Skip wget certificate checking in opam

I just updated to opam 2, on a very old MacBook which I cannot update (running OS X 10.6.8), and which is missing some important packages related to certificate validation (and due to missing tools, I cannot even update Homebrew, because it requires certification... kind of a circular problem).

I would like to update opam without checking certificates, since otherwise I get the following error:

<><> Updating package repositories ><><><><><><><><><><><><><><><><><><><><>   
[ERROR] Could not update repository "default": 
OpamDownload.Download_fail(_, "Download command failed: 
  \"/usr/local/bin/wget --content-disposition -t 3 -O 
    /private/tmp/opam-17621-5a61c5/index.tar.gz.part
    https://opam.ocaml.org/1.2.2/index.tar.gz -U opam/2.0.0\"
  exited with code 5 
  \"ERROR: cannot verify opam.ocaml.org's certificate, issued by
  'CN=Let\\'s Encrypt Authority X3,O=Let\\'s Encrypt,C=US':\"")

I was just able to upgrade from 1.2.2 to opam 2.0.0, but now I cannot do opam update. And without it, there's not much I can do.

Is there a way to pass option --no-check-certificate to the wget command used by opam without having to recompile it myself?

Best answer, by evilSnobu:

Fix your wget instead. Looks like it's missing a recent CA bundle.

First, check where it looks for the bundle:

$ strace wget -O /dev/null https://github.com 2>&1 | grep cert

read(3, "eting an end user certificate as"..., 4096) = 2806
read(5, "eting an end user certificate as"..., 4096) = 2806
openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)

Then copy Mozilla's .pem bundle to match the expected .pem path.

If you're on a system that lacks strace or there's simply no mention of a CA bundle location in the output, then try creating a .wgetrc, and add

ca_certificate = /path/to/your/ca-bundle.pem

Save as $HOME/.wgetrc.

wget should then be able to validate the Let's Encrypt cert.

More on .wgetrc at http://gnu.org/software/wget/manual/html_node/Wgetrc-Commands.html
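
The .wgetrc step from the answer above, as an added shell example that is not part of the original answer: it confirms the bundle file actually contains PEM certificates, refuses to proceed if the wgetrc turns verification off, and sets ca_certificate without duplicating the line. The function names, return codes and script name are assumptions of this example; the bundle path is wherever you saved the CA bundle.

```shell
#!/bin/sh
# Added example: the function names and return codes are this example's own.

# Print how many PEM certificate blocks a file holds (0 if unreadable).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Point wget at a CA bundle by writing ca_certificate into a wgetrc file.
#   $1 = bundle path, $2 = wgetrc path (default: $HOME/.wgetrc)
# Returns 1 if the bundle has no certificates, 2 if the wgetrc switches
# verification off (the bundle would then never be consulted).
set_wget_ca_bundle() {
    bundle=$1
    wgetrc=${2:-$HOME/.wgetrc}

    if [ "$(count_pem_certs "$bundle")" -eq 0 ]; then
        echo "no PEM certificates found in $bundle" >&2
        return 1
    fi

    [ -e "$wgetrc" ] || : > "$wgetrc"

    # wgetrc command names ignore case, '_' and '-'.
    if grep -Eiq '^[[:space:]]*check[-_]?certificate[[:space:]]*=[[:space:]]*(off|0|no)' "$wgetrc"; then
        echo "$wgetrc disables certificate checking; remove that line first" >&2
        return 2
    fi

    # Rewrite through a temp file so an old ca_certificate line is replaced,
    # not duplicated, and other settings are kept.
    tmp=$(mktemp "${wgetrc}.XXXXXX") || return 3
    grep -Eiv '^[[:space:]]*ca[-_]?certificate[[:space:]]*=' "$wgetrc" > "$tmp" || true
    printf 'ca_certificate = %s\n' "$bundle" >> "$tmp"
    mv "$tmp" "$wgetrc"
}

# Usage: sh set-wget-ca.sh /path/to/your/ca-bundle.pem
if [ "$#" -gt 0 ]; then
    set_wget_ca_bundle "$@"
fi
```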