Fail connect to AmazonMQ using Symfony messenger - php

I tried to connect to AmazonMQ with the amqps protocol and get this error:
NOTICE: PHP message: [error] Symfony\Component\Messenger\Exception\InvalidArgumentException
cfi-lms-api_1 | No CA certificate has been provided. Set "amqp.cacert" in your php.ini or pass the "cacert" parameter in the DSN to use SSL. Alternatively, you can use amqp:// to use without SSL.
Where can I get this certificate, and how do I properly work with amqps in the case of AmazonMQ? What path should I specify for cacert?
I tried using the amqp protocol, but Amazon MQ does not support it.

In the docs:
If you want to use TLS/SSL encrypted AMQP, you must also provide a CA certificate. Define the certificate path in the amqp.cacert PHP.ini setting (e.g. amqp.cacert = /etc/ssl/certs) or in the cacert parameter of the DSN (e.g amqps://localhost?cacert=/etc/ssl/certs/).
(at https://symfony.com/doc/current/messenger.html)
It says cacert is "Path to the CA cert file in PEM format."
You can download the file through your web browser by clicking the "lock" icon next to "https" in the URL bar. For example, the CA cert for StackOverflow can be downloaded like so:
Prefer the one from the "root" tab, which is usually valid for much longer (10+ years).
Source:
https://github.com/symfony/amqp-messenger/blob/5.4/Transport/Connection.php#L232
https://github.com/symfony/amqp-messenger/blob/4175a0a98507e7ec575dca9b36e6c0a5a072d3fd/Transport/Connection.php#L285

For the noobs or newbies with AmazonMQ/RabbitMQ:
Get the PEM from this URL: https://www.amazontrust.com/repository/AmazonRootCA1.pem
and pass ?cacert=/path/to/pem/Amazon_Root_CA_1.pem
I hope it helps.

@Musa thanks for the answer! I will provide more details for somebody like me who has never set up this certificate:
If you need to work with Amazon MQ, you should download the root certificate for mq.eu-central-1.amazonaws.com in PEM format (see the answer from @Musa on how to do it).
Then you should change MESSENGER_TRANSPORT_DSN in the .env file to add the new parameter cacert (see the Symfony doc for more details: https://symfony.com/doc/current/messenger.html#amqp-transport):
MESSENGER_TRANSPORT_DSN=amqps://username:password@your-secure-url.mq.eu-central-1.amazonaws.com:5671/%2f/_messages?cacert=/path-to-root-cert/mq-eu-central-1-amazonaws-com.pem
Another possible solution is to specify Amazon Root CA 1. Every Linux distribution has this certificate (see the package ca-certificates). In this case, MESSENGER_TRANSPORT_DSN must look like this:
MESSENGER_TRANSPORT_DSN=amqps://username:password@your-secure-url.mq.eu-central-1.amazonaws.com:5671/%2f/_messages?cacert=/etc/ssl/certs/Amazon_Root_CA_1.pem
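To confirm, before starting the worker, that the cacert a DSN like this points at is a readable, currently valid CA certificate, here is an added PHP example (not from the question, the answers or Symfony); the DSN, broker host, credentials and file path in it are constructed placeholders:

```php
<?php
// Added example: verify the cacert parameter of an amqps:// Messenger DSN.
// Host, credentials and file path below are constructed placeholders.
declare(strict_types=1);

/** Extracts the cacert query parameter from an amqps:// DSN, or null. */
function cacertFromDsn(string $dsn): ?string
{
    $parts = parse_url($dsn);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'amqps') {
        return null; // only amqps:// needs a CA certificate
    }
    parse_str($parts['query'] ?? '', $query);
    return isset($query['cacert']) ? (string) $query['cacert'] : null;
}

/** Returns a list of problems with the CA file; an empty list means it is usable. */
function checkCaCertFile(string $path, int $now): array
{
    if (!is_readable($path)) {
        return ["cacert file '$path' is missing or not readable by the PHP process"];
    }
    // For a bundle, openssl_x509_parse() reads the first certificate only.
    $info = openssl_x509_parse((string) file_get_contents($path));
    if ($info === false) {
        return ["'$path' is not a PEM certificate: " . (openssl_error_string() ?: 'parse error')];
    }
    $problems = [];
    // A root or intermediate CA carries the basicConstraints CA:TRUE extension.
    if (stripos($info['extensions']['basicConstraints'] ?? '', 'CA:TRUE') === false) {
        $problems[] = "'$path' is a leaf certificate, not a CA certificate";
    }
    if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        $problems[] = "'$path' is outside its validity period";
    }
    return $problems;
}

$dsn = 'amqps://user:pass@your-broker-id.mq.eu-central-1.amazonaws.com:5671/%2f/messages'
     . '?cacert=/etc/ssl/certs/Amazon_Root_CA_1.pem'; // constructed sample DSN
$cacert = cacertFromDsn($dsn);
if ($cacert === null) {
    echo "DSN is not amqps:// or has no cacert parameter\n";
} elseif ($problems = checkCaCertFile($cacert, time())) {
    echo implode("\n", $problems), "\n";
} else {
    echo "cacert OK: $cacert\n";
}
```

Run it as the same user the Messenger worker runs as, since "not readable" is as common a cause of the error as a wrong path.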

Related

PHP access to webservice with .cer and .p7b certificates

I'm trying to access a web service from the prefecture that consolidates commercial invoices. The website provides those 2 certificates, .cer and .p7b. I've tried both cURL and SOAP clients with several different options in the params array, but still only get 403 or an error on loading the key.
Can someone explain to me which of the certificates I should use, or if both, which goes in which option and what other params are needed?
Using cURL I at least get a 403 answer (which is expected without the certificate), but the SOAP client only gives SOAP-ERROR: Parsing WSDL even though it's the very same URL.
Trying to load the keys leads to:
.CER: "unable to set private key file ... type PEM"
.P7B: "could not load PEM client certificate, OpenSSL error:02001002:system library:fopen:No such file or directory, (no key found, wrong pass phrase, or wrong file format?)"
though the path seems to be correct.
I get the same errors using command line curl with the --cert option (though I tried each cert file individually; is there a way to use both simultaneously?).

Using local google Datastore with dev_appserver.py

At the moment I am able to write to the datastore once I deploy my code, but I can't write to the datastore emulator with code running locally, since it throws a ca-bundle error. The local datastore is visible at localhost:8000.
<?php
use google\appengine\api\users\User;
use google\appengine\api\users\UserService;
use google\appengine\api\app_identity\AppIdentityService;
echo AppIdentityService::getApplicationId()."<br>";
echo AppIdentityService::getDefaultVersionHostname()."<br>";
# Includes the autoloader for libraries installed with composer
require __DIR__ . '/vendor/autoload.php';
use Google\Cloud\ServiceBuilder;
# Service-account key file stored next to this script
$cloud = new ServiceBuilder([
    'projectId' => AppIdentityService::getApplicationId(),
    'keyFilePath' => 'review-9504000716d8.json'
]);
$datastore = $cloud->datastore();
# The kind for the new entity
$kind = 'Task';
# The name/ID for the new entity
$name = 'sampletask1';
# The Cloud Datastore key for the new entity
$taskKey = $datastore->key($kind, $name);
# Prepares the new entity
$task = $datastore->entity($taskKey, ['description' => 'Buy milk']);
# Saves the entity (this is the call that performs the HTTPS request and fails locally)
$datastore->upsert($task);
This code runs without any issues when deployed, but locally it throws:
Fatal error: Uncaught exception 'Google\Cloud\Exception\ServiceException' with message 'No system CA bundle could be found in any of the the common system locations. PHP versions earlier than 5.6 are not properly configured to use the system's CA bundle by default. In order to verify peer certificates, you will need to supply the path on disk to a certificate bundle to the 'verify' request option: http://docs.guzzlephp.org/en/latest/clients.html#verify. If you do not need a specific certificate bundle, then Mozilla provides a commonly used CA bundle which can be downloaded here (provided by the maintainer of cURL): https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt. Once you have a CA bundle available on disk, you can set the 'openssl.cafile' PHP ini setting to point to the path to the file, allowing you to omit the 'verify' request option. See http://curl.haxx.se/docs/sslcerts.html for more information.' in D:\Google\php\appengine-php-guestbook-phase0-helloworld\appengine-php-guestbook-phase0-hellowo in D:\Google\php\appengine-php-guestbook-phase0-helloworld\appengine-php-guestbook-phase0-helloworld\vendor\google\cloud\src\RequestWrapper.php on line 219
I didn't manage to make the local server even consider the php.ini file, nor did I manage to upgrade the bundled php55 to at least php56.
Thus I actually have 2 questions:
How do I properly connect from the local instance (dev_appserver.py) on Windows to Google's remote datastore?
How do I properly connect from the local instance to the locally emulated datastore so I can view the data on localhost:8000?
The APIs are using CA certificate files for authentication; more specifically, they are using curl.cainfo.
Now your server might already have this file configured in php.ini. You can check in the server's ini file. Remember there could be different ini files for different environments like Apache and CLI.
Now you can either copy that file or create your own authority file.
Option 1:
Set absolute path in php.ini
Option 2:
Use ini_set to set this config.
Option 3:
Try some other mode of authentication; I am sure Google will have that.
Option 4:
As given in your question itself:
If you do not need a specific certificate bundle, then Mozilla provides a commonly used CA bundle which can be downloaded here
https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt. Once you have a CA bundle available on disk, you can set the 'openssl.cafile' PHP ini setting to point to the path to the file, allowing you to omit the 'verify' request option
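The options above say where a CA bundle can come from; the added PHP example below (not from the answer or the question) resolves a readable bundle at runtime and hands it to cURL per request. It relies on openssl.cafile being PHP_INI_PERDIR and curl.cainfo PHP_INI_SYSTEM, which is why ini_set() from a script cannot change them; the CA_BUNDLE environment variable and the probe URL are assumptions.

```php
<?php
// Added example: find a usable CA bundle at runtime and pin cURL to it.
// CA_BUNDLE (env var) and the probe URL are assumptions, not from the thread.
declare(strict_types=1);

/** Returns the first readable PEM bundle: explicit path, php.ini values, OpenSSL default. */
function resolveCaBundle(?string $explicit = null): ?string
{
    $locations = openssl_get_cert_locations();
    $candidates = [
        $explicit,
        ini_get('openssl.cafile') ?: null,
        ini_get('curl.cainfo') ?: null,
        $locations['default_cert_file'] ?? null,
    ];
    foreach ($candidates as $path) {
        if ($path !== null && is_readable($path)
            && openssl_x509_parse((string) file_get_contents($path)) !== false) {
            return $path;
        }
    }
    return null;
}

/** cURL handle that verifies the peer against $caBundle; disabling VERIFYPEER is not a fix. */
function verifiedCurl(string $url, string $caBundle)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle, // per-request equivalent of curl.cainfo
    ]);
    return $ch;
}

$ca = resolveCaBundle(getenv('CA_BUNDLE') ?: null);
if ($ca === null) {
    fwrite(STDERR, "no CA bundle found: install ca-certificates or point CA_BUNDLE at one\n");
    exit(1);
}
if (ini_set('openssl.cafile', $ca) === false) {
    echo "openssl.cafile cannot be changed at runtime; passing the bundle per request instead\n";
}
$ch = verifiedCurl('https://example.com/', $ca);
$body = curl_exec($ch);
echo $body === false ? 'TLS failure: ' . curl_error($ch) . "\n" : "peer verified using $ca\n";
```

With Guzzle the same path goes into the 'verify' request option named in the error message; the resolution logic is identical.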

cURL error: [77] error setting certificate verify locations

I use the PayPal IPN class Quixotix-PHP-PayPal-IPN.
Now I get a notification from PayPal to my IPN listener,
and I activate the class, but I get the following error:
exception 'Exception' with message 'cURL error: [77] error setting certificate verify locations:
CAfile: /home/star1231/public_html/cert/api_cert_chain.crt
CApath: none' in /home/star1231/public_html/ipn.php:79
Stack trace:
#0 /home/star1231/public_html/ipn.php(175): IpnListener->curlPost('cmd=_notify-val...')
#1 /home/star1231/public_html/ipn.php(7): IpnListener->processIpn()
#2 {main}
I searched about this error,
and I read that I need to install the ca-certificates package,
in this question: How do I deal with certificates using cURL while trying to access an HTTPS url?
I have no experience in that stuff, and I don't know where to run commands and what I need to download,
so can someone please explain to me how I can install the package in cPanel on GoDaddy?
Check out: https://github.com/Quixotix/PHP-PayPal-IPN/issues/37
Setting $listener->use_curl = FALSE; solved the problem.
I am not a PHP dev, and I will be of little help assisting you with Linux, but you should be able to get this working by thoroughly reviewing the answers to these two questions:
Paypal IPN Getting blank confirmation ( should be "VERIFIED" or "INVALID" )
How do I deal with certificates using cURL while trying to access an HTTPS url?
The problem appears to be your Certificate Authority bundle, as meda writes: (source: https://stackoverflow.com/a/26260710/399124)
curl performs SSL certificate verification by default, using a
"bundle" of Certificate Authority (CA) public keys (CA certs). The
default bundle is named curl-ca-bundle.crt ... If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
To verify that that is the problem, I would try adding the -k or --insecure switch to the code in Quixotix-PHP-PayPal-IPN that's failing. Based on the stack trace, that's probably in /home/star1231/public_html/ipn.php(175).
Assuming that fixes it, we now need to figure out what's wrong with the bundle.
Does the file at /home/star1231/public_html/cert/api_cert_chain.crt even exist? If not, download it from (https://raw.githubusercontent.com/Quixotix/PHP-PayPal-IPN/master/cert/api_cert_chain.crt) and put it in the folder.
If you're still having trouble after you're sure the file is in the right place, you could have a security issue:
if there is no tls/certs folder: create one and change permissions using chmod 777 -R folderNAME
OK, if someone needs the solution...
First, download api_cert_chain.crt
(if this link doesn't work, just search in Google for "download api_cert_chain.crt" or something like that.)
Second, after you download this file, put it in the "cert" folder where your IPN listener is found,
and you are ready to go.

How to check if SSL bundle and domain certificates are made from existing private key

If I have a pkey, a csr (generated from the pkey), a bundle certificate and a domain certificate file, how can I validate that both certificates are made for the pkey?
Also, is that the right way to validate SSL certificates? Any suggestions?
I would like to avoid using the openssl CLI tool and use the PHP openssl library or any third-party PHP library.
@HannoBinder was close, but it was a bit trickier. Apparently in PHP openssl one must get resource variables from the certificate (tested also on a certificate bundle file containing the domain certificate for nginx) and the private key file.
You can get the certificate resource with openssl_pkey_get_public. But for the private key you must get it with openssl_pkey_get_private. It's not too clearly written in the documentation, since these functions are probably quite universal.
Also, I could not at first understand how to get the public key from those resources. Apparently openssl_pkey_get_details can do that.
So in the end I resolved it this way.
<?php
$cert = '/path/to/domain-or-bundle.crt'; // PEM certificate (or bundle with the domain cert first)
$pkey = '/path/to/private.key';          // PEM private key
// Public key as carried in the certificate
$certPubKeyResource = openssl_pkey_get_public(file_get_contents($cert));
$publicKey1 = trim(openssl_pkey_get_details($certPubKeyResource)['key']);
// Public key as derived from the private key
$private_key = openssl_pkey_get_private(file_get_contents($pkey));
$publicKey2 = trim(openssl_pkey_get_details($private_key)['key']);
echo (!strcmp($publicKey1, $publicKey2) ? 'OK' : 'FAIL') . PHP_EOL;
I hope someone will have use for this, since I could not find this particular case.
Also, if someone gives a more in-depth answer, maybe with some references to useful materials about SSL in PHP, I could mark it as the correct answer instead of mine, since I'm quite interested in getting the full picture of this topic.
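As an added example (not the answer's code), the same check extended to a whole bundle file, using openssl_x509_check_private_key() instead of comparing exported public-key strings; it generates a throwaway key and two self-signed certificates in-process, so it runs without any real files.

```php
<?php
// Added example: test every certificate in a PEM bundle against a private key.
// The key and certificates are generated in-process (constructed sample data).
declare(strict_types=1);

/** Splits a PEM bundle (domain cert + chain) into individual certificate blocks. */
function splitPemBundle(string $pem): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    return $m[0];
}

/** Returns [subject => bool]: true where the certificate's public key matches the private key. */
function matchBundleToKey(string $bundlePem, string $privateKeyPem, string $passphrase = ''): array
{
    $key = openssl_pkey_get_private($privateKeyPem, $passphrase);
    if ($key === false) {
        throw new RuntimeException('cannot load private key: ' . openssl_error_string());
    }
    $result = [];
    foreach (splitPemBundle($bundlePem) as $i => $certPem) {
        $info = openssl_x509_parse($certPem);
        $subject = is_array($info) && isset($info['name']) ? $info['name'] : "certificate #$i";
        // Compares the key material directly instead of exported public-key text.
        $result[$subject] = openssl_x509_check_private_key($certPem, $key);
    }
    return $result;
}

/** Constructed sample: a fresh RSA key and a self-signed certificate for $cn. */
function sampleCert(string $cn, ?string &$keyPem): string
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new(['commonName' => $cn], $key);
    $cert = openssl_csr_sign($csr, null, $key, 365);
    openssl_pkey_export($key, $keyPem);
    openssl_x509_export($cert, $certPem);
    return $certPem;
}

// Bundle in nginx order: the domain certificate first, then an unrelated "CA" certificate.
$bundle = sampleCert('www.example.test', $domainKey) . sampleCert('Example Test CA', $caKey);
foreach (matchBundleToKey($bundle, $domainKey) as $subject => $ok) {
    printf("%-40s %s\n", $subject, $ok ? 'matches key' : 'does not match');
}
```

Only the domain certificate is expected to match; the chain certificates in a real bundle are signed with the CA's keys, so a "does not match" for them is normal.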

SSL certificate error: self signed certificate in certificate chain in using Twilio on my Laravel Website

I am testing my code on my localhost and I tried dtisgodsson/laravel4-twilio
to apply to my current website, but I got this error:
SSL certificate problem: self signed certificate in certificate chain
right after I put this code inside my index.blade.php:
Twilio::to('119061539155')->message('This is so, damn, easy!');
What do I need to do to get rid of this error?
Twilio Developer Evangelist here.
This error is caused by not having an up-to-date bundle of CA root certificates with your PHP installation. You need to download the latest CA root certificate bundle and update your php.ini to use this bundle. This blog post shows you how to accomplish both of those things.
Let me know if that gets you all fixed up!
If the solution selected as the answer to this question did not work and you continue to have SSL authentication problems, try this:
Change the setting twilio_use_certificate from false to true.
Find the file OpenVBX/config/config.php and search for "twilio_use_certificate".
Then change FROM:
$config['twilio_use_certificate'] = false;
TO:
$config['twilio_use_certificate'] = true;
