How to Fix SSL Certificate Errors in Cygwin When Using wget with HTTPS URLs



When running wget in Cygwin on Windows, you might encounter SSL certificate errors like:

ERROR: The certificate of 'example.com' is not trusted.
ERROR: The certificate of 'example.com' hasn't got a known issuer.

This occurs because Cygwin's wget doesn't automatically trust the Windows certificate store. Unlike native Windows applications, Cygwin maintains its own trust store.

For testing purposes, you can temporarily bypass certificate verification:

wget --no-check-certificate https://example.com/file.zip

Warning: This is insecure and should only be used for trusted internal resources.

To properly fix this, you need to configure Cygwin to use Windows' certificate store:

Method 1: Using Windows CA Store

wget --ca-certificate=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem https://example.com

Method 2: Updating Cygwin's CA Certificates

Run these commands in Cygwin:

curl -L -o /etc/pki/ca-trust/source/ca-bundle.crt https://curl.se/ca/cacert.pem
update-ca-trust

Add this to your ~/.wgetrc file:

ca_certificate = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
check_certificate = on

Test your configuration with:

wget https://www.google.com

If successful, you should see the index.html file downloaded without certificate errors.

If you continue to have issues, consider using curl, which often handles certificates better:

curl -O https://example.com/file.zip

  • Ensure your Cygwin installation is up-to-date: setup-x86_64.exe -q -P wget,ca-certificates
  • Check system time - incorrect time can cause certificate validation failures
  • For corporate environments, you may need to add your organization's root CA

When running wget in Cygwin on Windows, you might encounter SSL certificate errors like:

ERROR: The certificate of 'example.com' is not trusted.
ERROR: The certificate of 'example.com' hasn't got a known issuer.

This occurs because Cygwin's wget doesn't automatically use Windows' certificate store like native Windows tools do. Instead, it relies on its own CA certificate bundle.

For testing purposes only, you can bypass SSL verification:

wget --no-check-certificate https://example.com/file.zip

Warning: This makes your connection vulnerable to man-in-the-middle attacks.

The recommended approach is to install Cygwin's CA certificates package:

setup-x86_64.exe -q -P ca-certificates

After installation, wget will use /etc/ssl/certs/ca-bundle.crt as its trust store.

If you have a specific certificate bundle you want to use:

wget --ca-certificate=/path/to/custom/ca-bundle.crt https://example.com

To manually update the certificates:

update-ca-trust

Or download Mozilla's CA bundle directly:

wget https://curl.se/ca/cacert.pem -O /etc/ssl/certs/ca-bundle.crt

For detailed debugging, use these flags:

wget --debug --verbose https://example.com

This will show the complete certificate chain and verification process.

To make this persistent, add to your ~/.wgetrc:

ca_certificate = /etc/ssl/certs/ca-bundle.crt
check_certificate = on
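
A check for the ~/.wgetrc settings shown in both configuration passages above, as an added example that is not part of the original article: it reports a lingering check_certificate = off and confirms that the ca_certificate path is readable and actually contains PEM certificates. The function names and return codes are this example's own; the wget behaviour assumed is that command names ignore case, underscores and hyphens and that booleans may be written off, no or 0.

```shell
#!/bin/sh
# Added example: audit a wgetrc for the two settings discussed on this page.
# Return codes (this script's own convention): 0 ok, 1 verification disabled,
# 2 ca_certificate file not readable, 3 file holds no PEM certificate.

# wgetrc_get FILE NAME: print the last value assigned to NAME. NAME must be
# given normalised (lower case, no "_" or "-"), e.g. "cacertificate".
wgetrc_get() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t_-]/, "", name)            # Check-Certificate == check_certificate
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (name == want) found = val        # later lines override earlier ones
        }
        END { if (found != "") print found }
    ' "$1"
}

audit_wgetrc() {
    rc_file=$1
    [ -r "$rc_file" ] || { echo "no wgetrc at $rc_file (wget defaults apply)"; return 0; }

    # A persistent equivalent of --no-check-certificate is the worst finding.
    check=$(wgetrc_get "$rc_file" checkcertificate | tr 'A-Z' 'a-z')
    case $check in
        off|no|0) echo "FAIL: check_certificate = $check disables verification"; return 1 ;;
    esac

    bundle=$(wgetrc_get "$rc_file" cacertificate)
    [ -n "$bundle" ] || { echo "OK: no ca_certificate override"; return 0; }
    [ -r "$bundle" ] || { echo "FAIL: ca_certificate $bundle is not readable"; return 2; }

    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$count" -gt 0 ] || { echo "FAIL: $bundle holds no PEM certificates"; return 3; }
    echo "OK: verification on, $bundle holds $count certificate(s)"
}

# Usage: sh this-script.sh ~/.wgetrc
if [ "$#" -gt 0 ]; then audit_wgetrc "$1"; fi
```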