# SSL certificates for use with wget



## tyrian (Jun 28, 2012)

When I wget https resources, I'm unable to verify the certificates:

`$ wget [url]https://google.com[/url]`

```
--2012-06-29 10:56:13--  [url]https://google.com/[/url]
Resolving google.com (google.com)... 74.125.227.137, 74.125.227.142, 74.125.227.128, ...
Connecting to google.com (google.com)|74.125.227.137|:443... connected.
ERROR: cannot verify google.com's certificate, issued by `/C=US/O=Google Inc/CN=Google Internet Authority':
  Unable to locally verify the issuer's authority.
To connect to google.com insecurely, use `--no-check-certificate'.
```

I've installed security/ca_root_nss, which is the only maintained root certificate I could find. How do I go about downloading resources with wget without explicitly bypassing the certificate with --no-check-certificate? 

I know that fetch() is in the base install, but I'm looking to use this in more complex arrangements, such as batch downloading large sets of files recursively, in a way not supported by fetch or curl. Is there an equivalent to the ca-certificates package on Debian-based distributions to handle the certs correctly?


----------



## kpa (Jun 29, 2012)

Try giving the CA certificate file to ftp/wget with the --ca-certificate or the --ca-directory options. I think the problem is that ftp/wget uses the base system openssl(1) settings and search paths for certificates and /usr/local/share/certs/ are not included in the search path by default.

`$ wget --ca-certificate /usr/local/share/certs/ca-root-nss.crt [url]https://www.google.com/[/url]`

Edit: The above works for me. There's also an option in security/ca_root_nss to create a symbolic link in /etc/ssl that should make thing work automatically.


----------



## tyrian (Jun 29, 2012)

That did the trick, thanks!


----------



## SirDice (Jun 29, 2012)

It might work without the options if you build security/ca_root_nss with ETCSYMLINK turned on.


----------



## rustyx (Aug 21, 2014)

Or install ca-root-nss then do this


```
ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
```


----------

