Differences

This shows you the differences between two versions of the page.

doc:howto:wget-ssl-certs [2012/12/03 21:04]
avalon a little IMO useful information
doc:howto:wget-ssl-certs [2014/06/29 20:33] (current)
motherjoker
Line 13: Line 13:
To connect to dyndns.com insecurely, use `--no-check-certificate'.'' To connect to dyndns.com insecurely, use `--no-check-certificate'.''
-The bug has been fixed, but wget hasn't had a release since 22-Sep-2009. As of 16-Mar-2011, [[http://lists.gnu.org/archive/html/bug-wget/2011-03/msg00015.html|it looks like]] a new version of wget will be released "soon", which will contain this patch.+<del>The bug has been fixed, but wget hasn't had a release since 22-Sep-2009. As of 16-Mar-2011, [[http://lists.gnu.org/archive/html/bug-wget/2011-03/msg00015.html|it looks like]] a new version of wget will be released "soon", which will contain this patch.</del>  wget (1.13.4-1) is now available in the OpenWRT repositories.
====Install wget (with SSL)==== ====Install wget (with SSL)====
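Review bot: the new sentence "wget (1.13.4-1) is now available in the OpenWRT repositories" carries no date and no OpenWrt release name, so a reader of a later snapshot cannot tell whether it is still current; give it the same "As of <date>, ..." form the struck-out paragraph used. Keeping the old paragraph as <del> text next to the new sentence leaves two contradictory statements on the page; dropping it outright would read better. The unchanged line above still tells readers to use `--no-check-certificate' to connect "insecurely"; now that the packaged wget validates certificates, it is worth saying that this switch turns certificate checking off entirely and is only for diagnosing a failed validation, not for regular use.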
Line 28: Line 28:
  - Update shell: <code bash>source /etc/profile</code>   - Update shell: <code bash>source /etc/profile</code>
  - you can also use ''/etc/ssl/certs'' directory with ''curl --capath''   - you can also use ''/etc/ssl/certs'' directory with ''curl --capath''
 +Note: if you need SSL in your DDNS client, look also here [[ddns.client#using.wget]]
==== Adding root certificates ==== ==== Adding root certificates ====
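Review bot: the added Note is squeezed between the last list item and the "==== Adding root certificates ====" heading with no blank line, and its cross-reference is a bare page id; separate it with an empty line and give the link a label (for instance [[ddns.client#using.wget|DDNS client: using wget]]) so it reads as a sentence rather than a path.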
Line 33: Line 34:
Most browsers/distributions/etc ship with root certificates from the major Certificate Authorities, such as VeriSign and GeoTrust. Root certificates are used to validate the certificates presented by servers. OpenWRT does not include root certificates, so it is up to you to install them. Most browsers/distributions/etc ship with root certificates from the major Certificate Authorities, such as VeriSign and GeoTrust. Root certificates are used to validate the certificates presented by servers. OpenWRT does not include root certificates, so it is up to you to install them.
-Let say we want to install the root certificate authority for dyndns.org. The domain https://members.dyndns.org is signed by the [[http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer | "Equifax" root certificate]]. We need to download the root certificate, then place it in the certificate directory. Certificates in /etc/ssl/certs must be named after their hash value so that they can be found.+Let say we want to install the root certificate authority for dyndns.org. The domain https://members.dyndns.org is signed by the <del>[[http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer | "Equifax" root certificate]]</del>. We need to download the root certificate, then place it in the certificate directory. Certificates in /etc/ssl/certs must be named after their hash value so that they can be found.
-It is easier to find the root certificate with any modern web browser (e.g. firefox) by opening the site with https, viewing the certificate and exporting it from the browser to a pem file.+It is easier to find the root certificate with any modern web browser (e.g. firefox) by opening the site with https, viewing the certificate and exporting it from the browser to a pem or base64 cer file.  Using openssl s_client allows for easy downloading of the remote server's SSL certificate chain.  You should verify the chain you get with another source such as your web browser.
The first step is installing ''openssl-util'':<code>opkg install openssl-util</code> The first step is installing ''openssl-util'':<code>opkg install openssl-util</code>
-Now you can use either the manual method or the add-cert.sh script below to install certs into /etc/ssl/certs. Make sure to use openssl from the OpenWrt device because if you try this from your linux PC, you may get a completely different hash for the same exact certificate.+Now you can use either the manual method or the add-cert.sh script below to install certs into /etc/ssl/certs. Make sure to use openssl from the OpenWrt device because if you try this from your linux PC, you may get a completely different hash for the same exact certificate due to a difference in the version of openssl.
===Adding certificates manually=== ===Adding certificates manually===
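Review bot: with the Equifax link struck through, the second paragraph now ends "is signed by the <del>...</del>." and names no issuer at all; either name the CA that currently issues the members.dyndns.org certificate or reword it to "is signed by a root certificate that OpenWrt does not ship". On the new openssl s_client sentence: a chain fetched from the very server you are about to trust is exactly the case where "verify the chain you get with another source" matters, so say what to compare (the root's fingerprint as displayed by the browser against `openssl x509 -fingerprint -noout -in <file>` on the device) rather than leave "verify" unspecified. In the last paragraph, "due to a difference in the version of openssl" should state which versions produce different hashes, otherwise the reader cannot tell whether the hash computed on their PC is the one the device's openssl expects.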
Line 46: Line 47:
|<code bash> |<code bash>
cd /etc/ssl/certs cd /etc/ssl/certs
-wget http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer+openssl s_client -connect members.dyndns.org:443 < /dev/null > temporary.out 
 +openssl x509 -outform PEM < temporary.out > members.dyndns.org.cer 
##### create link using the hash value from openssl ##### ##### create link using the hash value from openssl #####
# store certificate hash value in HASH append .0 # store certificate hash value in HASH append .0
-HASH=`openssl x509 -hash -noout -in Equifax_Secure_Certificate_Authority.cer`.0+HASH=`openssl x509 -hash -noout -in members.dyndns.org.cer`.0
# create link # create link
-ln -s Equifax_Secure_Certificate_Authority.cer $HASH+ln -s members.dyndns.org.cer $HASH
</code>| </code>|
//Note: If another cert has the same hash use suffix ''.1'' or ''.2'' instead of ''.0''. To see the hash value type ''echo $HASH''.// //Note: If another cert has the same hash use suffix ''.1'' or ''.2'' instead of ''.0''. To see the hash value type ''echo $HASH''.//
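Review bot: the replacement commands do not install what the section heading and the prose promise. `openssl s_client -connect members.dyndns.org:443 < /dev/null > temporary.out` captures only the server's own (leaf) certificate, and `openssl x509 -outform PEM < temporary.out` keeps the first PEM block it finds, so `ln -s members.dyndns.org.cer $HASH` places the leaf certificate in the trust directory instead of the "root certificate authority" the text describes, and the step has to be redone whenever the server certificate is renewed. Use `openssl s_client -showcerts` to obtain the chain the server sends, extract the issuing CA certificate (which may be an intermediate rather than the root), and compare its fingerprint with one obtained out of band, as the paragraph above now asks, before creating the link. Minor: temporary.out is left behind in /etc/ssl/certs, and the output file is named .cer although it holds PEM.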
Line 113: Line 116:
  echo "Option: -f      force overwriting if certificate exists" >&2   echo "Option: -f      force overwriting if certificate exists" >&2
fi</code>| fi</code>|
 +
 +===Adding certificates through opkg===
 +You can use opkg to install the certificates from the major CA
 +<code>opkg install ca-certificates</code>
 +Now you have the major root certificates installed in /etc/ssl/certs
===== Trouble Shooting ===== ===== Trouble Shooting =====
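Review bot: this is the simplest and safest route to the major roots, since nothing is fetched from the server whose identity is being checked, so it belongs before the manual and script methods, with those presented as the fallback for a CA the package does not contain. It should also say whether the package creates the hash-named links that the manual section says /etc/ssl/certs requires; otherwise readers do not know if the link step still applies after `opkg install ca-certificates`. Typos: "the major CA" should be "the major CAs", and the last sentence needs a full stop.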
Line 130: Line 138:
--- //[[joda]] 2010/06/19 20:57// --- //[[joda]] 2010/06/19 20:57//
 +
 +
 +==== Confirm wget SSL root ====
 +
 +Example:  wget https://members.dyndns.org/
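Review bot: the new "Confirm wget SSL root" section shows the command but not what a successful or a failed check looks like, so it confirms nothing for the reader; state the expected result (the page downloads without a certificate error) and the error text wget prints when the root is missing, and make explicit that the test must be run without `--no-check-certificate`, the switch the earlier section mentions for insecure connections, because it would hide exactly the failure being tested for. The heading would read better as "Confirm wget SSL root certificate".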

doc/howto/wget-ssl-certs.1354565090.txt.bz2 · Last modified: 2012/12/03 21:04 by avalon