I simply can't find a solution to this. I migrated a Wordpress site with a woocommerce shop and payment gateway "Payunity" to a new EC2 machine with a bitnami wordpress stack.
I generated a Let's Encrypt SSL certificate and the entire site works as expected.
Only problem I have is that for some reason on the woocommerce checkout page I suddenly get this error message:
SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate
verify failed
I googled extensively and tried figuring this out but no chance.
Any idea what I have to set on the server to have this go away? I tried modifying the php.ini with the capath and cafile like some threads pointed out but no luck.
Any ideas?
Update: I now moved to Cloudflare as DNS Manager and have the "Full (strict) setting so that the Cloudflare SSL is the one in use. However still the same error, so I figure this has nothing todo with the original Let's Encrypt or now Cloudflare SSL Certificate.
I believe this error message is caused by CURL. According to the CURL FAQ (https://github.com/curl/curl/blob/master/docs/FAQ) section 4.12 (where exactly this error message is mentioned), "it means that curl couldn't verify that the server's certificate was good. Curl verifies the certificate using the CA cert bundle that comes with the curl installation." (vsince CURL 7.10).
As your CURL version is quite old (released on Oct 7, 2015), I would assume that one of the CA/root certificates it is using is too old. I would recommend updating CURL separately (e.g. using this guide: http://pavelpolyakov.com/2014/11/17/updating-php-curl-on-ubuntu/, depending on your OS).
Furthermore, you can check the openssl.cafile option in php.ini that should point to an absolute path containing a more or less recent CA bundle (e.g. "C:\xampp7.3\apache\bin\curl-ca-bundle.crt" for my XAMPP installation). You can try to extract the bundle from the XAMPP .zip (https://www.apachefriends.org/download.html) and replace the path in your php.ini and then restart the server.
In addition, you can check your php.ini if extension=php_openssl.* (extension e.g. dll for Windows) is uncommented, i.e. activated.
Maybe (and this is why I asked what should be shown normally at this place) a script inside the Payunity plugin is trying to fetch something from an URL with a broken certificate or something similar.
EDIT: As pointed out by Sebastian B., you can check the error.log (in case of Apache) for failed file_get_contents() (or similar) calls because the actual URL of the "file" the site PHP tried to fetch is mentioned there.
EDIT: CURL Perl script to create a fresh ca-bundle.crt file based on Mozilla's chain: https://github.com/curl/curl/blob/master/lib/mk-ca-bundle.pl You can try this (or extract one from a fresh CURL installation) and set this as a path in php.ini. Or you can use this from the Nextcloud project (https://github.com/nextcloud/server/blob/master/resources/config/ca-bundle.crt) or another one (just for testing purposes, of course).
EDIT
I’m on the move at the moment, and only have SO on the Stack Exchange app on my iPhone, so there’s some weird formatting with the quotes in the code below - Apologies! I have real ones in the real code :)
I’ve been trying to figure this out for two days with some other questions on SO, but here goes...
Just trying to use file_get_contents() to capture the webpage of another file located on the same server and same domain, and include that. I’m using MAMP with a self signed cert for production (so that I can have the server force SSL etc) so there’s that, and I also have that certificate as “Always Trusted” locally on my Mac as it’s self-signed obviously.
So now I have the issue where I want one page to capture the contents of another.. I initially tried using cURL and it was failing without giving me any exceptions, and no information using curl_error() so I switched over to file_get_contents() where I get the exception SSL operation failed with code 1... ssl3_get_server_certificate:certificate verify failed
I assume this is in issue with OpenSSL not trusting the self-signed (but I thought it used the trusted CA’s of the underlying OS?) and I can’t get it to work using the following stream context:
stream_context_create([
"ssl" => [
"allow_self_signed" => true
]
]);
And if I set verify_peer and verify_peer_name to false, the request is made but HTTPS cookies aren’t sent which breaks the whole thing.
I’ve tried adding the actual text of the cert to the cacert.pem file under the OpenSSL directory in MAMP, and set that file in the openssl.cafile option in the php.ini file as stated in another answer, but alas no luck...
Any ideas? Your help would be much appreciated! Thank you! ☺️💛
EDIT 2
So I tried it again using cURL, and this time got cURL to give me some verbose output to a file, and this is what it gives me (note the line third from the bottom):
* Trying ::1...
* TCP_NODELAY set
* Connected to admin.voyagerisc (::1) port 8890 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /Applications/MAMP/Library/OpenSSL/certs/cacert.pem CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Curl_http_done: called premature == 1
* Closing connection 0
...and this is the file where I have added the raw certificate to the top.. ugh, STUCK!
TLDR; You need to become your own (mini) CA so you have a Root Cert that can be trusted
So after a few painstaking days, I have finally figured this out and I hope below will help those few MAMP / PHP users who will undoubtedly run into this issue!!
Basically, file_get_contents() and cURL operate above OpenSSL, and (as I have now learnt, I was an SSL noob!) OpenSSL, like every device basically has big list of all the main Certificate Authority's root certificates. So if any certificate has been signed by one of those root certificates in can be trusted in the eyes of OpenSSL.
Now you can go into that file that OpenSSL uses that has all the big root certs, and I thought it would be as easy as placing the raw self-signed certificate of the development site at the top of the list and everything would fall into place. However, for some reason OpenSSL wouldn't trust it if it's not a ROOT CERTIFICATE.
So long story short, here's the steps:
Follow this guide to becoming your own CA in literally under 5 minutes. (As a side note, this now means that you can trust just the newly created root certificate, and for every development site you want with SSL, self-sign with that root certificate and you won't need to re-trust etc)
Once you've trusted the root certificate as per the article, and pointed MAMP to the key and certificate for the specific site, in your IDE open up the .pem file for the ROOT CERTIFICATE that you created, NOT the specific one for your development site
For MAMP, the file OpenSSL uses as the core list of trusted Certificate Authorities is located in /Applications/MAMP/Library/OpenSSL/certs/ - Open the cacert.pem in your IDE as well
Now, under the comments and before the first real CA, copy and paste in the raw data of your Root Certificate. You can also add in before that long piece of data (and BEFORE the -----BEGIN CERTIFICATE----- line) the name you set for your Certificate Authority earlier in Step 1, and format it with the ='s as is with the other Certificate Authorities.
The usual: Save & restart MAMP
Now, if you're running a local development server with MAMP and have self-signed SSL enabled, you should now be able to make the SSL calls back to the server itself, and have the server trust.... itself? I guess? Weird when you think about it!
As a final note, if you had visited any other similar questions here on SO, you would've seen many answers prompt you to create either a stream context with get_file_contents() or set some options with your cURL resource that suggested turning "verify_peer" => false & "verify_peer_name" => false in a stream context, or the equivalent options for cURL. I cannot stress enough that the approach completely defeats the purpose of SSL and shouldn't even be used for local development, due to the possibility of you forgetting to turn it back on or some other obscure event that causes trust to remain off within production.
The method I described above is more tedious, yes, but it will get you through development until you have a real SSL cert in production signed by a true CA, at which point this won't even be an issue anymore.
Feel free to comment if this explanation is not clear / precise enough, I'm only still getting my head around it! Cheers :)
As Mike mentioned (see comments), in the current version of MAMP (6.4) there's an invalid certificate file added to /Applications/MAMP/Library/OpenSSL/certs/cacert.pem. Just open this file and access the link shown in the 301 redirect (https://curl.se/ca/cacert.pem), download it and replace the file.
Mark MAMP_PRO_Root_CA as trusted in Keychain Access
After a ton of hassle and problems related to this, and the situation getting even worse over time as Chrome updated, breaking my automated testing as well, I finally found the solution, as described in the MAMP docs on SSL.
We simply have to add the root certificate that MAMP uses to sign it's custom SSL certs to Keychain Access and set it to always trust:
Open Keychain Access on your Mac
Search for MAMP_PRO_Root_CA
Double click it and expand the Trust section
Set When using this certificate to Always Trust
Close the little window and enter your system password to save the change
After that, any SSL certs you create through the MAMP interface will work automatically, as far as I can tell! If you've been creating your own self-signed certs through the terminal, you might have to go back and update them, but it's easy and reliable, so I don't see why you wouldn't want to if you're already committed to the hot mess which is the MAMP Pro lifestyle 😅
Here's the UI where you create SSL certs in MAMP Pro:
Honestly, I can't tell if this solution was staring me in the face the whole time, or if it was recently enabled in the new versions of MAMP or Chrome. In the end it doesn't matter. Our long national nightmare is finally over 🙏🏻
I am learning to work with youtube data api v3 (using PHP). So I downloaded sample api code and some how i manage to download and install composer in my working directory(version 1.4.x) successfully.
Ater this i run the serach.php script it shows following error
Fatal error: Uncaught exception 'GuzzleHttp\Exception\RequestException' with message 'cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)' in C:\wamp\www\youtube feeds\vendor\guzzlehttp\guzzle\src\Handler\CurlFactory.php on line 187
( ! ) GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) in C:\wamp\www\youtube feeds\vendor\guzzlehttp\guzzle\src\Handler\CurlFactory.php on line 187 .
I am using wamp with php 5.5.12 and apache 2.4.9. Also I enabled curl extension from tray and in php.ini file.
If just starting out, do not try to jump into the deep end.
Start with the "restfull" api side of things.
As an example, you can do this.
$url_link = 'https://www.googleapis.com/youtube/v3/videos?part=snippet&id=[VIDEO_ID]&key=[API_KEY]';
$video = file_get_contents($url_link);
$data= json_decode($video, true);
Then you can grab the required info in that call as you like. Like this
$vid = $data['id'];
LIB's are good for streamlining large programs and code, but not always needed.
The issue is due to a missing "cacert.pem" file (or provided by the host operating system that runs php). This file verifies certificate authorities, so that curl can connect to youtube securely (and know it's youtube, and not a victim of a man in the middle attack).
You cna download these files manually, and specify them in your php ini, but the better option is to use the "certainty" php package to manage these. I would advise using composer, it's very easy to start using.
I'm using Socialite for my Facebook login. I was able to follow the steps here until I was able to encouter a cURL certificate error upon clicking the "Continue as ..." on facebook oAuth.
RequestException in CurlFactory.php line 187:
cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
I have download the cacert.pem and added it to my php.ini by following the steps here.
[cURL]
curl.cainfo=C:\xampp\php\cacert.pem
Restarted apache and still the same error. I'm running it under a Windows machine. What's going on?
I was able to solve this by checking the php path on the environment variables. I needed to add the php path on the path. This is to make sure that the PHP that I am running using php artisan serve is running the correct PHP instance.
I'm having problems with the facebook example code.
Fatal error: Uncaught CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed thrown in C:\inetpub\wwwroot\src\facebook.php on line 616
I found a solution that I don't know what to do with here. I'm running IIS7 and trying to test this on localhost. The solution specified that I should add
$opts[CURLOPT_CAINFO] = [PATH]/apache/conf/ssl.crt/ca-bundle.crt"; //Or your path to "ca-bundle.crt"
to the code. I found the array where this info should go but I have absolutely no idea where the certificates are stored. I searched my machine for my self-signed cert ("myown") but couldn't find it. I googled for the location of cert files on IIS7 but realized I'd be better of here since maybe I don't even need to specify SSL certs.
Any suggestions? What I want to do is just to be able to run the code, I don't have any requirements of SSL right now.
i think that the certificate is being returned but can not be validated, within C# you can usually do something like so:
ServicePointManager.ServerCertificateValidationCallback = delegate{
return true;
};
so this is a callback that's executed before the certificate is validate and acts as a user validation method.
WARNING: this will validate all certificates regardless
never used IIS but im sure it would be something along these lines.