When I try to run Wget with the following options:
E:\Program Files\GnuWin32\bin>wget -p --html-extension --convert-links --no-check-certificate https://minecraft.net/en-us/
SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
syswgetrc = E:\Program Files\GnuWin32/etc/wgetrc
--2017-02-24 10:38:01-- https://minecraft.net/en-us/
Resolving minecraft.net... 52.84.24.33, 52.84.24.150, 52.84.24.230, ...
Connecting to minecraft.net|52.84.24.33|:443... connected.
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Unable to establish SSL connection.
I get the error: Unable to establish SSL connection.
The website that I am trying to download is safe.
I have also tried to change the protocol to SSLv3, but it still is not working.
Can someone tell me why it is doing this and how to get around it?
I’m trying to wget to my own box, and it can’t be an internal address in the wget (so says another developer).
When I wget, I get this:
wget http://example.com
--2013-03-01 15:03:30-- http://example.com/
Resolving example.com... 172.20.0.224
Connecting to example.com|172.20.0.224|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.example.com/ [following]
--2013-03-01 15:03:30-- https://www.example.com/
Resolving www.example.com... 172.20.0.224
Connecting to www.example.com|172.20.0.224|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
I believe it is because I do not have the certificate set up properly. Using openssl:
openssl s_client -connect example.com:443
CONNECTED(00000003)
15586:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
While if I do the same command on another site, it shows the entire cert.
Perhaps the SSL cert was never set up in the conf file on Apache for that domain?
If so, what should I be specifying in the virtualhost? Is there any alternative other than specifying --no-check-certificate, because I don’t want to do that?
asked Mar 1, 2013 at 21:11
meder omuraliev
1
SSL23_GET_SERVER_HELLO:unknown protocol
This error happens when OpenSSL receives something other than a ServerHello in a protocol version it understands from the server. It can happen if the server answers with plain (unencrypted) HTTP. It can also happen if the server only supports e.g. TLS 1.2 and the client does not understand that protocol version. Normally, servers are backwards compatible to at least SSL 3.0 / TLS 1.0, but maybe this specific server isn’t (by implementation or configuration).
It is unclear whether you attempted to pass --no-check-certificate or not. I would be rather surprised if that would work.
A simple test is to use wget (or a browser) to request http://example.com:443 (note the http://, not https://); if it works, SSL is not enabled on port 443. To further debug this, use openssl s_client with the -debug option, which right before the error message dumps the first few bytes of the server response which OpenSSL was unable to parse. This may help to identify the problem, especially if the server does not answer with a ServerHello message. To see what exactly OpenSSL is expecting, check the source: look for SSL_R_UNKNOWN_PROTOCOL in ssl/s23_clnt.c.
In any case, looking at the Apache error log may provide some insight too.
answered Mar 1, 2013 at 22:50
3
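The check described in the answer above, reading the first bytes of the server's reply, as an added example (not part of the original answer and not OpenSSL code): it tells a ServerHello from a TLS alert such as the handshake failure in the first question, and from plain HTTP on the TLS port. The dump line layout parsed by `bytes_from_dump` and the sample bytes are assumptions constructed for illustration.

```python
import re

# TLS record content types and a few alert codes (RFC 5246, RFC 6066).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 112: "unrecognized_name"}
VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

# Constructed sample of pasted `openssl s_client -debug` output (assumed layout).
SAMPLE_DUMP = """read from 0x1000 [0x2000] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
"""


def bytes_from_dump(text: str) -> bytes:
    """Collect the hex column of the dump lines that follow the first 'read from'."""
    section = text.split("read from", 1)[-1]
    out = bytearray()
    for hexcol in re.findall(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -])+)", section, re.M):
        out += bytes.fromhex(hexcol.replace("-", " "))
    return bytes(out)


def classify_first_bytes(data: bytes) -> str:
    """Say what the first bytes a server sent in reply to a ClientHello are."""
    if not data:
        return "no data: connection closed or port filtered"
    if data[:5] == b"HTTP/" or data.lstrip()[:1] == b"<":
        return "plain HTTP: TLS is not enabled on this port"
    if len(data) < 5 or data[0] not in CONTENT_TYPES or data[1] != 3:
        return "not a TLS record: some other protocol is listening"
    kind = CONTENT_TYPES[data[0]]
    version = VERSIONS.get(data[2], "unknown version 3.%d" % data[2])
    if kind == "alert" and len(data) >= 7:
        level = "fatal" if data[5] == 2 else "warning"
        name = ALERTS.get(data[6], "alert %d" % data[6])
        return "TLS alert (%s, %s) in a %s record" % (level, name, version)
    if kind == "handshake" and len(data) >= 6 and data[5] == 2:
        return "ServerHello in a %s record: TLS is enabled" % version
    return "TLS %s record (%s)" % (kind, version)


if __name__ == "__main__":
    print(classify_first_bytes(bytes_from_dump(SAMPLE_DUMP)))
    print(classify_first_bytes(b"HTTP/1.1 400 Bad Request\r\n"))
```

A fatal alert means TLS is enabled and the two sides could not agree on parameters, while an HTTP or HTML reply points at the virtual host or listener configuration instead.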
In my case I had not enabled the site ‘default-ssl’. Only ‘000-default’ was listed in the /etc/apache2/sites-enabled folder.
Enable SSL site on Ubuntu 14 LTS, Apache 2.4.7:
a2ensite default-ssl
service apache2 reload
answered May 2, 2015 at 1:03
1
Just a quick note (and possible cause).
You can have a perfectly correct VirtualHost setup with _default_:443 etc. in your Apache .conf file.
But… If there is even one .conf file enabled with incorrect settings that also listens to port 443, then it will bring the whole SSL system down.
Therefore, if you are sure your .conf file is correct, try disabling the other site .conf files in sites-enabled.
answered Dec 2, 2015 at 9:04
Nostalg.io
2
There are a few possibilities:
1. Your workstation doesn’t have the root CA cert used to sign your server’s cert. How exactly you fix that depends on what OS you’re running and what release, etc. (I suspect this is not related)
2. Your cert isn’t installed properly. If your SSL cert requires an intermediate cert to be presented and you didn’t set that up, you can get these warnings.
3. Are you sure you’ve enabled SSL on port 443?
For starters, to eliminate (3), what happens if you telnet to that port?
Assuming it’s not (3), then depending on your needs you may be fine with ignoring these errors and just passing --no-certificate-check. You probably want to use a regular browser (which generally will bundle the root certs directly) and see if things are happy.
If you want to manually verify the cert, post more details from the openssl s_client output. Or use openssl x509 -text -in /path/to/cert to print it out to your terminal.
answered Mar 1, 2013 at 21:22
Dave S.
2
I had this problem when setting up a new EC2 instance. I had not added HTTPS to my security group, and so port 443 was not open.
answered Nov 9, 2015 at 20:35
Steve Ellis
For me a DNS name of my server was added to /etc/hosts and it was mapped to 127.0.0.1 which resulted in
SSL23_GET_SERVER_HELLO:unknown protocol
Removing mapping of my real DNS name to 127.0.0.1 resolved the problem.
answered Mar 13, 2018 at 10:26
Kirill Oficerov
I met this same problem. Port 443 wasn’t open in CentOS.
Check port 443 with the following command:
sudo lsof -i tcp:443
At the first line of /etc/httpd/conf.d/ssl.conf add these two lines:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
answered Mar 31, 2017 at 9:47
GeekHades
This problem happened for me only in special cases, when I called the website from some internet providers. I had configured only IPv4 in the VirtualHost configuration of Apache, but some routers use IPv6, and when I added IPv6 to the Apache config the problem was solved.
answered May 31, 2019 at 16:18
masoud2011
The problem I faced was in a client-server environment. The client was trying to connect over HTTP port 80 but wanted the server proxy to redirect the request to some other port, and the data was HTTPS. So basically asking for secure information over HTTP. So the server should have HTTP port 80 as well as the port the client is requesting, let’s say urla:1111\subB.
The issue was that the server was hosting this on some other port, e.g. urla:2222\subB; so the client trying to access over 1111 was receiving the error. Correcting the port number should fix this issue. In this case to port number 1111.
answered Dec 23, 2013 at 9:32
A Wget SSL error can occur for many different reasons, including Wget not supporting HTTPS downloads, the no-check-certificate setting, an issue with the secure-protocol option, and so on.
The Wget command helps in downloading files from the Internet through the command line.
At Bobcares, we often receive requests to fix this error as part of our Server Management Services.
Today, let’s discuss how our Support Engineers fix this error easily for our customers.
Top causes and fixes for the Wget SSL error
It is a very generic error. When the Wget SSL error occurs, it normally shows the error message “Unable to establish SSL connection”.
Here are a few causes of the error. Let’s discuss them in detail.
Wget not supporting https downloads resulting in Wget SSL error
This error occurs when the Wget build in some distributions does not support HTTPS downloads.
If we find any such error, our Support Engineers fix this by compiling the source code manually with OpenSSL. After that, we can do HTTPS downloads.
Errors with the secure protocol option
Sometimes, the error may be with the secure protocol option. In such cases, our Support Engineers fix this by adding a secure-protocol option with a suitable protocol argument.
We set this using the option below.
--secure-protocol=protocol
We can set the protocol to any of these: ‘auto’, ‘SSLv2’, ‘SSLv3’, ‘TLSv1_1’, ‘TLSv1_2’.
And, this can resolve the error easily. However, the older versions of TLS are vulnerable.
Wget error due to Date/time
A date/time mismatch can cause the error to pop up.
We double-check the date/time and refresh the SSL certificate to fix this error. We use the command below for refreshing.
/usr/sbin/update-ca-certificates --fresh
No-check-certificate
Similarly, we can also fix the error by setting “--no-check-certificate”. With this set, Wget does not check the server’s certificate.
This will generally prompt for a password check. But this method is not always recommended, because without certificate checking Wget cannot confirm that it is talking to the intended server.
Conclusion
In short, when the Wget SSL error occurs, it shows the error message “Unable to establish SSL connection”, which is a generic error. In today’s article, we discussed how our Support Engineers resolve this error easily for our customers.
A Wget SSL error can occur for many different reasons, including Wget not supporting HTTPS downloads, the no-check-certificate setting, an issue with the secure-protocol option, and so on.
The Wget command helps in downloading files from the Internet through the command line.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to fix SSL related errors.
In this context, we shall look into how to fix this error.
Main causes and steps to fix Wget SSL error?
It is a very generic error. When the Wget SSL error occurs, it normally shows the error message “Unable to establish SSL connection”.
Here are a few causes of the error. Let’s discuss them in detail.
1. Wget not supporting https downloads resulting in Wget SSL error
This error occurs when the Wget build in some distributions does not support HTTPS downloads.
If we find any such error, our Support Engineers fix this by compiling the source code manually with OpenSSL. After that, we can do HTTPS downloads.
2. Errors with the secure protocol option
Sometimes, the error may be with the secure protocol option. In such cases, our Support Engineers fix this by adding a secure-protocol option with a suitable protocol argument.
We set this using the option below:
--secure-protocol=protocol
We can set the protocol to any of these: ‘auto’, ‘SSLv2’, ‘SSLv3’, ‘TLSv1_1’, ‘TLSv1_2’.
And, this can resolve the error easily. However, the older versions of TLS are vulnerable.
3. Wget error due to Date/time
A date/time mismatch can cause the error to pop up.
We double-check the date/time and refresh the SSL certificate to fix this error. We use the command below for refreshing.
/usr/sbin/update-ca-certificates --fresh
4. No-check-certificate
Similarly, we can also fix the error by setting “--no-check-certificate”. With this set, Wget does not check the server’s certificate.
This will generally prompt for a password check. But this method is not always recommended.