I installed GNU wget utility on FreeBSD as explained here. However, whenever I use the wget command to download stuff from the Internet, it says:
ERROR: cannot verify download.freebsd.org’s certificate, issued by ‘CN=Let\’s Encrypt Authority X3,O=Let\’s Encrypt,C=US’:
Unable to locally verify the issuer’s authority.
How do I fix this problem on FreeBSD 12?
Introduction – The default wget settings is to verify the server’s certificate against the recognized certificate authorities. This error indicates that wget is unable to find root certificates locally. You must install root certificates on your FreeBSD server. Without root certificates, all commands and software such as Firefox would fail. FreeBSD comes with the ca_root_nss package. It includes root certificate bundle from the Mozilla Project. All you have to do is install ca_root_nss package to get rid of this problem.
How to find information about the ca_root_nss package
Run the following pkg command along with grep command to search:# pkg search ca | grep root
Sample outputs:
R-cran-urca-1.3.0_2 Unit root and cointegration tests for time series data ca_root_nss-3.41 Root certificate bundle from the Mozilla Project p5-CACertOrg-CA-20110724.005 CACert.org CA root certificate in PEM format |
So if you run wget, you might get an error that read as follows:$ wget https://download.freebsd.org/ftp/releases/amd64/12.0-RELEASE/base.txz
FreeBSD wget cannot verify certificate authority
Now we know package name. Let us install it:# pkg install ca_root_nss
Bundle of CA root certificates installed in /etc/ssl and /usr/local/openssl/ directories on FreeBSD.
Test it
Run the wget command again and it should work without any problems:$ wget https://download.freebsd.org/ftp/releases/amd64/12.0-RELEASE/base.txz
Sample outputs:
--2018-12-17 15:32:38-- https://download.freebsd.org/ftp/releases/amd64/12.0-RELEASE/base.txz Resolving download.freebsd.org (download.freebsd.org)... 149.20.1.200, 2001:4f8:1:11::15:0 Connecting to download.freebsd.org (download.freebsd.org)|149.20.1.200|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 154325028 (147M) [application/octet-stream] Saving to: 'base.txz' base.txz 100%[=====================================>] 147.18M 46.5MB/s in 3.8s 2018-12-17 15:32:42 (38.6 MB/s) - 'base.txz' saved [154325028/154325028] |
A note about –no-check-certificate
If you can not install ca_root_nss package, pass the --no-check-certificate to the wget command. It means wget won’t check the server certificate against the available certificate authorities. Also wget won’t require the URL host name to match the common name presented by the certificate:$ wget --no-check-certificate https://url
$ wget --no-check-certificate https://www.cyberciti.biz/
Conclusion
This page explained how to install root certificate bundle from the Mozilla Project on FreeBSD. For more info see GNU/wget home page here.
