Description of problem:
wget uses the ca-bundle.crt file provided by openssl as standard reference for CAs. This file is very old ;-((. Esp. certificates provided by TC TrustCenter which are valid until 2011 are not in it. The man page says that if you add a parameter "--ca-certificate=<filename>" wget would use this file as an input - but it doesn't work. The validity of the server certificate for the host "www.internetwache.brandenburg.de" ends on 05/02/2006.

Version-Release number of selected component (if applicable):
wget-1.10.2-0.30E

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
root@pns8:~# wget --ca-certificate="/root/tcclass3-2011.pem" https://www.internetwache.brandenburg.de
--16:17:32--  https://www.internetwache.brandenburg.de/
           => `index.html'
Resolving www.internetwache.brandenburg.de... 194.76.232.166
Connecting to www.internetwache.brandenburg.de|194.76.232.166|:443... connected.
ERROR: Certificate verification error for www.internetwache.brandenburg.de: certificate has expired
To connect to www.internetwache.brandenburg.de insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

Expected results:
no errors

Additional info:
You can modify the contents of the ca-bundle.crt file to include the certificates which are relevant for you. It is even more secure to include strictly only the certificates of CAs which you trust and whose policies you have read.

This problem will be resolved in a future major release of Red Hat Enterprise Linux. Red Hat does not currently plan to provide a resolution for this in a Red Hat Enterprise Linux update for currently deployed systems. With the goal of minimizing risk of change for deployed systems, and in response to customer and partner requirements, Red Hat takes a conservative approach when evaluating changes for inclusion in maintenance updates for currently deployed products. The primary objectives of update releases are to enable new hardware platform support and to resolve critical defects.
Closed - Deferred
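
One way to act on the advice above about keeping only trusted CAs in the bundle, as an added example that is not part of the original report or Red Hat's reply. It goes slightly beyond the reply by also rejecting certificates that are expired or close to expiry, since that is the error wget reported. The function name `build_ca_bundle` and all file paths are hypothetical; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: build a curated CA bundle from individually reviewed
# PEM files. Function name and paths are hypothetical.
#
# usage: build_ca_bundle OUT_FILE MIN_VALID_SECONDS CERT.pem [CERT.pem ...]
# Writes OUT_FILE only if at least one certificate qualifies;
# returns 1 (and leaves OUT_FILE untouched) otherwise.
build_ca_bundle() {
    out=$1; min_valid=$2; shift 2
    tmp=$(mktemp) || return 1
    added=0
    for cert in "$@"; do
        # Reject anything that does not parse as an X.509 certificate.
        if ! subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null); then
            echo "skipped (not a certificate): $cert" >&2
            continue
        fi
        # -checkend N exits non-zero when the certificate has expired
        # or will expire within the next N seconds (0 = expired now).
        if ! openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$cert" -noout -enddate)
            echo "skipped (expired or expiring, $end): $cert" >&2
            continue
        fi
        # Re-encode so only the certificate itself lands in the bundle,
        # preceded by its subject as a human-readable audit comment.
        { echo "# $subject"; openssl x509 -in "$cert"; } >>"$tmp"
        added=$((added + 1))
        echo "added: $cert" >&2
    done
    if [ "$added" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}
```

The resulting file can be passed to wget with the `--ca-certificate=<filename>` option quoted in the report. The "skipped" lines on stderr show each rejected certificate's end date.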