1. Overview
wget is a popular command-line tool for downloading files on Linux. It supports a vast number of network protocols including FTP and HTTPS.
When downloading a file, we may sometimes encounter errors, depending on the HTTPS setup of the server we’re using.
In this tutorial, we’ll look at how to resolve HTTPS download-related errors in wget. First, we’ll learn disabling the certificate check. Then, we’ll consider wget secure protocol options that may fix it. Finally, we’ll look at compiling wget from source to install the latest version, which can be helpful in certain situations.
2. Reproduce an Error
First, let’s reproduce an error like the kind we’re trying to resolve in this tutorial.
For that, we use the badssl.com website, which allows us to simulate various HTTP errors.
Here, the link we use to reproduce the HTTP error is https://expired.badssl.com/, which creates the certificate-related problems:
$ wget https://expired.badssl.com/
Connecting to expired.badssl.com (104.154.89.105:443)
ERROR: cannot verify expired.badssl.com's certificate: issued certificate has expired
wget: error getting response: Connection reset by peer
As we can see, a download link causes “certificate has expired” error.
In the next sections, we’ll see how to resolve this error.
3. Disable wget Certificate Check
To fix the above error, we can try adding the option –no-check-certificate:
$ wget https://expired.badssl.com/ --no-check-certificate
Connecting to expired.badssl.com (104.154.89.105:443)
HTTP request sent, awaiting response... 200 OK
Saving to: ‘index.html’
index.html 100%[========================================================================================>] 494 --.-KB/s in 0s
‘index.html’ saved
As we can see, the wget continues downloading despite possible verification failure. In our case, this fixed the error and downloaded a file correctly.
If needed, this option can be combined with the other ones, such as a username and password because some servers may require authentication:
$ wget https://expired.badssl.com/ --no-check-certificate --user=USERNAME --password=PASS
As we can see, the –user option and the –password option now provide the authentication details.
Similar to the above, if the error resolves, the download process should start here.
4. Select wget Secure Protocol
If the above method hasn’t helped, we can try to manually setup the HTTPS protocol version. This is because the website may use an outdated SSL server, which may not be able to automatically choose the correct HTTPS protocol version.
In this case, we need to specify the HTTPS protocol manually by adding the option –secure-protocol=protocol.
Here, the protocol can be one of ‘SSLv2’, ‘SSLv3’, ‘TLSv1’, ‘TLSv1_1’, ‘TLSv1_2’, ‘TLSv1_3’, or ‘PFS’.
For example, let’s look at what happens if the protocol version isn’t selected correctly. For that, we’ll use the https://tls-v1-2.badssl.com/ URL.
Now, let’s simulate our system requiring a higher level of security by using the –secure-protocol switch to force TLS v1.3, triggering an error:
$ wget https://tls-v1-2.badssl.com --secure-protocol=TLSv1_3
Connecting to tls-v1-2.badssl.com (104.154.89.105:443)
OpenSSL: error:0A000410:SSL routines::sslv3 alert handshake failure
Unable to establish SSL connection.
To resolve an error like this, we can choose to explicitly downgrade to the actual TLS protocol the server uses:
$ wget https://tls-v1-2.badssl.com --secure-protocol=TLSv1_2
Connecting to tls-v1-2.badssl.com (104.154.89.105:443)
HTTP request sent, awaiting response... 200 OK
Saving to: ‘index.html’
index.html 100%[========================================================================================>] 494 --.-KB/s in 0s
‘index.html’ saved
As we can see, this downgrade resolves the SSL error.
We should note that our installed SSL system may not support all TLS or SSL versions.
5. Compile wget From Source
Sometimes, the above methods don’t resolve the issue. In this case, we can try compiling wget from the source.
The reason is that in some Linux distributions, wget may not support the HTTPS protocol by default.
Let’s look at the commands to complete the compilation and installation process.
5.1. Download wget Sources
First, we need to download the latest version of wget source code using the curl command:
$ curl https://ftp.gnu.org/gnu/wget/wget-latest.tar.gz > wget-latest.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5061k 100 5061k 0 0 2724k 0 0:00:01 0:00:01 --:--:-- 2725k
Here, we provide the link to the latest version of the wget package.
The package should now be saved as wget-latest.tar.gz.
5.2. Untar wget Package
Next, we need to untar the sources from the downloaded archive. For that, we’ll use the tar command:
$ tar xzf wget-latest.tar.gz
The options xzf allow us to unpack the gzip archive and save it to a file located in the archive.
As a result, we should be able to see the wget-
5.3. Compile the Package
Finally, we need to compile the wget package.
When compiling, it’s important to include the OpenSSL library to enable HTTPS support.
The following commands should get the job done:
$ cd wget-<version>
$ ./configure --with-openssl
$ make
$ make install
Now, the wget should be installed on our system. Let’s verify the install:
$ wget --version
GNU Wget 1.21.2 built on linux-gnu.
...
As we can see, the wget has been built and installed on our system.
6. Conclusion
In this tutorial, we learned how to fix HTTPS download errors for the wget command.
First, we analyzed how to disable the certificate check. Then, we looked at the –secure-protocol option, which can be helpful for outdated SSL servers.
Finally, we learned how to compile wget from sources and install it manually, as some Linux distributions may not have HTTPS support for wget.