OpenWrt Forum Archive

Topic: How to use CA-Certificate Package with wget and curl

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I installed the ca-certificate package on my router (trunk r40694 / LuCI Trunk (svn-r10180) running on wndr3800.
Can somebody support me how to use the installed .cer files together with wget (full version) and curl.

I tried wget --ca-directory=/etc/ssl/certs -o - https://.....
and curl --capath /etc/ssl/certs https://.....

and what ever https page I try I only get errors that the server could not be verified.

What did I wrong ?

Thanks for your support

Seems you are using wget & curl packages without SSL support. There are package versions with SSL support enabled for wget & curl..

# wget -V
GNU Wget 1.15 built on linux-gnu.
+digest +https +ipv6 -iri +large-file -nls +ntlm +opie +ssl/openssl

# wget -v --ca-directory=/etc/ssl/certs https://forum.openwrt.org/
--2014-05-17 15:37:45--  https://forum.openwrt.org/
Resolving forum.openwrt.org... 78.24.191.177
Connecting to forum.openwrt.org|78.24.191.177|:443... connected.
ERROR: cannot verify forum.openwrt.org's certificate, issued by '/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435':
  Unable to locally verify the issuer's authority.
To connect to forum.openwrt.org insecurely, use `--no-check-certificate'.

# curl -V
curl 7.36.0 (mips-openwrt-linux-gnu) libcurl/7.36.0 OpenSSL/1.0.1g
Protocols: file ftp ftps http https
Features: IPv6 Largefile SSL

# curl -v --capath /etc/ssl/certs https://forum.openwrt.org
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

????

(Last edited by chris5560 on 17 May 2014, 16:45)

Hi,

found the solution for myself. The ca-certificates package is missing the HASH-links to the certificates.

First I opkg install openssl-util
then I wrote a little script: add_certs_hash.sh

#!/bin/sh
OPENSSL=/usr/bin/openssl
CERTDIR=/etc/ssl/certs

if [ ! -f $OPENSSL ]; then
    opkg update
    opkg install openssl-util
fi

for CERTFILE in $(ls -1 $CERTDIR); do
    echo "Certificate $CERTFILE"

    # create symbolic link from hash
    echo -n "  generating hash: "
    HASH=`$OPENSSL x509 -hash -noout -in $CERTDIR/$CERTFILE`
    echo "$HASH"

    # handle hash collisions
    SUFFIX=0
    while [ -h "$CERTDIR/$HASH.$SUFFIX" ]; do
        let "SUFFIX += 1"
    done

    echo "  linking $HASH.$SUFFIX -> $CERTFILE"
    ln -s "$CERTFILE" "$CERTDIR/$HASH.$SUFFIX"
done
exit 0

Test. Works

Hope somebody find a way to put the hash-link generation directly into the ca-certificates package.

chris5560

Hi!

I do small improvements to script that use shell expansion:

#! /bin/sh
OPENSSL=/usr/bin/openssl
CERTDIR=/etc/ssl/certs

# Install openssl-util if need
[ ! -f ${OPENSSL} ] && opkg update && opkg install openssl-util

for CERTFILE in ${CERTDIR}/*; do
        # create symbolic link from hash
        echo -en "Certificate ${CERTFILE##*/}\n  generating hash: "
        HASH=$(${OPENSSL} x509 -hash -noout -in ${CERTFILE})
        echo "$HASH"

        # handle hash collision
        SUFFIX=0
        while [ -h "${CERTDIR}/${HASH}.${SUFFIX}" ]; do
                let "SUFFIX += 1"
        done

        echo "  linking ${HASH}.${SUFFIX} -> ${CERTFILE##*/}"
        ln -s ${CERTFILE##*/} ${CERTDIR}/${HASH}.${SUFFIX}
done

I think that is a good idea add this (or similar script) to ca-certficates package.

Greetings!

It's part of ca-certifaces 20141019 package availible on trunk.
Hash links are installed/created during installation (Makefile)

Had the same problem, thanks Chris for the solution. Just to be practical, do this:

source /etc/openwrt_release; opkg install http://downloads.openwrt.org/snapshots/trunk/$DISTRIB_TARGET/packages/base/ca-certificates_20141019_$(dirname $DISTRIB_TARGET).ipk

I received an error, but everything seems to work fine anyway:

Configuring ca-certificates.
//usr/lib/opkg/info/ca-certificates.postinst: line 4: default_postinst: not found
Collected errors:
 * pkg_run_script: package "ca-certificates" postinst script returned status 127.
 * opkg_configure: ca-certificates.postinst returned 127.

Hi,
the install routine in CC was changed.
if you are using BB 14.07 please give development some days. They are currently working on a new build server,
So currently inside BB downloads there is still ca-certificates 20140325 for download.
Inside BB sources is already 20141019.
As soon as the build server is up and running. downloads will be updated.

The discussion might have continued from here.