /C:"OS"
OS Name: Microsoft Windows 10 Home
OS Version: 10.0.17134 N/A Build 17134
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
BIOS Version: American Megatrends Inc. 0606, 2018-08-31

WSL log

[root@CKDSPC doc]# yum -y install wget
Last metadata expiration check: 18:51:37 ago on Thu 10 Jan 2019 10:43:11 PM DST.
Dependencies resolved.
========================================================================================================================
 Package                 Arch                      Version                             Repository                  Size
========================================================================================================================
Installing:
 wget                    x86_64                    1.20.1-1.fc29                       updates                    736 k

Transaction Summary
========================================================================================================================
Install  1 Package

Total size: 736 k
Installed size: 3.0 M
Downloading Packages:
[SKIPPED] wget-1.20.1-1.fc29.x86_64.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                1/1
  Installing       : wget-1.20.1-1.fc29.x86_64                                                                      1/1
  Running scriptlet: wget-1.20.1-1.fc29.x86_64                                                                      1/1
  Verifying        : wget-1.20.1-1.fc29.x86_64                                                                      1/1

Installed:
  wget-1.20.1-1.fc29.x86_64

Complete!
[root@CKDSPC doc]# wget --version
GNU Wget 1.20.1 built on linux-gnu.

-cares +digest +gpgme +https +ipv6 +iri +large-file +metalink +nls
+ntlm +opie +psl +ssl/gnutls

Wgetrc:
    /etc/wgetrc (system)
Locale:
    /usr/share/locale
Compile:
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib
    -I/usr/include/p11-kit-1 -DHAVE_LIBGNUTLS -DNDEBUG -O2 -g -pipe
    -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
    -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
    -grecord-gcc-switches
    -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
    -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
    -fasynchronous-unwind-tables -fstack-clash-protection
    -fcf-protection
Link:
    gcc -I/usr/include/p11-kit-1 -DHAVE_LIBGNUTLS -DNDEBUG -O2 -g -pipe
    -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
    -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
    -grecord-gcc-switches
    -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
    -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
    -fasynchronous-unwind-tables -fstack-clash-protection
    -fcf-protection -Wl,-z,relro -Wl,-z,now
    -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -lmetalink -luuid
    -lidn2 -lnettle -lgnutls -lz -lpsl -L/usr/lib64 -lgpgme ftp-opie.o
    gnutls.o http-ntlm.o ../lib/libgnu.a

Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.
[root@CKDSPC doc]# wget https://dl.google.com/go/go1.11.4.linux-amd64.tar.gz
--2019-01-11 17:35:01--  https://dl.google.com/go/go1.11.4.linux-amd64.tar.gz
Resolving dl.google.com (dl.google.com)... 172.217.25.78, 2404:6800:4004:818::200e
Connecting to dl.google.com (dl.google.com)|172.217.25.78|:443... connected.
GnuTLS: The request is invalid.
Unable to establish SSL connection.
[root@CKDSPC doc]#

2 min read. Published 31.12.2021

Ignoring certificate verification errors when using wget.

Try accessing an address protected by a self-signed certificate.

$ wget --output-document - https://nextcloud.example.org
--2021-07-16 13:59:59--  https://nextcloud.example.org/
Resolving nextcloud.example.org (nextcloud.example.org)... 192.168.8.32
Connecting to nextcloud.example.org (nextcloud.example.org)|192.168.8.32|:443... connected.
ERROR: cannot verify nextcloud.example.org's certificate, issued by ‘CN=nextcloud.example.org’:
  Self-signed certificate encountered.
To connect to nextcloud.example.org insecurely, use `--no-check-certificate'.
$ wget --quiet --no-check-certificate  --output-document - https://nextcloud.example.org/robots.txt
User-agent: *
Disallow: /

Excerpt from the manual page.

[...]

--no-check-certificate
   Don't check the server certificate against the available certificate authorities.  Also don't require the URL host name to match the common name
   presented by the certificate.

   As of Wget 1.10, the default is to verify the server's certificate against the recognized certificate authorities, breaking the SSL handshake and
   aborting the download if the verification fails.  Although this provides more secure downloads, it does break interoperability with some sites
   that worked with previous Wget versions, particularly those using self-signed, expired, or otherwise invalid certificates.  This option forces an
   "insecure" mode of operation that turns the certificate verification errors into warnings and allows you to proceed.

   If you encounter "certificate verification" errors or ones saying that "common name doesn't match requested host name", you can use this option
   to bypass the verification and proceed with the download.  Only use this option if you are otherwise convinced of the site's authenticity, or if
   you really don't care about the validity of its certificate.  It is almost always a bad idea not to check the certificates when transmitting
   confidential or important data.  For self-signed/internal certificates, you should download the certificate and verify against that instead of
   forcing this insecure mode.  If you are really sure of not desiring any certificate verification, you can specify --check-certificate=quiet to
   tell wget to not print any warning about invalid certificates, albeit in most cases this is the wrong thing to do.

[...]
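
The manual excerpt recommends downloading a self-signed certificate and verifying against it rather than forcing the insecure mode. One way to do that, as an added example that is not from the original article: the function names are hypothetical, and the expected SHA-256 fingerprint is assumed to have been obtained out of band from the server's administrator.

```shell
#!/bin/sh
# Added example: trust one self-signed certificate instead of disabling checks.

# Normalise a fingerprint: drop a "... Fingerprint=" prefix, colons and
# whitespace, and upper-case the hex digits.
fp_normalize() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Succeeds only if both arguments are the same 64-hex-digit SHA-256 value.
fp_equal() {
  a=$(fp_normalize "$1"); b=$(fp_normalize "$2")
  [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Save the certificate the server presents; it is not trusted yet.
fetch_cert() {  # usage: fetch_cert host port outfile
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM >"$3"
}

# Download with verification left on, trusting only the pinned certificate.
pinned_wget() {  # usage: pinned_wget host expected_sha256 url
  pem=$(mktemp) || return 1
  fetch_cert "$1" 443 "$pem" || { rm -f "$pem"; return 1; }
  got=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
  if fp_equal "$got" "$2"; then
    wget --ca-certificate="$pem" --output-document - "$3"; rc=$?
  else
    echo "fingerprint mismatch for $1, refusing to download" >&2; rc=1
  fi
  rm -f "$pem"; return "$rc"
}
```

Because wget still checks the host name against the pinned certificate, a server presenting any other certificate fails the download instead of being silently accepted.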
