Wget can't download page via HTTPS ("No certificate presented", "GnuTLS: Resource unavailable")

0

I'm using GNU Wget 1.20.3 on Manjaro with the default configuration.

I'm trying to download the page https://www.gw.hd.bw.schule.de/ (a simple HTML page) using the following command:

$ wget https://www.gw.hd.bw.schule.de/

The download is not successful; Wget outputs the following:

--2019-08-04 20:21:40--  https://www.gw.hd.bw.schule.de/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.gw.hd.bw.schule.de (www.gw.hd.bw.schule.de)... 129.143.69.156
Connecting to www.gw.hd.bw.schule.de (www.gw.hd.bw.schule.de)|129.143.69.156|:443... connected.
GnuTLS: Resource temporarily unavailable, try again.
ERROR: No certificate presented by www.gw.hd.bw.schule.de.

I need to use Wget, because I need its abilities to recursively download multiple pages and rewrite the links to be relative.

Accessing the same page in Firefox or Chromium works, as does downloading the page using curl https://www.gw.hd.bw.schule.de/.

I therefore suspect it has something to do with the certificate validation process. I believe that Wget uses GnuTLS while cURL uses OpenSSL to handle the TLS connection, so I checked how they handle the certificate.

This works (certificate is downloaded and verified):

$ openssl s_client -connect www.gw.hd.bw.schule.de:443

This doesn't work (gnutls-cli version 3.6.8):

$ gnutls-cli www.gw.hd.bw.schule.de

GnuTLS aborts this command with the following error:

[...]
- Could not verify certificate (err: Some constraint limits were reached.)
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

What does this error mean? How do I fix it? Is this the cause of Wget's failure to download? If not, what else is?

Other things I've checked

I believe this has nothing to do with SNI (I've checked that both Wget and Firefox send SNI headers using Wireshark as described in this answer on ServerFault).

I also believe this has nothing to do with the location of the certificate store as I've manually downloaded the certificate using Firefox and specified it using wget --ca-certificate=[...] (unsuccessfully).

Edit: A workaround

I've compiled Wget manually from source, linking it to OpenSSL instead of GnuTLS. Using this version of Wget, I could successfully download the webpage. I thought I'd share this as it can be seen as further evidence that it has something to do with GnuTLS (although I don't know what), and maybe it helps someone with the same problem.

TuringTux

Posted 2019-08-04T19:45:25.453

Reputation: 312

No answers