When your Fedora 8 system suddenly stops verifying SSL certificates with wget, it creates both security concerns and workflow interruptions. The error message clearly indicates the core issue:
ERROR: cannot verify www.google.com's certificate, issued by /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA':
Unable to locally verify the issuer's authority.
The problem stems from wget being unable to locate the Certificate Authority (CA) bundle that contains trusted root certificates. While you've confirmed the existence of /etc/pki/tls/certs/ca-bundle.crt, wget isn't automatically detecting this file.
This explains why:
curlworks (it uses different certificate paths)linksworks (might have different SSL implementation)lynxfails (similar path detection issue)
To make wget automatically use the CA bundle without requiring the --ca-certificate switch, you need to configure the system's certificate store properly.
First, verify the actual certificate bundle location:
ls -l /etc/pki/tls/certs/ca-bundle.crt
ls -l /etc/ssl/certs/ca-certificates.crt
Then create a symlink if needed:
sudo ln -s /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt
For cases where you can't modify system files, set the SSL_CERT_FILE environment variable in your .bashrc:
echo 'export SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt' >> ~/.bashrc
source ~/.bashrc
Create or edit ~/.wgetrc to specify the CA path:
echo "ca_certificate = /etc/pki/tls/certs/ca-bundle.crt" >> ~/.wgetrc
After applying any of these solutions, test with:
wget https://www.google.com
You should now see successful SSL verification without certificate errors.
If issues persist, use these debugging commands:
openssl s_client -connect www.google.com:443 -showcerts
wget --debug https://www.google.com
Check for these common pitfalls:
- Outdated CA certificates (run
sudo update-ca-trust) - Incorrect file permissions on the CA bundle
- System time being incorrect (affects certificate validity checks)
If you're seeing errors like this when using wget on Fedora 8:
ERROR: cannot verify www.google.com's certificate, issued by /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA':
Unable to locally verify the issuer's authority.
While other tools like curl work fine, this indicates a certificate store configuration issue specific to wget and possibly lynx.
The core issue is that wget isn't properly locating your system's CA certificate bundle. Fedora 8 stores this at /etc/pki/tls/certs/ca-bundle.crt, but some applications might not look there by default.
You have several options to fix this permanently:
1. System-wide configuration:
sudo ln -s /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt
2. Environment variable approach:
export SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
# Add this to your ~/.bashrc for persistence
3. wget configuration file:
Create or edit ~/.wgetrc with:
ca_certificate = /etc/pki/tls/certs/ca-bundle.crt
After implementing any of these fixes, test with:
wget https://www.google.com
Should now work without SSL errors.
The divergence between wget and curl behavior occurs because:
curluses the system-wide certificate store by defaultwgetmight be compiled with different default paths- Fedora 8's package configuration might have inconsistencies
If you need temporary solutions:
# For single command:
wget --ca-certificate=/etc/pki/tls/certs/ca-bundle.crt https://example.com
# For lynx:
export SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
lynx https://example.com