I need to establish a TLS connection between my backend and a web service API. I'm using the HttpClientInterface class within the Symfony framework. I would really like to understand what I'm doing here.
This is the situation:
I recieved a .p12 file containing my certificate and its private key, these have been extracted with openssl to .pem files. In the PHP: SSL context options, I have set local_cert = /mypath/mycert.pem, local_pk = /mypath/mykey.pem and passphrase = 'pwtoextractfiles'. Are all these options neccessary? Whats happening here really?
I also got a server certificate. I set cafile = /mypath/servercert.pem. However the issuer of the server cert tells me I'm supposed to add the issuer of the server cert as trusted root and add the issuer in my trust store. How is this done in PHP? Have I done this correctly by setting the cafile option?
Related
We're using the Docusign RestAPI (PHP SDK) from our app and it works great. Authentication mode is JWT. I want to use all the code I've written on a different subdomain, but I get this error:
API call to https://account.docusign.com/oauth/token failed: SSL certificate problem: unable to get local issuer certificate
Both domains, my-domain.com and new.my-domain.com have SSL certs installed. What do I do now? What have I missed?
The DocuSign public certificates page lists all certificates.
Scroll down and look for this:
Install the certificate on your server where you are running the code from.
Do you have the standard set of trusted root certs installed in PHP?
This article may help you.
SOLVED: the new subdomain was operating on a different version of PHP. I added the cert paths to that php.ini file and it works as it should now.
I am using magento community edition 2.2 on wamp on windows server 2016. Whenever I am trying to Sign in to sync your Magento Marketplace purchases through System > Web Setup Wizard > System Config using the private and public keys taken from magento market place, I am getting the error:
"SSL certificate problem: unable to get local issuer certificate"
I tried solutions provided in some of the other threads in this forum to download cacert.pem and do the following settings in the php.ini
curl.cainfo = "C:\wamp64\bin\php\php7.1.9\cacert.pem" (this is where I put the cacert.pem file). It did not work!!
Other threads advice to put the self certified certificate in a convenient directory and specify the name with path for "curl.cainfo" and "openssl.cafile".
The issue is that I am not using self certified certificate. I have bought a commercial certificate, where they have given two files a certificate and a certificate chain file. Along with the key file I used to create the request, I have successfully installed configured apache to get https for the website.
The question is, how to get rid of the above error ""SSL certificate problem: unable to get local issuer certificate". The answers in the threads are all for the self signed certificates, where I am having a commercially purchased certificate (with multiple files)
I am using php 7.1.9 on wamp 3.1.0 magento CE 2.2.0
Please Advice....
You must have received the root and the intermediate certificate along with the main certificate.
The error states that its unable to verify the certificate uptil the root certificate. Rename the CACert.pem file with .crt extension . Also change the extension of the public key to .crt. Now, verify Whether the ISSUES BY of public key is the ISSUED TO of cartcert.pem is same. if its not the same then the intermediate in the cacert.pem is incorrect.
My php code need to connect to a remote ssl server using stream_socket_client(), The ssl server owner provide me this document:
All clients must use a publicly verifiable certificate. We support a
wide range of public certificate authorities. All those in the Mozilla
CA Certificate Store (as used in the Firefox browser and Debian
operating systems), are supported as well as the free public
certificate authority CACert (www.cacert.com).
I do know I can use stream_context_create() with "local_cert" and "local_pk" to provide my client certificate.
As they mention of www.cacert.com, I can download certificate files from http://www.cacert.org/index.php?id=3
My question is: With the certificate files I downloaded from www.cacert.org, what need to be set for "local_cert" and "local_pk"?
My knowledge is improved after this, here is what I did to get over:
I used "WHM SSL/TLS »Generate an SSL Certificate and Signing Request" tool to generate Signing Request, Certificate and Private Key, then submit them all to CAcert.org, and they generate me a SSL certificate.
Then use SSL certificate as "local_cert", Private Key as "local_pk" and everything works well.
I'm trying to install Vaprobash via CURL but I get this message everytime I try to download something through CURL. I'm using a Mac.
curl -L http://bit.ly/vaprobash > Vagrantfile
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Append option in curl call:
-k/--insecure
The curl will be not trying to verify SSL cert.
The link is redirecting to a secure HTTP (SSL) server, and curl doesn't have access to the proper chain of trusted certificates to confirm that the site says it is who it is.
If you're sure the site is legitimate, and this is a once-off effort, you can use the --insecure option (it will ignore any certificate errors). Opening the link in a browser directs to GitHub with no issues, and curl fetches it fine on my Ubuntu 12.04 box.
It's likely a missing certificate in your SSL installation. Run with the -v option to get a detailed output if you need to confirm this.
I'm testing an API that uses curl_exec php function and a CA certificate but something is going wrong and I'm a little lost.
I have configured SSL on my apache VirtualHost and looks ok ( opening https:://[myVHost]... works ).
However the API curl call give me back this message:
SSL peer certificate or SSH remote key was not OK
I'm not very experienced with SSL so I have few ideas about the cause of that.
UPDATE:
This is the code I'm using in my cURL request, I have commented 2 lines and changes their value (look at 'TODO' line ) and in this way it is working, however this is just a work arround ...
$opts[CURLOPT_URL] = $url;
$opts[CURLOPT_RETURNTRANSFER] = true;
$opts[CURLOPT_CONNECTTIMEOUT] = 50;
$opts[CURLOPT_TIMEOUT] = 100;
$headers = array(
'Accept: application/json',
"User-Agent: APIXXX-PHP-Client");
$opts[CURLOPT_HTTPHEADER] = $headers;
$opts[CURLOPT_USERPWD] = $env->getApiKey() . ':';
if (certificatePresent()) {
// $opts[CURLOPT_SSL_VERIFYPEER] = true;
// $opts[CURLOPT_SSL_VERIFYHOST] = 2;
// TODO: SET IT BACK
$opts[CURLOPT_SSL_VERIFYPEER] = 0;
$opts[CURLOPT_SSL_VERIFYHOST] = 0;
$opts[CURLOPT_CAINFO] = $path
}
curl_setopt_array($curl, $opts);
$response = curl_exec($curl);
You are probably using self-signed SSL certifiacate, which will not pass when the CURLOPT_SSL_VERIFYPEER options is set.
There are two solutions:
Set up valid SSL certificate.
Disable SSL verification in Curl. (add --insecure option)
If you disable verification, you can't be sure if you are really communicating with your host.
So it depends on level of security you need.
Beside CURLOPT_SSL_VERIFYPEER there are two other settings which might be changed to false/0:
CURLOPT_SSL_VERIFYHOST
CURLOPT_SSL_VERIFYSTATUS
Beware that you should fix your SSL certificates & settings instead of disable security!
Although I am answering an old post, I think it will help the new viewers-
You can check the problem by adding
$opts[CURLOPT_VERBOSE] = 1
For self signed certificate your client may connect with the server using IP address, because the host name is not available in DNS cache. In that case the COMMON NAME(CN) of your server certificate needs to match with the Server IP (put IP address as common name when generating the server certificate). When you do it correctly, you can see this message:
common name: 192.168.0.1 (matched)
Here 192.168.0.1 is an example.
You're right to want to enable SSL_VERIFYPEER if you are worried about man-in-the-middle attacks.
Is your $path set to point to the certificate (or certificate bundle) provided by the API owner? Is that certificate readable by the web server user? If so, have you verified that the certificate(s) is the same as when you visit the https address manually in a browser and inspect the certificate?
If you can't get it to work, and the API you are connecting to has a SSL certificate that works in your normal browser without warnings, you should be able to set $path to your CA root bundle on your server.
You can build a valid SSL certificate and ensure that it is stored in the trusted folder.
Valid SSL certificate can be created by including the following command in the developer command prompt of VS2012. (This can be obtained by typing developer in the start)
The following command creates a self-signed certificate that can be used to test a web application that uses Secure Sockets Layer (SSL) on a web server whose URL is www.example.com. The OID defined by the -eku option identifies that certificate as an SSL server certificate. The certificate is stored in the my store and is available at the machine (rather than user) level. The certificate's private key is exportable, and the certificate is valid from May 10, 2010 through December 22, 2011.
Makecert -r -pe -n CN="www.example.com" -b 05/10/2010 -e 12/22/2011 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
For more on how to create the SSL certificate
Now make sure that this certificate is trusted, this can be done by typing CERTMGR in the cmd..
now the cert created is in the PERSONAL folder.. copy it and paste it to the TRUSTED PEOPLE FOLDER.
This should do the trick. Let me know if that doesn't work.
I had the same issue. I follow the instruction here: http://siteber.com/download-failed-ssl-peer-certificate-or-ssh-remote-key-was-not-ok/ and it fixed mine.
basically I went to /etc/resolv.conf
and Replace any
OpenDNS server:
208.67.222.222
208.67.220.220
With
Google’s public DNS servers:
nameserver 8.8.8.8
nameserver 8.8.4.4
This error can also occur if you update packages on a linux server that has a self-signed certificate.
Solution:
Stop your existing Apache/nginx server.
Run certbot (if you are using lets encrypt)
Restart your Apache/nginx server.
Note: If you're using Springboot, add System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2,TLSv1.3"); to your application.properties file
Voila!
I spent almost all day for this error, and problem was in using ipv6, and called api server does not support ipv6.
Solution:
curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_VERSION_IPV4);