SSL CERTIFICATE CHECKS FAIL ALL THE TIME (git & wget & etc…)
###################################################

If your trying to download something from github with “git clone” or wget from an https site – and you keep getting invalid certificates errors (even though your downloading from legit places). This means your system doesnt have good ROOT CERTIFICATES to validate with. Fix this by getting the latest ROOT CERTIFICATES so that your system can verify amongst common download certificates.

NOTE: In windows and mac and certain linux distros you dont need to do this as the ca-certs come prepackages in the main install.

NOTE: when you go to an https site (or download a file from https), the ssl protocol will grab the servers certificates and verify its coming from a legit source and also that the certificates check off with your root certificates. If they dont have valid certs you get warnings, such as the warning you get when browsing to a site with a self-signed certificate – and you get the red lock on the url bar – or a warning page that looks like this:

With git, wget and curl you might get errors like this

Workaround for git, curl & wget:

Those are just work arounds. If a site has a bad certificate it comes down to 1 of 2 things.

1. it should have a good certificate but you dont have the latest ca root certs installed on your box – so follow method below to fix that

2. its truely a bad certificate – you can workaround it with above workarounds (at your own security risk)

To get latest certs

To get the latest list of CA-CERTS, Download the latest ca-certificates file and install it.

But first get root access (or run every command with “sudo” perfix):

# sudo -i

Most like this command will do to install your root certs:
# apt-get install ca-certificates
# update-ca-certificates

Note you will need the prereqs (that you already probably have) – openssl & debconf:
# apt-get install openssl
# apt-get install debconf

Now run your gits & wget and they should work.

REINSTALL
##########

If not try to reinstall.

# apt-get install –reinstall ca-certificates
# update-ca-certificates

MAY NEED OTHER VERSION
########################

If not yet still – then possibly you have that file/program and still you get errors – you might be using a ca-certificates thats comprimised or changed for specific use. You can check which edition you have with :
# dpkg -l | grep ca-certificates
See all the ones available to apt-get (from your listed repos in /etc/apt/sources.list):
# apt-cache show ca-certificates
Or see the version that will install:
# apt-cache show ca-certificates

MANUAL INSTALL
###############

Or you can manually install the certificates from a trusted source:

STEP1 Wget the deb file

Here is a place for all debian systems:
https://packages.debian.org/search?keywords=ca-certificates

Ill just use wheezy because its compatible with my system:
https://packages.debian.org/wheezy/ca-certificates

Here is a list of download links (go to this site and pick a mirror, and right click to copy its url):
https://packages.debian.org/wheezy/all/ca-certificates/download

# wget http://ftp.us.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20130119_all.deb

NOTE (updated 2015-10-08): the above is from 2013, newer ones can be found here http://ftp.us.debian.org/debian/pool/main/c/ca-certificates/. i.e. here is the one from 2015: # wget http://ftp.us.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20150426_all.deb

Note that the package downloads alot of root ssl certs, but also a binary called “update-ca-certificates” which is very useful. If you already have that binary. You can just extract the .deb file using:
ar x ca-certificates*deb
Then just copy out the certificates to this folder in your system: /usr/share/ca-certificates/
After copying the certificates there just run:
# update-ca-certificates

STEP2
Install the wget
# dpkg -i ca-certificates_20130119_all.deb
# update-ca-certificates

EXTRA INFO
###########

Note: in the end the ca-certificates deb file just contains the executable certificates, which if you already have, then your set for that part (the part where you need that file, as you see we run it after installing/copying the certificates to /usr/share/ca-certicates), then the ca-certificates deb file contains the certificates themselves – which as mentioned earlier if they are put in the right directory /usr/share/ca-certificates/ then they can be put to some work: First copy the certs to /usr/share/ca-certificates and then run:
# update-ca-certificates
Update-ca-certificates symlinks the certs in that directory to the cache of certs in /etc

Note: that the ca-certificates debian file gets updated regularly with any new root certs or edits that need to be made.

UPDATE-CA-CERTIFICATES
########################

Here is a description from the man pages of what update-ca-certificate does:

This manual page documents briefly the update-ca-certificates command.

update-ca-certificates is a program that updates the directory
/etc/ssl/certs to hold SSL certificates and generates certificates.crt,
a concatenated single-file list of certificates.

It reads the file /etc/ca-certificates.conf. Each line gives a pathname
of a CA certificate under /usr/share/ca-certificates that should be
trusted. Lines that begin with “#” are comment lines and thus ignored.
Lines that begin with “!” are deselected, causing the deactivation of
the CA certificate in question. Certificates must have a .crt extension
in order to be included by update-ca-certificates.

Furthermore all certificates with a .crt extension found below
/usr/local/share/ca-certificates are also included as implicitly
trusted.

Before terminating, update-ca-certificates invokes run-parts on
/etc/ca-certificates/update.d and calls each hook with a list of cer-
tificates: those added are prefixed with a +, those removed are pre-
fixed with a -.

LIST OF FILES IN A GOOD VERSION OF ca-certificates
##########################################

This is the following version:

 

SUMMARY OF COMMANDS
####################

Here is two of the good discussed methods above.

With APT-GET
=============
sudo -i
apt-get install openssl
apt-get install debconf
apt-get install ca-certificates
update-ca-certificates

MANUAL
=======

OTHER MANUAL METHOD
====================

Extract the debian file and manually copy certificates.

 

Leave a Reply

Your email address will not be published. Required fields are marked *