Skip Certificate Checks with Wget

Skip Certificate Checks with Wget

Category : How-to

Get Social!

This is a reminder for myself more than anything else, on how to get wget to download SSL internet content when it’s encrypted by a self-signed or otherwise unknown certificate.

If you haven’t installed or updated your certificate Authority certificates on your computer and try and download something from an SSL URL with wget you’re going to run into trouble because your computer doesn’t know what a valid SSL certificate looks like. You’ll also get a similar problem if the site you’re accessing is encrypted by a self-signed certificate. This example shows a problem downloading from a HTTPS Github URL. Of course, there is no problem with the SSL certificate on Github.com, it’s the local machine that doesn’t have the internets Certificate Authority certificates installed.

Resolving github.com (github.com)... 192.30.253.113
Connecting to github.com (github.com)|192.30.253.113|:443... connected.
ERROR: The certificate of 'github.com' is not trusted.
ERROR: The certificate of 'github.com' hasn't got a known issuer.

The quickest way round this, albeit not the safest, is to tell wget to ignore any certificate checks and download the file. To do this, add the –no-check-certificate to your wget command. I don’t know why the wget developers couldn’t have chosen a switch that’s easier to remember!

wget https://github.com --no-check-certificate

 


Apt-get error: E: The method driver /usr/lib/apt/methods/https could not be found

Category : How-to

Get Social!

I’ve been getting the following error when using apt-get update with Debian Wheezy recently.

E: The method driver /usr/lib/apt/methods/https could not be found.

It seems that apt-get only supports HTTP connections by default, and throws an error with any HTTPS URLs.  You’ll likely see this error message if you add a new apt source URL that starts with https. What’s most annoying is that apt doesn’t simply ignore the HTTPS URL when updating the local cache, it actually stops all updates regardless of URL schema.

apt-get update
E: The method driver /usr/lib/apt/methods/https could not be found.

Luckily the fix is easy and requires an additional apt package to handle the SSL URLs. Run the below command to install the apt-transport-https package to enable apt to use HTTPS URL lists.

apt-get install apt-transport-https

Once this is installed, apt should function and update its local cache from your apt lists.


How To Change The Zentyal Certificate Algorithm From SHA-1 To SHA256

Get Social!

logo-zentyal-blackAs of Zentyal version 4.2 the bundled certificate authority (CA) module is creating signed certificates using the SHA-1 algorithm which is an old algorithm and pretty much deprecated.

Google Chrome, for example, will give a warning when accessing any SSL page that’s encrypted stating that your connection is not secure.

SSL Certificates created now should, as a minimum, use the the SHA256 algorithm to ensure encrypted connections are kept private. To change Zentyal to use the SHA256 algorithm, you’ll need to make a small edit to your openssl.cnf file.

vi /var/lib/zentyal/conf/openssl.cnf

And look for default_md within the file. It will currently show as sha1 like below:

default_md = sha1

Edit the value and enter sha256.

default_md = sha256

You’ll then need to log into the Zentyal Admin site and revoke and re-issue all of your sha1 certificates.

I’ve submitted a pull request on Github to have the default changed for new installations.


Git SSL Certificate Problem Caused By Self Signed Certificates

Category : How-to

Get Social!

git-logoIt’s never been easier to set up your own Git server to host your own git repositories for your projects. Thanks to people like the folks over at GitLab you can be up and running in no time at all.

If you host something like this yourself, you’ll probably have entered the world called self signed certificates. These are SSL certificates that have not been signed by a known and trusted certificate authority. There is no security concern using a self signed certificate, the level of security will be similar to a paid for certificate, the problem is that your commuter won’t know that it can trust the certificate. You may have seen this error in a Web Browser, such as Chrome:

chrome-ssl-warning

With Git, however, you’ll get an error from the git command line tool similar to the below:

$ git clone https://wwwgit.jamescoyle.net/test/test-project.git
Cloning into 'test-project'...
fatal: unable to access 'https://[email protected]/test/test-project.git/': SSL certificate problem: unable to get local issuer certificate

The preferred method of dealing with this error is to add the Certificate Authority’s signing certificate as a trusted Certificate Authority on your computer.The way to do this differs depending on your OS and is out of scope for this post.

There are two Git specific methods of forcing Git to accept the self signed certificates, which don’t require you to import the CA certificate to your computers Trusted  CA store:

Turn off Git SSL Verification

You can stop the Git client from verifying your servers certificate and to trust all SSL certificates you use with the Git client. This has it’s own security risks as you would not be warned if there was a valid problem with the server you are trying to connect to.

That said, it’s the quickest and easiest fix for a non trusted server certificate. Simply run the below git command on your Git client.

git config --global http.sslVerify false

Tell Git Where Your Certificate Authority Certificates Are

Another option is to point your Git client towards a folder that contains the Certificate Authority certificate that was used to sign your Git server’s SSL certificate. You may not have one of these if you’re using Self Signed certificates.

Save the CA certificate to a folder on your Git client and run the following git command to tell your Git client to use it when connecting t the server:

git config --system http.sslCAPath /git/certificates

 


Visit our advertisers

Quick Poll

How many Proxmox servers do you work with?

Visit our advertisers