1. Overview

wget is a popular command-line tool for downloading files on Linux. It supports a vast number of network protocols including FTP and HTTPS.

When downloading a file, we may sometimes encounter errors, depending on the HTTPS setup of the server we’re using.

In this tutorial, we’ll look at how to resolve HTTPS download-related errors in wget. First, we’ll learn disabling the certificate check. Then, we’ll consider wget secure protocol options that may fix it. Finally, we’ll look at compiling wget from source to install the latest version, which can be helpful in certain situations.

2. Reproduce an Error

First, let’s reproduce an error like the kind we’re trying to resolve in this tutorial.

For that, we use the badssl.com website, which allows us to simulate various HTTP errors.

Here, the link we use to reproduce the HTTP error is https://expired.badssl.com/, which creates the certificate-related problems:

$ wget https://expired.badssl.com/
Connecting to expired.badssl.com (104.154.89.105:443)
ERROR: cannot verify expired.badssl.com's certificate: issued certificate has expired
wget: error getting response: Connection reset by peer

As we can see, a download link causes “certificate has expired” error.

In the next sections, we’ll see how to resolve this error.

3. Disable wget Certificate Check

To fix the above error, we can try adding the option –no-check-certificate:

$ wget https://expired.badssl.com/ --no-check-certificate 
Connecting to expired.badssl.com (104.154.89.105:443)
HTTP request sent, awaiting response... 200 OK
Saving to: ‘index.html’
index.html         100%[========================================================================================>]     494  --.-KB/s    in 0s      
‘index.html’ saved

As we can see, the wget continues downloading despite possible verification failure. In our case, this fixed the error and downloaded a file correctly.

If needed, this option can be combined with the other ones, such as a username and password because some servers may require authentication:

$ wget https://expired.badssl.com/ --no-check-certificate --user=USERNAME --password=PASS

As we can see, the –user option and the –password option now provide the authentication details.

Similar to the above, if the error resolves, the download process should start here.

4. Select wget Secure Protocol

If the above method hasn’t helped, we can try to manually setup the HTTPS protocol version. This is because the website may use an outdated SSL server, which may not be able to automatically choose the correct HTTPS protocol version.

In this case, we need to specify the HTTPS protocol manually by adding the option –secure-protocol=protocol.

Here, the protocol can be one of ‘SSLv2’, ‘SSLv3’, ‘TLSv1’, ‘TLSv1_1’, ‘TLSv1_2’, ‘TLSv1_3’, or ‘PFS’.

For example, let’s look at what happens if the protocol version isn’t selected correctly. For that, we’ll use the https://tls-v1-2.badssl.com/ URL.

Now, let’s simulate our system requiring a higher level of security by using the –secure-protocol switch to force TLS v1.3, triggering an error:

$ wget https://tls-v1-2.badssl.com --secure-protocol=TLSv1_3
Connecting to tls-v1-2.badssl.com (104.154.89.105:443)
OpenSSL: error:0A000410:SSL routines::sslv3 alert handshake failure
Unable to establish SSL connection.

To resolve an error like this, we can choose to explicitly downgrade to the actual TLS protocol the server uses:

$ wget https://tls-v1-2.badssl.com --secure-protocol=TLSv1_2
Connecting to tls-v1-2.badssl.com (104.154.89.105:443)
HTTP request sent, awaiting response... 200 OK
Saving to: ‘index.html’
index.html         100%[========================================================================================>]     494  --.-KB/s    in 0s      
‘index.html’ saved

As we can see, this downgrade resolves the SSL error.

We should note that our installed SSL system may not support all TLS or SSL versions.

5. Compile wget From Source

Sometimes, the above methods don’t resolve the issue. In this case, we can try compiling wget from the source.

The reason is that in some Linux distributions, wget may not support the HTTPS protocol by default.

Let’s look at the commands to complete the compilation and installation process.

5.1. Download wget Sources

First, we need to download the latest version of wget source code using the curl command:

$ curl https://ftp.gnu.org/gnu/wget/wget-latest.tar.gz > wget-latest.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5061k  100 5061k    0     0  2724k      0  0:00:01  0:00:01 --:--:-- 2725k

Here, we provide the link to the latest version of the wget package.

The package should now be saved as wget-latest.tar.gz.

5.2. Untar wget Package

Next, we need to untar the sources from the downloaded archive. For that, we’ll use the tar command:

$ tar xzf wget-latest.tar.gz

The options xzf allow us to unpack the gzip archive and save it to a file located in the archive.

As a result, we should be able to see the wget- directory.

5.3. Compile the Package

Finally, we need to compile the wget package.

When compiling, it’s important to include the OpenSSL library to enable HTTPS support.

The following commands should get the job done:

$ cd wget-<version>
$ ./configure --with-openssl
$ make
$ make install

Now, the wget should be installed on our system. Let’s verify the install:

$ wget --version
GNU Wget 1.21.2 built on linux-gnu.
...

As we can see, the wget has been built and installed on our system.

6. Conclusion

In this tutorial, we learned how to fix HTTPS download errors for the wget command.

First, we analyzed how to disable the certificate check. Then, we looked at the –secure-protocol option, which can be helpful for outdated SSL servers.

Finally, we learned how to compile wget from sources and install it manually, as some Linux distributions may not have HTTPS support for wget.