When using file_get_contents() to access an HTTPS URL, I get the following in my logs:
[21-Jun-2021 10:21:23 Australia/Sydney] PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in C:\path\to\script.php on line 174
[21-Jun-2021 10:21:23 Australia/Sydney] PHP Warning: file_get_contents(): Failed to enable crypto in C:\path\to\script.php on line 174
[21-Jun-2021 10:21:23 Australia/Sydney] PHP Warning: file_get_contents(https://...): failed to open stream: operation failed in C:\path\to\script.php on line 174
The website loads just fine in my browser. I have also downloaded cURL's CA certificates and told PHP where to find them.
It turned out that I had an incomplete certificate in my Apache configuration. I only had the certificate itself, not also its intermediate. The site worked fine in the browser, but failed when I tried to do it in PHP. The web firewall at work also refused to let me through to similarly configured websites for the same reason. Replacing it with a certificate file that included its intermediary solved this issue.
To check your site, go to https://whatsmychaincert.com and enter your website domain. If your site doesn't have its intermediary, it'll supply you with a certificate file complete with the relevant intermediary for you to install.
If the website in question is internal, you can paste the certificate into the second form and it'll do the same:
No need to get the root certificate, since the client will already have that.
I'm running the next script from my local host and the production server, and Im getting different outputs. Anyone knows why am I getting that false from my localhost?
<?php
$host = 'ssl://mail.companyname.org';
$port = 993;
$error = 0;
$errorString = "";
var_dump(fsockopen($host, $port, $error, $errorString, 30));
var_dump($errorString);
var_dump($error);
Local host output:
bool(false)
Production server output:
resource(4) of type (stream)
UPDATE: after the comments/answer I have modified the code and now Im getting this output on my local host:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL
Error messages: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed in
/tmp/test.php on line 7 PHP Warning: fsockopen(): Failed to enable
crypto in /tmp/test.php on line 7 PHP Warning: fsockopen(): unable to
connect to ssl://mail.twmdata.org:993 (Unknown error) in /tmp/test.php
on line 7 bool(false) string(0) "" int(0)
it seems this is problem with server certificate :
first you can check if your server certificate and its chains are valid by this:
https://www.sslshopper.com/ssl-checker.htm
if somethings were wrong in ssl-checker?
you can try to correct SSL certificate configs in companyname.org
if you succeed and error was persists ?
you have to add Certificate files manually.
if you have a self-signed certificate:
you have to add Certificate files manually.
if you dont have certificate nor you dont care about man-in-the-middle attack,
you can still use SSL without Certificate.
turn off php fsock Certificate check (not recommended)
its recommended to have a certificate at least a self-signed. if you have a self-signed try 1 solution.
I have found the Problem
You have exposed your Domain name in your PHP Warning Log, so i have checked your domain SSL.
after i check your company`s domain certificate using this tool:
https://www.sslshopper.com/ssl-checker.html#hostname=twmdata.org
it had 2 errors with your certificates:
This certificate has expired (0 days ago). Renew now.
None of the common names in the certificate match the name that was entered (twmdata.org). You may receive an error when accessing this site in a web browser.
so it seems you have to renew your certificate first
Update:
i have found this answer maybe helpful
https://stackoverflow.com/a/40962061/9287628
it suggested to use
stream_context_create(['ssl' => [
'ciphers' => 'RC4-MD5'
]])
as #ChrisHaas suggested connecting with stream_context_create and stream_socket_client brings you a lot of option if you want to dictate the cert directory or you want to turn off certificate check.
Per the documentation for fsockopen
The function stream_socket_client() is similar but provides a richer set of options, including non-blocking connection and the ability to provide a stream context.
Basically, fsockopen is very low-level but without many options, or, arguably, "sane defaults".
Instead, you can switch to stream_socket_client which will allow you to specify a context as the last parameter, and that object has many options, including a dedicated one with over a dozen options specific to SSL. The object created from this function is compatible with fwrite and other functions, so it should do everything you are hoping for.
$context = stream_context_create([/*Options here*/]);
$connection = stream_socket_client($host, $errno, $errorString, 30, null, $context);
Now, what options should you use?
The worst option that might work is probably verify_peer. I say "worst" because you are throwing away the verifiability part of SSL/TLS and only using it for encryption, and doing this will make you susceptible to MitM attacks. However, there's a place and time for this, so you could try it if the other options are too complicated.
$context = stream_context_create(['ssl' => ['verify_peer' => false]]);
$connection = stream_socket_client($host, $errno, $errorString, 30, null, $context);
Instead, I'd recommend using either cafile or capath which do the same thing except the former is for a file while the latter is for a directory.
$context = stream_context_create(['ssl' => ['verify_peer' => true, 'cafile' => '/path/to/file']]);
$connection = stream_socket_client($host, $errno, $errorString, 30, null, $context);
What certs should you use? We use this library to pull in recent CA files on a periodic basis, very convenient. There's a little bit of setup that's per-project but once you get it it goes pretty fast. See this for pulling in a CA file at a well-known location.
One other last option is local_cert which you can use with a PEM file that holds the certificate and private key from the server, if you have access to that.
EDIT
The cert on mail.twmdata.org:993 is different than the web server's cert that other people are talking about, which is generally a best practice. You can inspect that cert using:
openssl s_client -connect mail.twmdata.org:993 -servername mail.twmdata.org
If you do that, you'll see that the server has a self-signed cert which you can get around by setting the verify_peer option to false.
Remove the # symbol. You are hiding error messages that might tell you what the problem is. You should also set a variable in the errorno argument to fsockopen() and echo it for debugging.
My guess would be that you haven't installed PHP with SSL support on your local server. See here.
Companyname.org might also block requests from your local server that are allowed from the production server.
Is there any way to create PHP SoapServer with local secure WSDL URL using self-signed SSL certificate? Following code:
$soapServer = new SoapServer("https://mysite.local/my-document?wsdl");
throws always exception:
SoapServer::SoapServer(): SSL operation failed with code 1. OpenSSL
Error messages: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
(/var/www/app/modules/generators/components/WsSoap.php:110)
I could not find anything on how to turn off SSL validation for SoapServer.
Most of issues are related to SoapClient, which is not the case.
I also want to avoid installing any ca.pem local files with valid certificates, because it would be difficult on many servers, just need to create SoapServer for one-time unit testing, don't care about valid/invalid local domain. Using PHP 7.0.19. Thank you.
A week ago I was testing some components in WAMP with PHPMailer and everything worked correctly. The next day it just stopped working. No configuration in WAMP has changed. Using SMTPDebug this is the following error when I try to send an email:
Connection failed. Error #2: stream_socket_enable_crypto(): SSL
operation failed with code 1. OpenSSL Error
messages:error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
[C:...\SMTP.php line 404]
I did other tests using the x86 version of WAMP and XAMPP (I currently use x64 WAMP) but without success, I get the same error.
All tests were performed with gmail "Allow less secure apps" enabled.
After a quick search in the documentation I discovered that the problem is due to verification of the SSL certificate. And as a workaround I can use the following code to skip this check:
$mail->SMTPOptions = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true
)
);
But as has been said, this is a workaround. I wanted to know where the source of the problem is, I do not understand why it stopped working. I have already tried replacing the certificates in the WAMP / XAMPP folders but without success. Also did extensive research but no results. Any idea how I can solve the certificate verification problem without any workaround?
possible duplicate: Warning: stream_socket_enable_crypto(): SSL operation failed with code 1
there is lot of configs that makes this error come up. but more often is that your system's configuration is not set properly. to do it correctly follow this: 1- check if have cacert.pem file for OPENSSL or not if you have not, download proper version from of cacert.pem according to your php version and config your php.ini file as "2-"
2- if you have this file then you have to lookup inside of your php.ini file and see if it has been set in it or not. to do so: lookup for line
openssl.cafile ="example address..\cacert.pem"
if you find the line with an specific address, look for cacert.pem file in that address, if you find it, than it is all done with cacert.pem file. else, you should use the correct address.
hope this help you.. good luck..!
I'm using readfile() to serve a download from Rapidshare's API through my server. This is the relevant code:
readfile("http://rs$server_id$short_host.rapidshare.com/cgi-bin/rsapi.cgi?sub=download&fileid=$file_id&filename=$file_name&login={$account['username']}&password={$account['password']}");
But when I request the page, I get this error:
Warning: readfile(http://rs869l34.rapidshare.com/cgi-bin/rsapi.cgi?sub=download&fileid=3457766962&filename=some_file.rar&login=mylogin&password=mypassword) [function.readfile]: failed to open stream: Unable to find the socket transport "ssl" - did you forget to enable it when you configured PHP? in C:\xampp\htdocs\dl\downloaders\rapidshare_com.php on line 25
According to the Rapidshare API, there's no way to stop it returning an SSL response.
Do I need to configure some special wrapper to handle this or something?
Thanks for any help!
libCurl is used to download file from a remote server like as readfile(http://....).
Though it can handle finer details like as cookie, post and ssl certificates. read more at http://cn.php.net/manual/en/book.curl.php
enable curl in php.ini and try the following code :
$ch=curl_init("http://rs$server_id$short_host.rapidshare.com/cgi-bin/rsapi.cgi?sub=download&fileid=$file_id&filename=$file_name&login={$account['username']}&password={$account['password']}");
curl_setopt($ch,CURLOPT_FOLLOWLOCATION,true); // follow http redirect
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true); //temporary ignore certificate error for easier testing
$data=curl_exec($ch);