I am using magento community edition 2.2 on wamp on windows server 2016. Whenever I am trying to Sign in to sync your Magento Marketplace purchases through System > Web Setup Wizard > System Config using the private and public keys taken from magento market place, I am getting the error:
"SSL certificate problem: unable to get local issuer certificate"
I tried solutions provided in some of the other threads in this forum to download cacert.pem and do the following settings in the php.ini
curl.cainfo = "C:\wamp64\bin\php\php7.1.9\cacert.pem" (this is where I put the cacert.pem file). It did not work!!
Other threads advice to put the self certified certificate in a convenient directory and specify the name with path for "curl.cainfo" and "openssl.cafile".
The issue is that I am not using self certified certificate. I have bought a commercial certificate, where they have given two files a certificate and a certificate chain file. Along with the key file I used to create the request, I have successfully installed configured apache to get https for the website.
The question is, how to get rid of the above error ""SSL certificate problem: unable to get local issuer certificate". The answers in the threads are all for the self signed certificates, where I am having a commercially purchased certificate (with multiple files)
I am using php 7.1.9 on wamp 3.1.0 magento CE 2.2.0
Please Advice....
You must have received the root and the intermediate certificate along with the main certificate.
The error states that its unable to verify the certificate uptil the root certificate. Rename the CACert.pem file with .crt extension . Also change the extension of the public key to .crt. Now, verify Whether the ISSUES BY of public key is the ISSUED TO of cartcert.pem is same. if its not the same then the intermediate in the cacert.pem is incorrect.
Related
We're using the Docusign RestAPI (PHP SDK) from our app and it works great. Authentication mode is JWT. I want to use all the code I've written on a different subdomain, but I get this error:
API call to https://account.docusign.com/oauth/token failed: SSL certificate problem: unable to get local issuer certificate
Both domains, my-domain.com and new.my-domain.com have SSL certs installed. What do I do now? What have I missed?
The DocuSign public certificates page lists all certificates.
Scroll down and look for this:
Install the certificate on your server where you are running the code from.
Do you have the standard set of trusted root certs installed in PHP?
This article may help you.
SOLVED: the new subdomain was operating on a different version of PHP. I added the cert paths to that php.ini file and it works as it should now.
I have a PHP application on Apache 2.4 server with installed mySql server and PHPmyAdmin.
To do some tests for educational purposes I need to enable SSL / TLS both on the PHP WEB application and on PHPmyAdmin.
all tests are performed on a local network between two computers, so there is the problem of generating certificates, but I followed this guide:
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
I generated the certificate of the certification authority that I installed on both machines of the local network (the server and the client), and the 3 files needed by Apache:
server.crt (server signed certificate)
server.csr (certificate signing request)
server.key (private key)
following the guide I then enabled TLS 1.3 on the PHP application successfully.
Now I should repeat the thing on phpMyAdmin and enable SSL. I've read that I need to add these directives to the config.inc.php file:
$cfg['Servers'][$i]['ssl'] = true
$cfg['Servers'][$i]['ssl_cert']
$cfg['Servers'][$i]['ssl_key']
$cfg['Servers'][$i]['ssl_ca']
The first must be set TRUE, while the others require the path of the certificates. Can I use the same certificates I use for the app?
I tried to do it: for the certificate of the CA, I exported it, converted it to .pem, put it in a folder in c: and entered the path in ssl_ca, for the signed certificate of the server, I simply converted it to .pem and entered the path, while the keys I left it like this and entered the path.
However, phpmyAdmin gives me an error:
mysqli::real_connect(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificat e verify failed
Happens because I don't use the csr file?
Thanks!
I'm using Rackspace API in PHP, and it just stopped working (everything worked fine 3 days ago). It uses guzzle, who uses curl. And curl just stopped working.
[Thu Jun 21 14:55:36 2018] [error] [client xxx.xx.xxx.xx] PHP Fatal error: Uncaught exception 'Guzzle\\Http\\Exception\\CurlException' with message '[curl] 60: [url] https://identity.api.rackspacecloud.com/v2.0/tokens' in
/var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php:359\nStack trace:\n#0
/var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(292): Guzzle\\Http\\Curl\\CurlMulti->isCurlException(Object(Guzzle\\Http\\Message\\EntityEnclosingRequest), Object(Guzzle\\Http\\Curl\\CurlHandle), Array)\n#1
/var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(257): Guzzle\\Http\\Curl\\CurlMulti->processResponse(Object(Guzzle\\Http\\Message\\EntityEnclosingRequest),
Object(Guzzle\\Http\\Curl\\CurlHandle), Array)\n#2
/var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(240): Guzzle\\Http\\Curl\\CurlMulti->processMessages()\n#3
/var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(224): Guzzle\\Http\\Curl\\CurlMulti->executeHandles()\n#4
/var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(111)
The important part from the error is the following:
[curl] 60: [url] https://identity.api.rackspacecloud.com/v2.0/tokens
I get an error 60 from Curl, who means is an SSL cert error. Most answer say's the solution to this problem is: deactivate ssl or download a new cert.
curl: (60) SSL certificate : unable to get local issuer certificate
https://es.stackoverflow.com/questions/174276/curl-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate-url-h
I won't deactivate SSL, I can't use http instead of https and I want to avoid having to get into the machine and downloading a new cert.
If someday I have an old cert again, my site is going to stop working. What is the correct way to fix this?
This server has CenOs 6, We're using PHP 5.3.3 and curl 7.19.7
---- Edit ----
So, my problem is because of the change in the certificates of curl. From https://curl.haxx.se/docs/caextract.html
This bundle was generated at Wed Jun 20 03:12:06 2018 GMT .
There is a tool on linux called update-ca-certificates who solves this problem, also, the curl site say's you can run
curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem
But, I don't know, someday I'll see the system stop working properly, I gonna get into the machine an run this command, and, that's all?, What doest the other people do?, set a cron with this command? or what?
Older versions of Guzzle made use of their own CA file that was bundled with the Guzzle library. It would use that file instead of system's (/etc/pki/tls/certs).
If you can get things working with cURL from the command line but get this error in Guzzle that is likely the culprit.
Things were changed to use the system CA bundle by default in late 2014.
https://github.com/guzzle/guzzle/issues/623
https://github.com/guzzle/guzzle/pull/800
The behaviour of newer (> 3.0 ?) versions is described here (see verify configuration flag):
Check if openssl.cafile is set in your php.ini file.
Check if curl.cainfo is set in your php.ini file.
Check if /etc/pki/tls/certs/ca-bundle.crt exists (Red Hat, CentOS, Fedora; provided by the ca-certificates package)
Check if /etc/ssl/certs/ca-certificates.crt exists (Ubuntu, Debian; provided by the ca-certificates package)
Check if /usr/local/share/certs/ca-root-nss.crt exists (FreeBSD; provided by the ca_root_nss package)
Check if /usr/local/etc/openssl/cert.pem (OS X; provided by homebrew)
Check if C:\windows\system32\curl-ca-bundle.crt exists (Windows)
Check if C:\windows\curl-ca-bundle.crt exists (Windows)
If someday I have an old cert again, my site is going to stop working. Curl should download a new cert by himself? isn't it?.
The concept of TLS is that the server sends its certificate to the client, shows a prove that it actually owns the private key belonging to the certificate and then the client checks if the certificate is considered trusted. Trusted means among others that the certificate was issued by a locally trusted CA (certificate authority).
Typically the client has a set of CA it trusts, i.e. CA like Let's Encrypt. If the certificate was issued by such an already trusted CA no changes to the client are needed whenever the certificate is changed as long as the issuer CA is still trusted and the server is configured properly to provide all intermediate CA certificates which are needed to build the trust path.
If instead you have a self-signed certificate or a certificate signed by some private CA the client has no kind of trust anchor it can use to verify the certificate. In this you need to provide the necessary trust anchor to the client. In case of a private CA it is sufficient to setup the client once with this private CA and it will accept also later certificates issued by this CA. But in case of a self-signed certificate this means that you need to update the expected certificate at the client whenever you update the certificate at the server. There is no automatic way to do it - because how should the client verify that it gets the correct new certificate without having an established trust to the party providing the new certificate?
This issue was caused by the change in the certificates of curl. From https://curl.haxx.se/docs/caextract.html
This bundle was generated at Wed Jun 20 03:12:06 2018 GMT .
There is a tool on linux called update-ca-certificates who solves this problem, also, the curl site say's you can run
curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem
Just consider any of these commands may be needed to run again in the future if the certificates are renovated again.
When I enable CURLOPT_SSL_VERIFYPEER i get this error from curl:
SSL certificate problem: unable to get local issuer certificate.
I read that i should include something to the php.ini file but i do not have access to that file because it's not a self hosted site. I alredy purchased ssl certification for my site and the host said that they will set everything.
Where could be the problem at my site or at the host?
You might have to talk about this issue with the technical support from your host. The installation/configuration of the ssl certificate might not be completed yet.
Trying to sort out an LDAPs connection over windows / PHP:
I have .pfx certificate available to me and an LDAP(s) configuration requirement running on Windows 2012R2 / IIS 8.5. I currently have a folder structure: C:\OpenLDAP\sysconf and within here is my LDAP.Conf file with an entry:
TLS_CACERT c:\openldap\sysconf\XXX.pfx
The pfx file is encrypted so I am assuming I need to 'install' the certificate on the IIS server.
I have the required password for the chain but I'm a little fuzzy on exactly where / process for installing the certificate on the IIS Server for this particular requirement.
Can anyone explain / guide me as to how to complete this side of it ?
Very Very appreciated in advance for your help
You can import/install the pfx (private key & certificate archive) for the ActiveDirectory services using Microsoft management console.
You need to launch MMC then import the certificate by selecting
File->Add or remove snap-in->select Certificates->click add(to add it
to the selected snap-ins)->click ok->select service account , then
selecting local computer then selecting active directory
service->finish.
This site will guide you through your configuration:
A complete and step by step info is given
https://www.digicert.com/ssl-certificate-installation-microsoft-active-directory-ldap-2012.htm
You can verify your Ldap configuration by importing the public certificate to your personal certificate store through MMC or by just double clicking it and following the wizard then use ldp tool to verify the SSL connectivity.