
I'm trying to make a bash script which will check the SSL status of my clients' web sites and return any error. But for every IP, wget https://$ip:$port gives me the following error:

ERROR: The certificate of 1.2.3.4 is not trusted
ERROR: The certificate of 1.2.3.4 hasn't got a known issuer

When I try with Firefox I get the certificate for each IP. So I tried to dump the Firefox CAs to a directory like this:

wget http://$ip:$port --ca-directory=(directory of CA from Firefox) 

But it doesn't change anything.

I think wget doesn't find the SSL certificate and I don't know how to get it.

How can I get the certificate information?

1 Answer


Typically SSL certificates are issued to hostnames like www.example.com and not to IP addresses.
Therefore when you use the IP address you get a mismatch between the URL you're accessing and the hostname the certificate was issued to.

Second, the CA directory from Firefox may not be suitable, as according to the man page wget requires:

--ca-directory=directory Specifies directory containing CA certificates in PEM format. Each file contains one CA certificate, and the file name is based on a hash value derived from the certificate. ...

I think that wget uses the OpenSSL libraries, which possibly makes openssl itself a more verbose utility for checking on the certificate status, for example in a query to determine the expiry date of an SSL certificate:

 echo "GET /" | openssl s_client -connect servername:port | openssl x509 -noout -dates 
  • Thanks for your answer. I know about the server name and IP, but I only have IPs in the file and I have to check whether the SSL certificate is still valid, but lots of them send me an error about the wildcard. I don't care about this error. And about the --ca-directory option, I have made a copy of the CAs from Firefox (*.pem) in the /etc/ssl/certs folder. Commented Jun 23, 2014 at 8:37
  • If you only care about the expiry date, the script in my answer will also work on IP addresses. You might want to suppress STDERR with 2>/dev/null though. Commented Jun 23, 2014 at 8:43
  • The ` echo "GET /" ... -noout -dates` looks like it gives me exactly what I am looking for, thank you again @HBruijn. But I still don't understand why wget didn't accept my CA file! Commented Jun 23, 2014 at 8:44
  • Either you specify a CA file with a single certificate, or a directory which contains a number of files for different CAs. In that directory wget (and openssl) look for the CA certificate not by scanning all files in that directory, nor by the name of the CA, but by the hash value of the CA subject name. Typically you create a symlink to cafile.cert whose name is the output of openssl x509 -subject_hash -in cafile.cert. Commented Jun 23, 2014 at 8:56
  • I don't fully understand. You said the openssl command is looking for a CA hash. In cafile.cert, do I have to put the hash of all the CAs I have? Commented Jun 23, 2014 at 9:07
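The following is an added example, not code from the question or from HBruijn's answer. It pulls together the two threads above: the answer's `openssl x509 -noout -dates` expiry check, and the comments' point that a `--ca-directory` must contain one PEM file per CA named by `openssl x509 -subject_hash`. It also separates wget's two complaints into distinct checks: "not trusted / hasn't got a known issuer" is a chain problem (the issuer is not in the CA directory), while the IP-versus-hostname mismatch the answer describes is a name problem that `openssl verify -verify_ip` reports on its own. All paths, the self-signed certificate the test generates, and the address 1.2.3.4 are placeholders; `fetch_cert` needs network access and is shown for the question's loop over IPs, not run here. The `-no-CAfile`, `-verify_ip` and `openssl rehash` options assume OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the question or HBruijn's answer): the expiry check
# from the answer plus the hash-named CA directory from the comments, with
# wget's two complaints ("not trusted" = chain problem, "mismatch" = the cert
# was issued to a hostname, not the IP) separated into distinct checks.
# Every path below, and the address 1.2.3.4, is a placeholder.

# The answer's check, applied to a PEM file on disk: prints notBefore/notAfter.
cert_dates() {
    openssl x509 -noout -dates -in "$1"
}

# Exit 0 if the certificate in $1 is still valid $2 days from now, 1 otherwise.
# -checkend takes seconds; it sidesteps parsing the date strings, which
# differs between GNU date and BSD date.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( ${2:-0} * 86400 ))" -in "$1" >/dev/null
}

# Build a CA directory in the layout wget and openssl expect: each CA is a
# single PEM file reachable as <subject_hash>.<n>. This is the symlink the
# comments describe; `openssl rehash DIR` does the same for a whole directory.
make_ca_dir() {
    dir=$1
    shift
    mkdir -p "$dir"
    for ca in "$@"; do
        hash=$(openssl x509 -noout -subject_hash -in "$ca")
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        abs=$(cd "$(dirname "$ca")" && pwd)/$(basename "$ca")
        ln -s "$abs" "$dir/$hash.$n"
    done
}

# Chain check only, trusting nothing but the CAs in $1 (this is what
# "certificate is not trusted / hasn't got a known issuer" is about).
chain_trusted() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Chain check plus "was this cert issued for IP $3?" (the mismatch the answer
# describes: a cert for www.example.com fails this for 1.2.3.4).
chain_trusted_for_ip() {
    openssl verify -no-CAfile -CApath "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

# Fetch the leaf certificate of a live server into PEM file $3. Network access
# is required, so the offline test does not call this. Pass a hostname as $4 to
# send SNI; an IP literal is not a valid SNI value, so it is omitted otherwise.
fetch_cert() {
    ip=$1; port=$2; out=$3; name=${4:-}
    if [ -n "$name" ]; then
        printf 'GET / HTTP/1.0\r\n\r\n' \
          | openssl s_client -connect "$ip:$port" -servername "$name" 2>/dev/null \
          | openssl x509 -out "$out"
    else
        printf 'GET / HTTP/1.0\r\n\r\n' \
          | openssl s_client -connect "$ip:$port" 2>/dev/null \
          | openssl x509 -out "$out"
    fi
}

# Typical use from the question's loop over IPs (placeholders, not run here):
#   fetch_cert 1.2.3.4 443 /tmp/1.2.3.4.pem
#   cert_valid_for_days /tmp/1.2.3.4.pem 14 || echo "1.2.3.4: expires within 14 days"
#   chain_trusted /etc/ssl/certs /tmp/1.2.3.4.pem || echo "1.2.3.4: chain not trusted"
```

Running the expiry check and the chain check separately is what lets a script ignore the wildcard/IP mismatch the commenter does not care about while still failing on an expired or untrusted certificate.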
