Where do I install certificates so that wget and other MacPorts programs will find them?

7

3

I have to install custom certificates so that they work with wget installed via MacPorts. I can't find the right directory.

I've tried installing in /System/Library/OpenSSL/certs but that directory seems to be ingored by wget. Likewise certificates installed in my keychain are ignored.

vy32

Posted 2011-03-26T17:56:12.357

Reputation: 2 715

There is also a certsync port which keeps the OpenSSL certificate bundle in sync with your system keychain (by concatenating all your keychain CAs together into/opt/local/etc/openssl/cert.pem). If you only care about wget working, then sudo port install certsync; sudo port load certsync might be the most straightforward solution. I have tested this and it works with a man-in-the-middle root CA installed into the system keychain by my employer. See my answer below for more details. – TheDudeAbides – 2019-09-19T21:18:44.410

Answers

4

Create a wgetrc file containing:

ca_directory=/System/Library/OpenSSL/certs

On Linux and BSD, the file is located at ~/.wgetrc (and /etc/wgetrc system-wide). I don't know if it is the same for MacPorts.

user1686

Posted 2011-03-26T17:56:12.357

Reputation: 283 655

2Very cool. It's /opt/local/etc/wgetrc on macports. – vy32 – 2011-03-26T19:44:16.200

9

The answer above didn't resolve the issue for me, but I found a similar easy solution with MacPorts:

sudo port install curl-ca-bundle

To install the Certificate Authrity bundle and then push its reference to the wget settings profile:

echo CA_CERTIFICATE=/opt/local/share/curl/curl-ca-bundle.crt >> ~/.wgetrc

Ain

Posted 2011-03-26T17:56:12.357

Reputation: 190

This is a good answer, and it solves a common problem with wget and curl from MacPorts (getting certificate errors for every SSL/TLS web site). It's just not a solution to what the OP had asked for: a method to install "custom certificates" so that wget can find them. – TheDudeAbides – 2019-09-19T20:50:06.477

2

I can't add a comment to grawity's solution, so I guess I'll create a new answer...

grawity's solution seems to be incomplete. It worked because you had already "tried installing in /System/Library/OpenSSL/certs".

I installed OpenSSL from MacPorts (newer than the version included with my Snow Leopard install). This put a cert.pem file in /opt/local/etc/openssl/, which I could then point to with grawity's method. This is essentially what I did:

sudo port install openssl
sudo echo 'ca_directory = /opt/local/etc/openssl' > /opt/local/etc/wgetrc
sudo cat /opt/local/etc/wgetrc.sample >> /opt/local/etc/wgetrc`

Ain's solution probably would have worked for me as well.

Neal Gokli

Posted 2011-03-26T17:56:12.357

Reputation: 121

The original post was asking for a method to install "custom certificates." This means the OP had their own something.pem file, and they just wanted to put it in a place where wget knew (or could be configured) to look for it. – TheDudeAbides – 2019-09-19T21:00:20.670

1

(Hello from 2019!) There is now a certsync port which keeps the OpenSSL certificates in sync with your system keychain, which can be installed with:

sudo port install certsync

MacPorts should create a launchd startup item to do the sync periodically, but if not, sudo port load certsync will do that (use port unload to disable it).

This might be useful, if, for example, your Mac is pre-configured by your employer with a local root CA or other man-in-the-middle certs, or you have your own CAs for other reasons. While not impossible, it would be a pain to

  1. extract those from your system keychain,
  2. only to dump them somewhere else on your filesystem (that you're guaranteed to forget about in six months),
  3. and then, potentially, also having to configure every other command-line utility to point to them (as with the /opt/local/etc/wgetrc in the other solutions here).

Note that the certsync port conflicts with curl-ca-bundle, which is in the dependency chain for many other MacPorts packages, including curl. If you try to proceed, you'll get warnings like this:

$ sudo port install certsync

Error: Can't install certsync because conflicting ports are active: curl-ca-bundle
Error: Follow https://guide.macports.org/#project.tickets to report a bug.
Error: Processing of port certsync failed

$ sudo port uninstall curl-ca-bundle
Note: It is not recommended to uninstall/deactivate a port that has dependents as
it breaks the dependents.
The following ports will break:
 p11-kit @0.23.16.1_0
 neomutt @20180716_0
 neomutt @20180716_1
 curl @7.65.3_1
 subversion @1.12.2_0
Continue? [y/N]:

The "broken" ports will probably still work regardless, since certsync essentially does the job of curl-ca-bundle by concatenating all your system keychain's CAs into /opt/local/etc/openssl/cert.pem, but I can't certify that.

Still, if you only care about getting wget working, and are happy with the built-in /usr/bin/curl (which is configured to use the macOS system-wide certificate store anyway), simply installing the certsync port might be the most straightforward solution.

Source: the comments section of Fixing SSL CA certificates with OpenSSL from MacPorts (andatche.com)

TheDudeAbides

Posted 2011-03-26T17:56:12.357

Reputation: 465

Pretty neat! Now it's only necessary to update the system keychain! – vy32 – 2019-09-20T21:54:53.537

This solves a lot of headaches for me, thanks! – Alan Berezin – 2020-02-27T23:19:35.733

Asked: 2011-03-26T17:56:12.357

Viewed: 4 354 times

Active: 2019-09-19T22:32:38.063