I am trying to connect to a server using SSL cert verification. On my local machine I run curl in verbose mode and I get:
* Trying X.X.X.X...
* TCP_NODELAY set
* Connected to server.com (X.X.X.X) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: ./XXX.pem
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
......<<connects correctly and does its thing>>......
On my other Linux box I run the exact same script and get:
* About to connect() to server.com port 443 (#0)
* Trying X.X.X.X...
* Connected to server.com (X.X.X.X) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Closing connection 0
<< Curl error: 77 >>
I am using the exact same certs on both machines. I have tried a billion different things and can't figure it out.
What do I need to do on the failing machine to get it to connect correctly? What other info do you need to assist me? I am quite far out of my comfort zone on this one... I don't know if it's a local cert on the machine that's causing the error....
Here is the script I am using:
$path = "./someFile.pem";   // client certificate (PEM)
$keyFile = "./someFile.key"; // client private key
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1); // verify the server's chain against the CA store
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSLCERT, $path);    // client cert presented to the server
curl_setopt($ch, CURLOPT_SSLKEY, $keyFile);  // matching private key
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $pass);
// Note: CURLOPT_CAPATH expects a directory of hashed CA certificates, not a PEM file;
// a CA bundle file goes in CURLOPT_CAINFO. The client cert is also not the CA that signed the server.
curl_setopt($ch, CURLOPT_CAPATH, $path);
curl_setopt($ch, CURLOPT_TIMEOUT, 300);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $xml);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_CERTINFO, true);
$response = curl_exec($ch);
EDIT:
I was given a pfx file and I did the following:
To export the private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
To export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
To remove the passphrase from the private key: openssl rsa -in key.pem -out server.key
I then put each of those files in the dir that httpd.conf expects. Access to the server works fine now over https://.
I did yum install ca-certificates and got:
Package ca-certificates-2019.2.32-76.el7_7.noarch already installed and latest version
I don't know what else to do next. I'm getting the same error as above.
I'm trying to make a request to an https URL. I do it via cmd and curl like:
curl --cert cert.pem https://my_test.com
and it works fine. Then I try to do it with PHP and can't connect to the URL. I've really tried many solutions:
curl_setopt($curl, CURLOPT_VERBOSE, true);
curl_setopt($curl, CURLOPT_STDERR, fopen("D://curl_debug.txt", "w+")); // verbose log goes to this file
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_CAPATH, "D:\\xampp\\htdocs\\CA\\");     // directory of CA certs
curl_setopt($curl, CURLOPT_CAINFO, "D:\\xampp\\htdocs\\cert.pem");  // CA bundle file
In curl_debug.txt I get:
* successfully set certificate verify locations:
CAfile: D:\xampp\apache\bin\curl-ca-bundle.crt
CApath: D:\xampp\htdocs\CA\
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream
Maybe someone has an idea what the problem is? Thanks!
I'm stuck with the same issue which many others have faced before; hope someone can help me.
I'm getting this error after my client added an SSL certificate to the server.
I've been searching Google and forums the whole day but couldn't fix it, so finally I'm posting it here.
My code below:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE); // verify the server's chain
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // and that its name matches the host
curl_setopt($ch, CURLOPT_VERBOSE, 1);
//curl_setopt ($ch, CURLOPT_CAINFO, dirname(__FILE__)."\cacert.pem");
// Note: CURLOPT_CAPATH is meant for a directory of hashed CA certs; a PEM bundle belongs in CURLOPT_CAINFO.
curl_setopt ($ch, CURLOPT_CAPATH, dirname(__FILE__)."\cacert.pem");
curl_setopt($ch, CURLOPT_STDERR, fopen(dirname(__FILE__)."/curl_debug.txt", "w+")); // verbose log file
if(curl_exec($ch) === false)
{
echo 'Curl error: ' . curl_error($ch);
}
exit;
I've added these lines to the php.ini file:
[curl]
curl.cainfo="C:\xampp\perl\vendor\lib\Mozilla\CA\cacert.pem"
[openssl]
openssl.cafile="C:\xampp\perl\vendor\lib\Mozilla\CA\cacert.pem"
And I tried downloading the latest cacert.pem file.
And I tried the above code giving the absolute path to the file:
//curl_setopt ($ch, CURLOPT_CAINFO, dirname(__FILE__)."\cacert.pem");
Nothing works; all I get is the same error:
Curl error: SSL certificate problem: unable to get local issuer certificate
And I added CURLOPT_VERBOSE to look in detail; below is what I received:
* Hostname in DNS cache was stale, zapped
* Trying xxx.xxx.x.x...
* Connected to mywebsite.com (xxx.xxx.x.x) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: C:\xampp\perl\vendor\lib\Mozilla\CA\cacert.pem
CApath: C:\xampp\htdocs\projects\myproject\includes\cacert.pem
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
Note: I added CApath since it showed CApath: none when not specified.
It would be great if anyone could advise me on the above.
Many Thanks
In Windows XAMPP, when using cURL I have to set curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); I understand this is some kind of bug.
Obviously this bypasses the verification intended when using SSL so it is a workaround only for development.
I'm getting the classic PHP cURL error "unable to get local issuer certificate".
Here is some more information from the curl debug output:
Trying 133.7.42.21...
TCP_NODELAY set
Connected to example.adress.com (133.7.42.21) port 443 (#0)
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
successfully set certificate verify locations:
CAfile: C:\some_absolute_path\cacert.pem
CApath: none
SSL certificate problem: unable to get local issuer certificate
Curl_http_done: called premature == 1
* Closing connection 0
As you can see, I tried to use the "cacert.pem" file from Mozilla.
I tried all of them but none of them worked.
The PHP code:
$curl = curl_init($location);
//set verifier from interface host
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
//set host global certificate
curl_setopt($curl, CURLOPT_CAINFO, $globla_cert);
//set certificate
curl_setopt($curl, CURLOPT_SSLCERT, $ssl_cert);
//set private key
curl_setopt($curl, CURLOPT_SSLKEY, $ssl_cert_key);
//set private key password
curl_setopt($curl, CURLOPT_SSLKEYPASSWD, $ssl_cert_password);
//set curl debug output
curl_setopt($curl, CURLOPT_VERBOSE, true);
$verbose = fopen('php://temp', 'w+');
curl_setopt($curl, CURLOPT_STDERR, $verbose);
//curl_setopt($curl, CURLINFO_HEADER_OUT, true);
//set ssl version
curl_setopt($curl, CURLOPT_SSLVERSION, 6);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_POST, TRUE);
curl_setopt($curl, CURLOPT_POSTFIELDS, $request);
curl_setopt($curl, CURLOPT_HEADER, FALSE);
curl_setopt($curl, CURLOPT_HTTPHEADER, array("Content-Type: text/xml"));
curl_setopt($curl, CURLOPT_TIMEOUT, $timeout);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT_MS, $connecttimeout);
$response = curl_exec($curl);
It works without the global cert when I disable CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST, but this is a no-go.
I'm currently using XAMPP with PHP Version 7.0.15.
The Apache has the mod_ssl enabled.
PHP has the openssl and the curl extension enabled.
Things that I tried:
Setting the path inside php.ini:
openssl.cainfo= "C:\some_absolute_path\cacert.pem"
openssl.cafile= "C:\some_absolute_path\cacert.pem"
Putting the cert in the default path that I got with var_dump(openssl_get_cert_locations());
That was "C:\openssl-1.0.2j-win32\ssl" for me.
Putting the cert in "C:\xampp\php"
Now I can't find any more "fixes" to try. Does someone have an idea what it could be?
The problem is resolved.
It wasn't a technical problem. The certificate that I received for the service wasn't valid anymore, and the new certificate isn't in the "cacert.pem" from Mozilla like the old one.
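The four posts above all come down to the same three certificate roles being confused: the CA store used to verify the server (a PEM bundle in CURLOPT_CAINFO, or a directory of hash-named CA files in CURLOPT_CAPATH; pointing CURLOPT_CAPATH at a .pem file is what several posters do), the client certificate and key presented to the server (CURLOPT_SSLCERT / CURLOPT_SSLKEY), and the server's own chain, whose issuer must be in that CA store or libcurl reports "unable to get local issuer certificate" (curl error 60). Curl error 77 is the separate case where the CA file itself could not be read or parsed. The following pre-flight script is an added example, not code from any of the posts; the paths and the URL are placeholders, and it uses only stock PHP curl and openssl functions.

```php
<?php
// Added example (not from any post above): pre-flight checks for PHP cURL peer
// verification. Placeholders: CA_BUNDLE, CLIENT_CERT, CLIENT_KEY, TARGET_URL.

const CA_BUNDLE   = '/etc/ssl/certs/ca-certificates.crt'; // placeholder: PEM bundle of trusted CAs
const CLIENT_CERT = './someFile.pem';                      // placeholder: our client certificate
const CLIENT_KEY  = './someFile.key';                      // placeholder: its private key
const TARGET_URL  = 'https://server.com/';                 // placeholder

/** Which TLS backend PHP's libcurl was built with (OpenSSL, NSS, GnuTLS...). */
function describeCurlBackend(): string {
    $v = curl_version();
    return sprintf('libcurl %s, TLS backend: %s', $v['version'], $v['ssl_version']);
}

/** Count the CA certificates (basicConstraints CA:TRUE) a PEM bundle really contains. */
function countCaCertsInBundle(string $path): int {
    if (!is_readable($path)) {
        return 0; // this is the situation behind curl error 77
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
                   file_get_contents($path), $blocks);
    $count = 0;
    foreach ($blocks[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info !== false
            && isset($info['extensions']['basicConstraints'])
            && stripos($info['extensions']['basicConstraints'], 'CA:TRUE') !== false) {
            $count++;
        }
    }
    return $count;
}

/** Confirm the client cert and key belong together before handing them to cURL. */
function clientPairMatches(string $certPath, string $keyPath, ?string $passphrase = null): bool {
    if (!is_readable($certPath) || !is_readable($keyPath)) {
        return false;
    }
    $key = openssl_pkey_get_private('file://' . $keyPath, $passphrase);
    return $key !== false && openssl_x509_check_private_key('file://' . $certPath, $key);
}

/** A handle that verifies the server with an explicit CA bundle and presents our client cert. */
function makeVerifiedHandle(string $url, string $caBundle, string $clientCert,
                            string $clientKey, ?string $keyPass = null): array {
    $verbose = fopen('php://temp', 'w+');
    $ch = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,        // verify the server chain ...
        CURLOPT_SSL_VERIFYHOST => 2,           // ... and that its name matches the URL host
        CURLOPT_CAINFO         => $caBundle,   // PEM *file* of trusted CAs
        // CURLOPT_CAPATH would take a directory of hash-named CA files, never a .pem file
        CURLOPT_SSLCERT        => $clientCert, // our identity; unrelated to server verification
        CURLOPT_SSLKEY         => $clientKey,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $verbose,    // keep the verbose log for the report
    ];
    if ($keyPass !== null) {
        $opts[CURLOPT_SSLKEYPASSWD] = $keyPass;
    }
    curl_setopt_array($ch, $opts);
    return [$ch, $verbose];
}

/** Translate the curl error numbers seen in the posts into what to check next. */
function explainCurlErrno(int $errno): string {
    switch ($errno) {
        case 0:  return 'OK';
        case 60: return 'peer not verified (60): the issuer is missing from the CA bundle';
        case 77: return 'CA file unreadable (77): CURLOPT_CAINFO/CAPATH points at a bad path or format';
        default: return "curl error $errno";
    }
}

function runChecks(): array {
    $report = [
        'backend'            => describeCurlBackend(),
        'ca_certs_in_bundle' => countCaCertsInBundle(CA_BUNDLE),
        'client_pair_ok'     => clientPairMatches(CLIENT_CERT, CLIENT_KEY),
    ];
    [$ch, $verbose] = makeVerifiedHandle(TARGET_URL, CA_BUNDLE, CLIENT_CERT, CLIENT_KEY);
    curl_exec($ch);
    $report['result'] = explainCurlErrno(curl_errno($ch));
    $report['ssl_verify_result'] = curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT); // 0 == chain verified
    curl_close($ch);
    rewind($verbose);
    $report['verbose'] = stream_get_contents($verbose);
    fclose($verbose);
    return $report;
}

if (PHP_SAPI === 'cli') {
    print_r(runChecks());
}
```

Run it from the CLI on both machines and compare the backend line first: a box whose libcurl uses NSS (the "Initializing NSS with certpath" line) reads certificates differently from an OpenSSL build, so the same options can behave differently. A bundle count of 0 means the file you pointed CURLOPT_CAINFO at is not a CA store at all (a client cert, for instance), which is the mistake behind several of the logs above.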
We've recently moved our web application to a new server and curl requests through PHP have stopped working for HTTPS addresses (HTTP still works fine).
The old server was running openSUSE 12.3 and the new server is Ubuntu 16.04.
I've tried curl_setopt( $ch, CURLOPT_SSLVERSION, 1 ); to force TLS, as suggested in answers to similar questions here, but it makes no difference.
It's all the more confusing because an HTTPS request to the same location using curl at the command line works exactly as I'd expect.
I turned on verbose output in the PHP curl call to see if that would help me, and got the following output:
* Trying xxx.xxx.xxx.xxx...
* Connected to www.somesite.com (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* Unknown SSL protocol error in connection to www.somesite.com:443
* Closing connection 0
but when I run the command at the command line (using something like curl -d "My=post&data=here" -X POST https://www.somesite.com/... -v) I get:
* Trying xxx.xxx.xxx.xxx...
* Connected to www.somesite.com (xxx.xxx.xxx.xxx) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 696 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.0 / RSA_3DES_EDE_CBC_SHA1
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.somesite.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=****,ST=****,L=****,O=****,OU=****,CN=*.somesite.com
* start date: Fri, 27 Jan 2017 00:00:00 GMT
* expire date: Wed, 26 Feb 2020 23:59:59 GMT
* issuer: C=US,O=thawte\, Inc.,CN=thawte SSL CA - G2
* compression: NULL
* ALPN, server did not agree to a protocol
...Response here...
Does anyone have any suggestions as to how to fix this, or what I can do to narrow down the cause of the issue?
UPDATE:
Here is the PHP code I'm using to try to find the cause of the problem:
$postvars="My=post&data=here";
$curl=curl_init(
"https://www.somesite.com/..."
);
curl_setopt($curl, CURLOPT_VERBOSE, true);
curl_setopt($curl, CURLOPT_STDERR, fopen('/tmp/sslerror', 'w'));
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $postvars);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_TIMEOUT, 30);
$result=curl_exec($curl);
echo curl_error($curl);
curl_close($curl);
echo var_export($result, true);
The following code works on Ubuntu versions below 14:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://example.com");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$serverOutput = curl_exec($ch);
curl_close($ch);
This starts to run on Ubuntu 14 but times out on curl_exec. I have tried on two Ubuntu 14 boxes and neither connects properly.
Is there some configuration change or extra option for php5 on Ubuntu 14 that needs to be made to allow this to connect?
Output with curl_setopt($ch, CURLOPT_VERBOSE, true);:
* Hostname was NOT found in DNS cache
* Trying IP ADDRESS...
* Connected to example.com (IP ADDRESS) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
It does not get any further.
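The last two posts are handshake failures rather than trust failures: one ends in "Unknown SSL protocol error" (curl error 35, a protocol or cipher mismatch, and the CLI output shows a different TLS backend, GnuTLS, negotiating TLS1.0 with a 3DES cipher), the other simply hangs after the CA locations are set. A quick way to narrow both down is to try each CURLOPT_SSLVERSION value in turn with hard timeouts and keep the verbose log of each attempt. The probe below is an added example, not code from either post; the URL is a placeholder and it relies only on stock PHP curl functions and constants.

```php
<?php
// Added example (not from any post above): probe which TLS versions a server will
// negotiate through PHP's libcurl, with timeouts so a stalled handshake fails fast,
// keeping each attempt's verbose log. PROBE_URL is a placeholder.

const PROBE_URL = 'https://www.somesite.com/'; // placeholder

/** CURLOPT_SSLVERSION values to try, newest first. */
function sslVersionsToTry(): array {
    $versions = [];
    if (defined('CURL_SSLVERSION_TLSv1_3')) {   // only with libcurl >= 7.52 / PHP >= 7.3
        $versions['TLSv1.3'] = CURL_SSLVERSION_TLSv1_3;
    }
    $versions['TLSv1.2'] = CURL_SSLVERSION_TLSv1_2; // 6
    $versions['TLSv1.1'] = CURL_SSLVERSION_TLSv1_1; // 5
    $versions['TLSv1.0'] = CURL_SSLVERSION_TLSv1_0; // 4
    $versions['default'] = CURL_SSLVERSION_DEFAULT; // 0: let libcurl choose
    return $versions;
}

/** One handshake attempt; returns errno, error text, verification result and the verbose log. */
function probeTlsVersion(string $url, int $sslVersion, int $timeoutSec = 10): array {
    $verbose = fopen('php://temp', 'w+');
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,        // HEAD request: only the handshake matters here
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSLVERSION     => $sslVersion,
        CURLOPT_CONNECTTIMEOUT => $timeoutSec, // bounds the TCP connect
        CURLOPT_TIMEOUT        => $timeoutSec, // bounds the whole transfer, so a stalled handshake ends
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $verbose,
    ]);
    curl_exec($ch);
    $result = [
        'errno'      => curl_errno($ch),
        'error'      => curl_error($ch),
        'http_code'  => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'ssl_verify' => curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT), // 0 means the chain verified
    ];
    curl_close($ch);
    rewind($verbose);
    $result['log'] = stream_get_contents($verbose);
    fclose($verbose);
    return $result;
}

/** Turn one attempt into a line a ticket can quote. */
function classify(array $r): string {
    switch ($r['errno']) {
        case 0:  return 'handshake OK, HTTP ' . $r['http_code'];
        case 28: return 'timed out (28): no TLS response within the limit; check firewall/proxy on the path';
        case 35: return 'SSL connect error (35): protocol or cipher mismatch with this CURLOPT_SSLVERSION';
        case 60: return 'peer not verified (60): issuer missing from the CA bundle';
        default: return sprintf('curl error %d: %s', $r['errno'], $r['error']);
    }
}

function runProbe(string $url): array {
    printf("PHP libcurl TLS backend: %s\n", curl_version()['ssl_version']); // compare with `curl -V`
    $results = [];
    foreach (sslVersionsToTry() as $label => $version) {
        $results[$label] = probeTlsVersion($url, $version);
        printf("%-8s %s\n", $label, classify($results[$label]));
    }
    // Show the verbose log of the first failure next to the option that produced it.
    foreach ($results as $label => $r) {
        if ($r['errno'] !== 0) {
            echo "--- verbose log for $label ---\n", $r['log'];
            break;
        }
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    runProbe(PROBE_URL);
}
```

If every version returns error 28 while the command-line curl on the same host succeeds, the PHP process is reaching a different network path (a proxy environment variable or a firewall rule that applies to the web server user) rather than hitting a TLS problem; if only the older versions succeed, the server and PHP's TLS backend disagree on protocol or cipher, and the backend line printed first tells you which library's defaults are in play.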