Wget TLS fatal alert has been received error

This error has started to appear recently on Fedora 30, when I use ‘wget’:

[john@seneca ~]$ wget --verbose https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-6.6.0-x64.bin -P /tmp
--2019-09-03 08:46:29--  https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-6.6.0-x64.bin
Resolving www.atlassian.com (www.atlassian.com)... 52.215.192.155, 52.215.192.156, 52.215.192.157
Connecting to www.atlassian.com (www.atlassian.com)|52.215.192.155|:443... connected.
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [49]: Access was denied
Unable to establish SSL connection.

I have looked at this answer:

I created a .wgetrc, and added the following entry:
CA_CERTIFICATE=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

Then it complains that it can’t open the cert:
ERROR: Failed to open cert /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt: (0).

1 Like

It needs to use root login or run the command in sudo. It’s simple to get a file.
Have a nice day.

@eeijlar, I’m afraid it isn’t of much help, but on my system the command you’ve provided runs without any error and downloads the file successfully (edit: as normal user, not as root).

Can it be that it’s not a wget / gnutls error but some real problem with the connection? Is it the same for other hosts you use wget with?

You can also run wget --debug instead of --verbose and look for additional clues in the debug output.

By the way, it looks like wget successfully loads all system CA certificates, so you don’t have to provide them manually.

2 Likes

Hi @nightromantic! How are you…?
It runs well and there is no problem with “wget” in F30. So… take care and have a nice day!!

@simmon Please do not jump to the conclusion that root / sudo is the correct answer just because you see an “Access is denied” message.

@eeijlar Can you show us the output of ls -laZR /etc/pki/ca-trust and ls -laZR /usr/share/pki/ca-trust-source?

@simmon: here you go:

[john@seneca workspace]$ ls -laZR /etc/pki/ca-trust
/etc/pki/ca-trust:
total 24
drwxr-xr-x.  4 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 .
drwxr-xr-x. 10 root root system_u:object_r:cert_t:s0 4096 May  8 10:25 ..
-rw-r--r--.  1 root root system_u:object_r:cert_t:s0  980 Jan 31  2019 ca-legacy.conf
drwxr-xr-x.  6 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 extracted
-rw-r--r--   1 root root ?                            166 Jan 31  2019 README
drwxr-xr-x.  4 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 source

/etc/pki/ca-trust/extracted:
total 28
drwxr-xr-x. 6 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 .
drwxr-xr-x. 4 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 ..
drwxr-xr-x  2 root root ?                           4096 Aug 19 11:06 edk2
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 4096 Aug 19 11:06 java
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 4096 Sep  3 14:02 openssl
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 4096 Aug 19 11:06 pem
-rw-r--r--  1 root root ?                            560 Jan 31  2019 README

/etc/pki/ca-trust/extracted/edk2:
total 160
drwxr-xr-x  2 root root ?                             4096 Aug 19 11:06 .
drwxr-xr-x. 6 root root system_u:object_r:cert_t:s0   4096 May  8 10:00 ..
-r--r--r--  1 root root ?                           151135 Aug 19 11:06 cacerts.bin
-rw-r--r--  1 root root ?                              566 Jan 31  2019 README

/etc/pki/ca-trust/extracted/java:
total 164
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0   4096 Aug 19 11:06 .
drwxr-xr-x. 6 root root system_u:object_r:cert_t:s0   4096 May  8 10:00 ..
-r--r--r--  1 root root ?                           151818 Aug 19 11:06 cacerts
-rw-r--r--  1 root root ?                              726 Jan 31  2019 README

/etc/pki/ca-trust/extracted/openssl:
total 516
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0   4096 Sep  3 14:02 .
drwxr-xr-x. 6 root root system_u:object_r:cert_t:s0   4096 May  8 10:00 ..
-r--r--r--  1 root root ?                           255935 Sep  3 14:02 ca-bundle.trust.crt
-r--r--r--  1 root root ?                           257448 Sep  3 14:02 ca-bundle.trust.openet.crt
-rw-r--r--  1 root root ?                              787 Jan 31  2019 README

/etc/pki/ca-trust/extracted/pem:
total 396
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0   4096 Aug 19 11:06 .
drwxr-xr-x. 6 root root system_u:object_r:cert_t:s0   4096 May  8 10:00 ..
-r--r--r--  1 root root ?                           178488 Aug 19 11:06 email-ca-bundle.pem
-r--r--r--  1 root root ?                             2788 Aug 19 11:06 objsign-ca-bundle.pem
-rw-r--r--  1 root root ?                              898 Jan 31  2019 README
-r--r--r--  1 root root ?                           208277 Aug 19 11:06 tls-ca-bundle.pem

/etc/pki/ca-trust/source:
total 20
drwxr-xr-x. 4 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 .
drwxr-xr-x. 4 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 ..
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 4096 Aug 19 11:06 anchors
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 4096 Jan 31  2019 blacklist
lrwxrwxrwx  1 root root ?                             59 May  8 10:00 ca-bundle.legacy.crt -> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
-rw-r--r--  1 root root ?                            932 Jan 31  2019 README

/etc/pki/ca-trust/source/anchors:
total 12
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 4096 Aug 19 11:06 .
drwxr-xr-x. 4 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 ..
-rw-r--r--  1 root root ?                           2812 Aug 19 11:06 self-signed-cert.crt

/etc/pki/ca-trust/source/blacklist:
total 8
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 4096 Jan 31  2019 .
drwxr-xr-x. 4 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 ..
[john@seneca workspace]$ 

And:

[john@seneca workspace]$ ls -laZR /usr/share/pki/ca-trust-source
/usr/share/pki/ca-trust-source:
total 952
drwxr-xr-x. 4 root root system_u:object_r:cert_t:s0   4096 May  8 10:00 .
drwxr-xr-x. 4 root root system_u:object_r:usr_t:s0    4096 Jan 31  2019 ..
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0   4096 Jan 31  2019 anchors
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0   4096 Jan 31  2019 blacklist
-rw-r--r--  1 root root ?                           951337 Jan 31  2019 ca-bundle.trust.p11-kit
-rw-r--r--  1 root root ?                              937 Jan 31  2019 README

/usr/share/pki/ca-trust-source/anchors:
total 8
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 4096 Jan 31  2019 .
drwxr-xr-x. 4 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 ..

/usr/share/pki/ca-trust-source/blacklist:
total 8
drwxr-xr-x. 2 root root system_u:object_r:cert_t:s0 4096 Jan 31  2019 .
drwxr-xr-x. 4 root root system_u:object_r:cert_t:s0 4096 May  8 10:00 ..
[john@seneca workspace]$

The only thing non-standard about /etc/pki, is that I have a self-signed cert included in the certificate authorities file: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Check the related packages versions and integrity, check SELinux status, enable time synchronization, update CA trusts, restore SELinux labels:

rpm -q ca-certificates wget
rpm -V ca-certificates wget
getenforce
sudo systemctl --now enable systemd-timesyncd.service
sudo timedatectl set-ntp true
sudo update-ca-trust
sudo restorecon -R -v /usr/share/pki /etc/pki

@vgaetera: here is the output:

[root@seneca ~]# rpm -q ca-certificates wget
ca-certificates-2018.2.26-3.fc30.noarch
wget-1.20.3-1.fc30.x86_64
[root@seneca ~]# rpm -V ca-certificates wget
[root@seneca ~]# getenforce 
Disabled
[root@seneca ~]# systemctl --now enable systemd-timesyncd.service
Created symlink /etc/systemd/system/dbus-org.freedesktop.timesync1.service → /usr/lib/systemd/system/systemd-timesyncd.service.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service → /usr/lib/systemd/system/systemd-timesyncd.service.
[root@seneca ~]# timedatectl set-ntp true
[root@seneca ~]# update-ca-trust
[root@seneca ~]# restorecon -R -v /usr/share/pki /etc/pki
[root@seneca ~]# exit

I get the same error on wget with those changes.

Why do you have SELinux disabled? I guess that may be why some files have ? in the label field. I’m not sure if restorecon works with SELinux disabled. But then again, if it’s disabled, then the labels don’t matter.

And have you tried restoring the original file?

2 Likes

I tried copying /etc/pki from another identical Fedora machine. It made no difference.

I even downloaded wget and compiled it from source using the option to use openssl instead of GnuTLS, it made no difference either, so I really am stumped now. Re-installed wget, and re-installed gnu-tls also, no difference there either.

I never use SELinux, it’s a workstation behind a VPN so there is no great need for it. That said, restorecon does look useful 🙂

A clue to what might be happening…

If I switch to another user account on the machine, and use the locally compiled wget it works. That was compiled with openssl, binary in /usr/local/bin/wget.

However, the same binary doesn’t work on my normal user account, doesn’t work as root either.

If you’re on the other account, does the rpm version work? If so, it sounds like you have something hidden in your home directory that’s changing the config.

That doesn’t seem like a good reason to disable it, but that’s not really the point of this topic.

2 Likes
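An added example, not part of the thread: one way to follow up on the suggestion that something in a home directory is changing the config is to list, per account, the wgetrc commands and environment variables that affect wget's TLS and proxy behaviour, then compare the output between the working and failing accounts. The function name `wget_tls_overrides` is hypothetical, and the default system-wide paths (`/etc/wgetrc` for the rpm build, `/usr/local/etc/wgetrc` for a source build under `/usr/local`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the wgetrc commands and
# environment variables that can change how wget does TLS for one account.
# usage: wget_tls_overrides HOME_DIR [SYSTEM_WGETRC ...]
wget_tls_overrides() {
    home=$1; shift
    # Assumed system-wide files: rpm build, and source build under /usr/local.
    [ "$#" -gt 0 ] || set -- /etc/wgetrc /usr/local/etc/wgetrc
    # wget reads $WGETRC instead of ~/.wgetrc when that variable is set.
    for rc in "$@" "${WGETRC:-$home/.wgetrc}"; do
        [ -r "$rc" ] || continue
        # "|| [ -n "$key" ]" keeps a last line that has no trailing newline.
        while IFS='=' read -r key value || [ -n "$key" ]; do
            case $key in '#'*) continue ;; esac
            # wgetrc command names ignore case, underscores and dashes,
            # so CA_CERTIFICATE and ca-certificate are the same command.
            norm=$(printf '%s' "$key" | tr -d ' \t_-' | tr '[:upper:]' '[:lower:]')
            case $norm in
                cacertificate|cadirectory|certificate|privatekey|\
                checkcertificate|secureprotocol|httpsproxy|useproxy)
                    value=$(printf '%s' "$value" |
                        sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                    printf 'file %s: %s = %s\n' "$rc" "$norm" "$value" ;;
            esac
        done < "$rc"
    done
    # Proxy variables are read by wget itself; SSL_CERT_FILE and SSL_CERT_DIR
    # are read by OpenSSL when a build uses its default verify paths.
    for var in WGETRC https_proxy no_proxy SSL_CERT_FILE SSL_CERT_DIR; do
        eval "val=\${$var-}"
        [ -z "$val" ] || printf 'env %s=%s\n' "$var" "$val"
    done
}

# Stand-alone run: report for the current account.
wget_tls_overrides "${HOME:-/}"
```

Run it once in each account and diff the two outputs; a proxy or CA override that appears only on the failing side is the first thing to check.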

No, the rpm version doesn’t work on either the normal user or the alternative user, and the compiled version only works on the alternate user account.