FreeBSD wget cannot verify certificate, issued by Let’s Encrypt

I installed GNU wget utility on FreeBSD as explained here. However, whenever I use the wget command to download stuff from the Internet, it says:
   ERROR: cannot verify’s certificate, issued by ‘CN=Let\’s Encrypt Authority X3,O=Let\’s Encrypt,C=US’:
    Unable to locally verify the issuer’s authority.

How do I fix this problem on FreeBSD 12?

Introduction – The default wget settings is to verify the server’s certificate against the recognized certificate authorities. This error indicates that wget is unable to find root certificates locally. You must install root certificates on your FreeBSD server. Without root certificates, all commands and software such as Firefox would fail. FreeBSD comes with the ca_root_nss package. It includes root certificate bundle from the Mozilla Project. All you have to do is install ca_root_nss package to get rid of this problem.

How to find information about the ca_root_nss package

Run the following pkg command along with grep command to search:
# pkg search ca | grep root
Sample outputs:

R-cran-urca-1.3.0_2            Unit root and cointegration tests for time series data
ca_root_nss-3.41               Root certificate bundle from the Mozilla Project
p5-CACertOrg-CA-20110724.005 CA root certificate in PEM format

So if you run wget, you might get an error that read as follows:
$ wget

ERROR: cannot verify’s certificate, issued by ‘CN=Let\’s Encrypt Authority X3,O=Let\’s Encrypt,C=US’: (click to enlarge)

FreeBSD wget cannot verify certificate authority

Now we know package name. Let us install it:
# pkg install ca_root_nss

Install ca_root_nss package to get root certificate bundle from the Mozilla Project on FreeBSD

Bundle of CA root certificates installed in /etc/ssl and /usr/local/openssl/ directories on FreeBSD.

Test it

Run the wget command again and it should work without any problems:
$ wget
Sample outputs:

--2018-12-17 15:32:38--
Resolving (, 2001:4f8:1:11::15:0
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 154325028 (147M) [application/octet-stream]
Saving to: 'base.txz'
base.txz                  100%[=====================================>] 147.18M  46.5MB/s    in 3.8s    
2018-12-17 15:32:42 (38.6 MB/s) - 'base.txz' saved [154325028/154325028]

A note about –no-check-certificate

If you can not install ca_root_nss package, pass the --no-check-certificate to the wget command. It means wget won’t check the server certificate against the available certificate authorities. Also wget won’t require the URL host name to match the common name presented by the certificate:
$ wget --no-check-certificate https://url
$ wget --no-check-certificate


This page explained how to install root certificate bundle from the Mozilla Project on FreeBSD. For more info see GNU/wget home page here.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 0 comments... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
0 comments… add one

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum