SSL CERTIFICATE CHECKS FAIL ALL THE TIME (git & wget & etc…)
###################################################
If you're trying to download something from GitHub with "git clone", or with wget from an https site, and you keep getting invalid certificate errors (even though you're downloading from legitimate places), your system doesn't have good ROOT CERTIFICATES to validate against. Fix this by installing the latest ROOT CERTIFICATES so that your system can verify the certificates the common download sites present.
NOTE: On Windows, Mac and certain Linux distros you don't need to do this, as the CA certs come prepackaged in the main install.
NOTE: when you go to an https site (or download a file from https), the SSL/TLS handshake fetches the server's certificate chain and verifies that it was issued by a legitimate source, i.e. that it chains up to one of your root certificates. If the chain doesn't validate you get warnings, such as the warning you get when browsing to a site with a self-signed certificate: the red lock in the URL bar, or a full-page browser warning.
With git, wget and curl you might get errors like these:
GIT error:
SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/username/ExcelANT.git/info/refs

WGET & CURL ERROR:
The certificate of `www.drupal.org' is not trusted.
ERROR: The certificate of `www.drupal.org' hasn't got a known issuer.
Workaround for git, curl & wget:
# wget and curl: skip the certificate check
wget --no-check-certificate https://www.example.com/some-file.txt
curl -k https://www.example.com/some-file.txt

# git: skip the certificate check
# For git it's more like this:
GIT_SSL_NO_VERIFY=true git clone https://www.github.com/some-user/some-program
# Or like this:
export GIT_SSL_NO_VERIFY=true
git clone https://www.github.com/some-user/some-program
# optionally you can put that export in ~/.bashrc
Those are just workarounds. If a site has a bad certificate it comes down to 1 of 2 things:
1. It should have a good certificate but you don't have the latest CA root certs installed on your box, so follow the method below to fix that.
2. It's truly a bad certificate. You can get past it with the workarounds above (at your own risk: those flags disable certificate verification entirely, so nothing checks who you are really talking to).
To get latest certs
To get the latest list of CA certs, download the latest ca-certificates package and install it.
But first get root access (or run every command with the "sudo" prefix):
# sudo -i
Most likely this command will do to install your root certs:
# apt-get install ca-certificates
# update-ca-certificates
Note you will need the prereqs (which you probably already have): openssl & debconf:
# apt-get install openssl
# apt-get install debconf
Now run your git & wget commands again and they should work.
REINSTALL
##########
If not, try to reinstall.
# apt-get install --reinstall ca-certificates
# update-ca-certificates
MAY NEED OTHER VERSION
########################
If that still doesn't help, you may have the package installed but be using a ca-certificates version that's compromised or modified for a specific use. You can check which version you have with:
# dpkg -l | grep ca-certificates
See all the versions available to apt-get (from the repos listed in /etc/apt/sources.list):
# apt-cache show ca-certificates
Or see just the version that will install (the candidate) next to the one currently installed:
# apt-cache policy ca-certificates
MANUAL INSTALL
###############
Or you can manually install the certificates from a trusted source:
STEP 1: wget the deb file
Here is a place for all Debian systems:
https://packages.debian.org/search?keywords=ca-certificates
I'll just use wheezy because it's compatible with my system:
https://packages.debian.org/wheezy/ca-certificates
Here is the list of download links (go to this site, pick a mirror, and right-click to copy its URL):
https://packages.debian.org/wheezy/all/ca-certificates/download
# wget http://ftp.us.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20130119_all.deb
NOTE (updated 2015-10-08): the above is from 2013; newer ones can be found here: http://ftp.us.debian.org/debian/pool/main/c/ca-certificates/. For example, here is the one from 2015:
# wget http://ftp.us.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20150426_all.deb
Note that the package contains a lot of root SSL certs, but also a binary called "update-ca-certificates" which is very useful. If you already have that binary, you can just extract the .deb file using:
ar x ca-certificates*deb
Then unpack the data.tar.* inside it and copy the certificates out to this folder on your system: /usr/share/ca-certificates/
After copying the certificates there just run:
# update-ca-certificates
STEP 2: install the .deb you downloaded with wget
# dpkg -i ca-certificates_20130119_all.deb
# update-ca-certificates
EXTRA INFO
###########
Note: in the end the ca-certificates deb file contains two things. First, the update-ca-certificates executable: if you already have it, you're set for that part (it is the program we run after installing or copying the certificates to /usr/share/ca-certificates). Second, the certificates themselves, which, as mentioned earlier, can be put to work once they are in the right directory, /usr/share/ca-certificates/. First copy the certs to /usr/share/ca-certificates and then run:
# update-ca-certificates
update-ca-certificates symlinks the certs in that directory into the system cert directory under /etc (/etc/ssl/certs) and builds the concatenated bundle there.
Note that the ca-certificates Debian package gets updated regularly with any new root certs or edits that need to be made.
UPDATE-CA-CERTIFICATES
########################
Here is a description from the man page of what update-ca-certificates does:
This manual page documents briefly the update-ca-certificates command.
update-ca-certificates is a program that updates the directory
/etc/ssl/certs to hold SSL certificates and generates certificates.crt,
a concatenated single-file list of certificates.
It reads the file /etc/ca-certificates.conf. Each line gives a pathname
of a CA certificate under /usr/share/ca-certificates that should be
trusted. Lines that begin with “#” are comment lines and thus ignored.
Lines that begin with “!” are deselected, causing the deactivation of
the CA certificate in question. Certificates must have a .crt extension
in order to be included by update-ca-certificates.
Furthermore all certificates with a .crt extension found below
/usr/local/share/ca-certificates are also included as implicitly
trusted.
Before terminating, update-ca-certificates invokes run-parts on
/etc/ca-certificates/update.d and calls each hook with a list of
certificates: those added are prefixed with a +, those removed are
prefixed with a -.
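To make that man page text concrete, here is an added example (my own small shell re-implementation, not the Debian script) of the selection rules it describes: the conf file, '#' comments, '!' deselection, the .crt extension rule and the implicitly trusted local directory. All four paths are parameters, on the assumption that you run it against a scratch directory rather than the real /etc, and the hash-named links the real tool also creates are left out.

```shell
#!/bin/sh
# mini_update_ca_certificates CONF SHARE_DIR LOCAL_SHARE_DIR ETC_CERTS_DIR
# Follows the man page text: CONF lists paths relative to SHARE_DIR, '#' lines
# are comments, '!' lines are deselected, only *.crt is eligible, and every
# *.crt below LOCAL_SHARE_DIR is implicitly trusted. Output: one <name>.pem
# symlink per trusted cert in ETC_CERTS_DIR plus the concatenated bundle
# ETC_CERTS_DIR/ca-certificates.crt. Prints +path / -path like the hook list.
mini_update_ca_certificates() {
    conf=$1; share=$2; local_share=$3; etc=$4
    bundle=$etc/ca-certificates.crt
    mkdir -p "$etc"
    : > "$bundle.new"
    added=0; removed=0

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                  # blank line or comment
            '!'*)                                 # deselected: drop a stale link
                rel=${line#\!}
                link=$etc/$(basename "$rel" .crt).pem
                if [ -L "$link" ]; then
                    rm -f "$link"; removed=$((removed + 1)); echo "-$rel"
                fi
                continue ;;
            *.crt) ;;                             # eligible, fall through
            *) continue ;;                        # wrong extension: ignored
        esac
        [ -f "$share/$line" ] || continue         # listed but not shipped
        _mini_trust "$share/$line" "$etc" "$bundle.new"
        added=$((added + 1)); echo "+$line"
    done < "$conf"

    # Local admin certs: trusted without being listed in CONF.
    if [ -d "$local_share" ]; then
        find "$local_share" -type f -name '*.crt' | sort > "$etc/.local.lst"
        while IFS= read -r src; do
            _mini_trust "$src" "$etc" "$bundle.new"
            added=$((added + 1)); echo "+$src"
        done < "$etc/.local.lst"
        rm -f "$etc/.local.lst"
    fi
    mv "$bundle.new" "$bundle"
    # The real tool now runs the hooks in /etc/ca-certificates/update.d with
    # that +/- list and adds hash-named links for OpenSSL lookup; omitted here.
    echo "$added added, $removed removed"
}

# Symlink one certificate into ETC_CERTS_DIR as <name>.pem and append it to the bundle.
_mini_trust() {
    ln -sf "$1" "$2/$(basename "$1" .crt).pem"
    cat "$1" >> "$3"
}
```

Feed it a conf with a '!' line for a root you do not want and you can see exactly why a deselected CA disappears from /etc/ssl/certs on the next run, which is the same place to look when you suspect a modified ca-certificates build.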
LIST OF FILES IN A GOOD VERSION OF ca-certificates
##########################################
This is for the following version:
Package: ca-certificates
Version: 20130119
Architecture: all
# dpkg -L ca-certificates
SUMMARY OF COMMANDS
####################
Here are the two good methods discussed above.
With APT-GET
=============
sudo -i
apt-get install openssl
apt-get install debconf
apt-get install ca-certificates
update-ca-certificates
MANUAL
=======
# METHOD WORKS: if you already have ca-certificates installed from another vendor/source
cd ~
mkdir certs
cd certs
wget http://ftp.us.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20130119_all.deb
dpkg -i ca-certificates_20130119_all.deb
update-ca-certificates
OTHER MANUAL METHOD
====================
Extract the Debian package and manually copy the certificates.
# METHOD WORKS: if you already have ca-certificates installed from another vendor/source
cd ~
mkdir certs
cd certs
wget http://ftp.us.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20130119_all.deb
ar x ca-certificates_20130119_all.deb
tar xf data.tar.gz
tar xf control.tar.gz
# Now look for your certificates (they unpack under ./usr/share/ca-certificates/) and copy them to /usr/share/ca-certificates
# Then run:
update-ca-certificates