FreeBSD wget cannot verify certificate, issued by Let’s Encrypt

last updated in Categories , , ,

I installed GNU wget utility on FreeBSD as explained here. However, whenever I use the wget command to download stuff from the Internet, it says:
   ERROR: cannot verify’s certificate, issued by ‘CN=Let\’s Encrypt Authority X3,O=Let\’s Encrypt,C=US’:
    Unable to locally verify the issuer’s authority.

How do I fix this problem on FreeBSD 12?

Introduction – The default wget settings is to verify the server’s certificate against the recognized certificate authorities. This error indicates that wget is unable to find root certificates locally. You must install root certificates on your FreeBSD server. Without root certificates, all commands and software such as Firefox would fail. FreeBSD comes with the ca_root_nss package. It includes root certificate bundle from the Mozilla Project. All you have to do is install ca_root_nss package to get rid of this problem.

How to find information about the ca_root_nss package

Run the following pkg command along with grep command to search:
# pkg search ca | grep root
Sample outputs:

R-cran-urca-1.3.0_2            Unit root and cointegration tests for time series data
ca_root_nss-3.41               Root certificate bundle from the Mozilla Project
p5-CACertOrg-CA-20110724.005 CA root certificate in PEM format

So if you run wget, you might get an error that read as follows:
$ wget

ERROR: cannot verify's certificate
ERROR: cannot verify’s certificate, issued by ‘CN=Let\’s Encrypt Authority X3,O=Let\’s Encrypt,C=US’: (click to enlarge)

FreeBSD wget cannot verify certificate authority

Now we know package name. Let us install it:
# pkg install ca_root_nss

FreeBSD install root certificate bundle package
Install ca_root_nss package to get root certificate bundle from the Mozilla Project on FreeBSD

Bundle of CA root certificates installed in /etc/ssl and /usr/local/openssl/ directories on FreeBSD.

Test it

Run the wget command again and it should work without any problems:
$ wget
Sample outputs:

--2018-12-17 15:32:38--
Resolving (, 2001:4f8:1:11::15:0
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 154325028 (147M) [application/octet-stream]
Saving to: 'base.txz'
base.txz                  100%[=====================================>] 147.18M  46.5MB/s    in 3.8s    
2018-12-17 15:32:42 (38.6 MB/s) - 'base.txz' saved [154325028/154325028]

A note about –no-check-certificate

If you can not install ca_root_nss package, pass the --no-check-certificate to the wget command. It means wget won’t check the server certificate against the available certificate authorities. Also wget won’t require the URL host name to match the common name presented by the certificate:
$ wget --no-check-certificate https://url
$ wget --no-check-certificate


This page explained how to install root certificate bundle from the Mozilla Project on FreeBSD. For more info see GNU/wget home page here.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Start the discussion at