OpenWrt Forum Archive

Topic: How to use CA-Certificate Package with wget and curl

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.


I installed the ca-certificate package on my router (trunk r40694 / LuCI Trunk (svn-r10180)) running on wndr3800.
Can somebody help me with how to use the installed .cer files together with wget (full version) and curl?

I tried wget --ca-directory=/etc/ssl/certs -o - https://.....
and curl --capath /etc/ssl/certs https://.....

and whatever https page I try I only get errors that the server could not be verified.

What did I do wrong?

Thanks for your support

Seems you are using wget & curl packages without SSL support. There are package versions with SSL support enabled for wget & curl.

# wget -V
GNU Wget 1.15 built on linux-gnu.
+digest +https +ipv6 -iri +large-file -nls +ntlm +opie +ssl/openssl

# wget -v --ca-directory=/etc/ssl/certs
--2014-05-17 15:37:45--
Connecting to||:443... connected.
ERROR: cannot verify's certificate, issued by '/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU= Secure Certification Authority/serialNumber=10688435':
  Unable to locally verify the issuer's authority.
To connect to insecurely, use `--no-check-certificate'.

# curl -V
curl 7.36.0 (mips-openwrt-linux-gnu) libcurl/7.36.0 OpenSSL/1.0.1g
Protocols: file ftp ftps http https
Features: IPv6 Largefile SSL

# curl -v --capath /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here:

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.


(Last edited by chris5560 on 17 May 2014, 16:45)


Found the solution for myself. The ca-certificates package is missing the HASH-links to the certificates.

First I opkg install openssl-util
then I wrote a little script:


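#!/bin/sh

OPENSSL=/usr/bin/openssl    # assumed install path of openssl-util
CERTDIR=/etc/ssl/certs      # directory passed to --ca-directory / --capath

# install openssl-util if the openssl binary is missing
if [ ! -f "$OPENSSL" ]; then
    opkg update
    opkg install openssl-util
fi

for CERTFILE in $(ls -1 $CERTDIR); do
    echo "Certificate $CERTFILE"

    # create symbolic link from hash
    echo -n "  generating hash: "
    HASH=`$OPENSSL x509 -hash -noout -in $CERTDIR/$CERTFILE`
    echo "$HASH"

    # handle hash collisions: use the first free <hash>.<n> name
    SUFFIX=0
    while [ -h "$CERTDIR/$HASH.$SUFFIX" ]; do
        SUFFIX=$((SUFFIX + 1))
    done

    echo "  linking $HASH.$SUFFIX -> $CERTFILE"
    ln -s "$CERTFILE" "$CERTDIR/$HASH.$SUFFIX"
done
exit 0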

Test. Works

Hope somebody finds a way to put the hash-link generation directly into the ca-certificates package.



I made small improvements to the script to use shell expansion:

#!/bin/sh

OPENSSL=/usr/bin/openssl    # assumed install path of openssl-util
CERTDIR=/etc/ssl/certs      # directory passed to --ca-directory / --capath

# Install openssl-util if needed
[ ! -f "${OPENSSL}" ] && opkg update && opkg install openssl-util

for CERTFILE in "${CERTDIR}"/*; do
        # create symbolic link from hash
        echo -en "Certificate ${CERTFILE##*/}\n  generating hash: "
        HASH=$("${OPENSSL}" x509 -hash -noout -in "${CERTFILE}")
        echo "$HASH"

        # handle hash collision: use the first free <hash>.<n> name
        SUFFIX=0
        while [ -h "${CERTDIR}/${HASH}.${SUFFIX}" ]; do
                SUFFIX=$((SUFFIX + 1))
        done

        echo "  linking ${HASH}.${SUFFIX} -> ${CERTFILE##*/}"
        ln -s "${CERTFILE##*/}" "${CERTDIR}/${HASH}.${SUFFIX}"
done

I think it is a good idea to add this (or a similar script) to the ca-certificates package.


It's part of the ca-certificates 20141019 package available on trunk.
Hash links are installed/created during installation (Makefile).
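
A check that can be run after either script above, or after installing the newer package, to confirm that every certificate in the directory is reachable through a hash link (an added example, not part of the original posts; the function names `cert_hash` and `missing_hash_links` are hypothetical, and it assumes `openssl` and `readlink` are available on the router):

```shell
#!/bin/sh
# Added example: report certificates in a CA directory that have no
# <hash>.<n> symlink, which is what --capath / --ca-directory look up.

CERTDIR="${CERTDIR:-/etc/ssl/certs}"   # directory used in the thread

# Subject hash of one certificate file (hypothetical helper name).
# Kept separate so it can be swapped out where openssl is not installed.
cert_hash() {
    openssl x509 -hash -noout -in "$1" 2>/dev/null
}

# Print the base name of every certificate file in directory $1 that has
# no <hash>.<n> symlink resolving to it.
# Returns 0 when nothing is missing, 1 otherwise.
missing_hash_links() {
    dir=$1
    missing=0
    for cert in "$dir"/*; do
        [ -f "$cert" ] || continue      # skip directories and broken links
        [ -h "$cert" ] && continue      # skip the hash links themselves
        hash=$(cert_hash "$cert") || hash=""
        if [ -z "$hash" ]; then
            echo "${cert##*/}: not a readable certificate" >&2
            continue
        fi
        found=0
        n=0
        # OpenSSL probes <hash>.0, <hash>.1, ... and stops at the first gap
        while [ -h "$dir/$hash.$n" ]; do
            target=$(readlink "$dir/$hash.$n")
            if [ "${target##*/}" = "${cert##*/}" ]; then
                found=1
                break
            fi
            n=$((n + 1))
        done
        if [ "$found" -eq 0 ]; then
            echo "${cert##*/}"
            missing=1
        fi
    done
    return "$missing"
}
```

Calling `missing_hash_links "$CERTDIR"` on the router prints one file name per certificate that the hashed lookup cannot find; no output and exit status 0 mean the directory is complete.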

Had the same problem, thanks Chris for the solution. Just to be practical, do this:

source /etc/openwrt_release; opkg install$DISTRIB_TARGET/packages/base/ca-certificates_20141019_$(dirname $DISTRIB_TARGET).ipk

I received an error, but everything seems to work fine anyway:

Configuring ca-certificates.
//usr/lib/opkg/info/ca-certificates.postinst: line 4: default_postinst: not found
Collected errors:
 * pkg_run_script: package "ca-certificates" postinst script returned status 127.
 * opkg_configure: ca-certificates.postinst returned 127.

The install routine in CC was changed.
If you are using BB 14.07 please give development some days. They are currently working on a new build server.
So currently inside BB downloads there is still ca-certificates 20140325 for download.
Inside BB sources is already 20141019.
As soon as the build server is up and running, downloads will be updated.

The discussion might have continued from here.