Tell me how to avoid using --no-check-certificate in Wget so that there is neither "ERROR" nor "WARNING". This happens on Windows.

ERROR

    set https_proxy=http://192.168.1.1:80
    set use_proxy=on
    M:\Distrib\Wget\wget.exe --secure-protocol=TLSv1 https://wm.exchanger.ru/asp/XMLWMList.asp?exchtype=7 --output-file=log.txt --output-document=M:\XML\XMLWMList7.xml

log.txt :

    --2015-05-28 07:23:27-- https://wm.exchanger.ru/asp/XMLWMList.asp?exchtype=7
    Connecting to 192.168.1.1:80... connected.
    **ERROR**: cannot verify wm.exchanger.ru's certificate, issued by 'CN=Network Solutions OV Server CA 2,O=Network Solutions LLC,L=Herndon,ST=VA,C=US':
      Unable to locally verify the issuer's authority.
    To connect to wm.exchanger.ru insecurely, use `--no-check-certificate'.

WARNING

    set https_proxy=http://192.168.1.1:80
    set use_proxy=on
    M:\Distrib\Wget\wget.exe --secure-protocol=TLSv1 --no-check-certificate https://wm.exchanger.ru/asp/XMLWMList.asp?exchtype=7 --output-file=log.txt --output-document=M:\XML\XMLWMList7.xml

log.txt :

    --2015-05-28 07:26:04-- https://wm.exchanger.ru/asp/XMLWMList.asp?exchtype=7
    Connecting to 192.168.1.1:80... connected.
    **WARNING**: cannot verify wm.exchanger.ru's certificate, issued by 'CN=Network Solutions OV Server CA 2,O=Network Solutions LLC,L=Herndon,ST=VA,C=US':
      Unable to locally verify the issuer's authority.
    Proxy request sent, awaiting response... 200 OK
    Length: 12669 (12K) [text/xml]
    Saving to: 'M:/XML/XMLWMList7.xml'

    0K .......... .. 100% 46.7K=0.3s

    2015-05-28 07:26:05 (46.7 KB/s) - 'M:/XML/XMLWMList7.xml' saved [12669/12669]

  • In wget, you can put frequently used options into some kind of environment variable (I don’t remember the exact name). Then there is no need to write this option on the command line. - Egor Skriptunoff
  • Are you talking about this?: set https_proxy=http://192.168.1.1:80 set use_proxy=on - that's what I do. - Max
  • No, I'm talking about the WGETRC variable, which points to the file that stores the settings. - Egor Skriptunoff
  • Interesting. And could you tell me how to correctly register a certificate? - Max
  • @EgorSkriptunoff, it is written somewhat differently in wgetrc. - Vladimir Martyanov

3 answers

You need to install a publisher certificate as a trusted publisher certificate. OpenSSL (whose library is used in wget) trusts the certificates installed in /etc/ssl/certs. The certificate itself, in PEM format, must be saved to a file with the .crt extension and put in /etc/ssl/certs. This should be enough, but if not, the path to the directory with certificates can be specified with the wget option --ca-directory=directory.

  • I am not on UNIX but on WINDOWS. 1. How do I download a .crt? 1.1. In Internet Explorer, go to the site - wm.exchanger.ru/asp/XMLWMList.asp?exchtype=7 - click the lock - View certificates - tab "Composition" - "Copy to file" - "Next" - and then what to choose? 2. What will the M:\Distrib\Wget\wget.exe ... line look like? Like this: M:\Distrib\Wget\wget.exe --secure-protocol=TLSv1 --ca-directory=M:\Certificate https://wm.exchanger.ru/asp/XMLWMList.asp?exchtype=7 --output-file=log.txt --output-document=M:\XML\XMLWMList7.xml ? - Max
  • I tried many options, added --certificate-type=PEM, saved certificates in different ways; it does not work. - Max
  • wget has another option, --ca-certificate, with which you can specify a CA certificate. You do not need to specify the site certificate itself (especially as IE saves it in binary DER format, although it gives it the .crt extension). Try downloading ssl-tools.net/certificates/… and specifying it, without renaming, with the option --ca-certificate 440ff68a35e03995ac55e457a67eb1680f9a7cdd.pem - Outtruder
  • I tried many options again, one of them: M:\Distrib\Wget\wget.exe --secure-protocol=TLSv1 --ca-certificate=M:\Certificate\440ff68a35e03995ac55e457a67eb1680f9a7cdd.pem https://wm.exchanger.ru/asp/XMLWMList.asp?exchtype=7 --output-file=log.txt --output-document=M:\XML\XMLWMList7.xml - failed. And why do you need to download the certificate from the site ssl-tools.net and not from the site wm.exchanger.ru? - Max
  • It is also possible from wm.exchanger.ru - this site sends the entire chain of certificates. According to the description, wget allows you to specify trusted certificates of publishers, but not of the site itself. Therefore, you need the certificate of this CA, Network Solutions OV..., and in PEM format (IE will give it to you in DER). I compared the certificates from the chain sent by the site with those from ssl-tools.net - they are the same, and the problem is not in them. I have a suspicion that the wget you have installed has problems with verifying certificates in general (too old a version of the openssl library? - I don’t know ...) - Outtruder

Option to disable certificate checking: create a file with the name ".wgetrc", set the line check_certificate = off in it and put this file in the directory with wget.exe. Tested on wget 1.10.2

    Adding a comment did not work; I probably had a temporary account ...

    with the name ".wgetrc"

    WINDOWS doesn’t like to create, rename ... an unnamed file. I tried this:

        set https_proxy=http://192.168.1.1:80
        set use_proxy=on
        set check_certificate=off
        M:\Distrib\Wget\wget.exe --secure-protocol=TLSv1 https://wm.exchanger.ru/asp/XMLWMList.asp?exchtype=7 --output-file=log.txt --output-document=M:\XML\XMLWMList7.xml

    I thought set check_certificate=off would replace --no-check-certificate - it does not.

    Update

    Egor Skriptunoff - I could not add a comment; my question already seems not to be mine ...

    what's the point? just write --no-check-certificate to the parameter file

    • --no-check-certificate ... It is almost always a bad idea not to check certificates when transmitting confidential or important data; HTTPS (SSL/TLS) Options
    • Yes, and if it is possible to get rid of the WARNING - why not get rid of it.

    Update 2

    I beg your pardon, Outtruder: I could not add a comment; it says the reputation is not enough.

    I have a suspicion that the wget you installed generally has problems with verifying certificates (is the version of the openssl library too old? - I don’t know ...)

    • Do you have a script?
    • What keys?
    • Where did you get Wget?

      wget.exe -V> log.txt

    log.txt

        GNU Wget 1.16.3 built on mingw32.

        +digest +https +ipv6 +iri +large-file -nls +ntlm +opie -psl +ssl/openssl

        Wgetrc:
            M:\Distrib\Wget/.wgetrc (user)
            /usr/local/etc/wgetrc (system)
        Compile:
            i686-w64-mingw32-gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc" -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I/win32dev/misc/wget/out2/include -I/win32dev/misc/wget/out2/include -DNDEBUG -mtune=generic -mtune=intel
        Link:
            i686-w64-mingw32-gcc -DNDEBUG -mtune=generic -mtune=intel -L/win32dev/misc/wget/out2/lib -L/win32dev/misc/wget/out2/lib /win32dev/misc/wget/out2/lib/libiconv.a /win32dev/misc/wget/out2/lib/libssl.a /win32dev/misc/wget/out2/lib/libcrypto.a -lz -lws2_32 -lole32 -lgdi32 -lcrypt32 -lidn ftp-opie.o mswindows.o openssl.o http-ntlm.o ../lib/libgnu.a

        Copyright (C) 2014 Free Software Foundation, Inc.
        License GPLv3+: GNU GPL version 3 or later <http://www.gnu.org/licenses/gpl.html>.
        This is free software: you are free to change and redistribute it.
        There is NO WARRANTY, to the extent permitted by law.

        Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
        Please send bug reports and questions to <bug-wget@gnu.org>.

    I took the file "wget-1.16.3-win32.zip" from here: https://eternallybored.org/misc/wget/

    On the website http://www.gnu.org/software/wget/ I could not find it for some reason.

    • FAR works great with "untitled" files. - Vladimir Martyanov
    • Yes, I have neither Ubuntu nor FAR. Ubuntu - recently removed, did not like its next name. Instead of FAR, I use Folder Manager - renamed it, and it worked, but it behaved the same way as with --no-check-certificate: WARNING: ... I didn’t need to disable the check, I understood how to disable it; I need to prevent the WARNING. - Max
    • set another name via WGETRC - Egor Skriptunoff
    • In what sense? Another name for what exactly? I renamed the file to .wgetrc with Folder Manager; in the file: check_certificate=off; in the .cmd batch file: set https_proxy=http://192.168.1.1:80 set use_proxy=on M:\Distrib\Wget\wget.exe --secure-protocol=TLSv1 https://wm.exchanger.ru/asp/XMLWMList.asp?exchtype=7 --output-file=log.txt --output-document=M:\XML\XMLWMList7.xml - everything works, but with the WARNING. But I can't give another name to the next version of Ubuntu :-) - Maxim
    • Specially downloaded and tried with a couple of other sites - successfully downloads when specifying the publisher's certificate. It does not work with the certificate of this publisher - 'CN = Network Solutions OV Server CA 2, O = Network Solutions LLC, L = Herndon, ST = VA, C = US' - Outtruder
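
An added example, not part of the original thread or of wget: the comments above note that IE exports certificates as binary DER even with a .crt extension while --ca-certificate expects PEM, and that settings can live in a file named by the WGETRC variable. This sketch normalizes exported CA certificates (DER or PEM) into one PEM bundle and produces a wgetrc that keeps check_certificate on; all file names and the sample bytes are assumptions constructed for the illustration.

```python
import ssl
import tempfile
from pathlib import Path

BEGIN, END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"

def to_pem(data: bytes) -> str:
    """Return the certificate(s) in data as PEM text, for PEM or DER input."""
    if BEGIN in data:
        out = []
        for chunk in data.split(BEGIN)[1:]:
            body, end, _ = chunk.partition(END)
            if not end:
                raise ValueError("PEM block without an END CERTIFICATE line")
            # Round-trip through DER: drops stray text, normalises line endings.
            der = ssl.PEM_cert_to_DER_cert((BEGIN + body + END).decode("ascii"))
            out.append(ssl.DER_cert_to_PEM_cert(der))
        return "".join(out)
    if data[:1] == b"\x30":  # DER: a certificate is an ASN.1 SEQUENCE (tag 0x30)
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("neither a PEM nor a DER certificate")

def build_bundle(cert_files, bundle_path) -> int:
    """Write all given CA certificates to one PEM bundle; return their count."""
    pem = "".join(to_pem(Path(f).read_bytes()) for f in cert_files)
    Path(bundle_path).write_bytes(pem.encode("ascii"))
    return pem.count(BEGIN.decode())

def wgetrc_text(bundle_path) -> str:
    """wgetrc content that leaves verification on and names the CA bundle."""
    return f"check_certificate = on\nca_certificate = {bundle_path}\n"

def demo():
    # Constructed bytes that merely start like DER; not real certificates.
    fake_intermediate = b"\x30\x82\x00\xc8" + bytes(range(200))
    fake_root = b"\x30\x82\x00\x64" + bytes(range(100))
    with tempfile.TemporaryDirectory() as tmp:
        ie_export = Path(tmp, "intermediate.crt")  # hypothetical binary DER export
        download = Path(tmp, "root.pem")           # hypothetical PEM file, CRLF endings
        ie_export.write_bytes(fake_intermediate)
        pem = ssl.DER_cert_to_PEM_cert(fake_root).replace("\n", "\r\n")
        download.write_bytes(pem.encode("ascii"))
        bundle = Path(tmp, "ca-bundle.pem")        # hypothetical bundle name
        count = build_bundle([ie_export, download], bundle)
        return count, bundle.read_text(), wgetrc_text(bundle.name)

if __name__ == "__main__":
    count, bundle_text, rc = demo()
    print(count, "certificates in bundle")
    print(rc)  # save as a file and point the WGETRC variable at it
```

By default OpenSSL accepts only a chain that ends in a trusted self-signed root, so the bundle should hold the root CA certificate as well as any intermediate. The same bundle can be passed on the command line with --ca-certificate instead of through the settings file.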

    Protected by a community spirit 2 Sep '17 at 12:45 .
