Unable to exchange encryption keys - php

I'm facing a hard problem at the moment and I haven't found anything online that can help me.
I want to connect from my server to another one through SSH in order to send instructions (the second server manages Wi-Fi authorizations).
As far as I can tell, I think the problem occurred because we updated one server (I'm not really sure whether the problem appeared because of it).
I'm on a Windows Server and I want to call a Linux one.
Here is the script:
function executeCommand($command) {
    $infoConnection = getInfoConnection();
    $out = '';
    // The warning occurs here, impossible to go further
    $connection = ssh2_connect($infoConnection["hostname"], 22);
    if ($connection === false) {
        $error = error_get_last();
        throw new Exception("
            Error Type : ".$error["type"]."<br/>
            Message : ".$error["message"]."<br/>
            File : ".$error["file"]."<br/>
            Line : ".$error["line"]."<br/>");
    }
    // ssh2_auth_password() reports failure by returning false, not by throwing
    if (!ssh2_auth_password($connection, $infoConnection["username"], $infoConnection["password"])) {
        throw new Exception("SSH authentication failed for ".$infoConnection["username"]);
    }
    $stdio_stream = ssh2_shell($connection);
    sleep(2);
    // The credentials are also typed into the interactive shell
    fwrite($stdio_stream, $infoConnection["username"]."\n");
    sleep(1);
    fwrite($stdio_stream, $infoConnection["password"]."\n");
    sleep(1);
    fwrite($stdio_stream, $command."\n");
    sleep(1);
    while ($buffer = fgets($stdio_stream)) {
        $out .= $buffer;
    }
    fwrite($stdio_stream, "exit\n");   // the shell only reads the command once it is newline-terminated
    fclose($stdio_stream);
    unset($connection);
    return $out;
}
Here is the warning :
Warning: ssh2_connect() [function.ssh2-connect]: Error starting up SSH connection(-5): Unable to exchange encryption keys in ../aff_wifi.php on line 203
The line 203 is this one :
$connection = ssh2_connect($infoConnection["hostname"], 22);
When I "catch" the warning, I have this :
Error type : 2 Message : ssh2_connect() [function.ssh2-connect]:
Unable to connect to ipAdress
File: ..\aff_wifi.php
Line: 203
Do you have any idea why this occurs?
When I try to connect from my server to the other with PuTTY, everything works fine.
Have a good day!

I had this problem when trying to access a focal Ubuntu server from a slightly old xenial one through ssh2_connect. The solution was to update libssh2-1. Even with PHP showing the old version, it worked normally.
On the xenial box, I added the focal repository, installed the latest version of libssh2-1, restarted PHP to apply it and removed the focal repository.
sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse"
sudo apt-get update
sudo apt -y install libssh2-1
sudo add-apt-repository -r "deb http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse"
sudo apt-get update

Warning: ssh2_connect() [function.ssh2-connect]: Error starting up SSH connection(-5): Unable to exchange encryption keys in ../aff_wifi.php on line 203
libssh2 0.x only supports Diffie-Hellman SHA1 based key exchange. OpenSSH has disabled DH SHA1 by default. That leaves libssh2 0.x high and dry.
Option 1: Update libssh2
libssh2 1.7 and up supports DH SHA256 and ECDH key exchange. These will work with the latest OpenSSH. 1.x releases require PHP 7.
Option 2: use phpseclib
If you're stuck on PHP 5 then libssh2 isn't usable. The highest version available for PHP5 is libssh2 0.13 which still only supports the SHA1 key exchanges. An alternate library that worked for me was phpseclib. That supports diffie-hellman-group-exchange-sha256 and I was able to connect to updated OpenSSH servers.

If you have access to the SSH server, and the SSH server is running on a Linux system, the /var/log/messages and /var/log/secure logs on the Linux system might contain events that could be helpful in identifying why "Unable to exchange encryption keys" is being returned. For example, the /var/log/secure log could have something like this.
Jan 29 07:02:46 docker1 sshd[3245780]: Unable to negotiate with 192.168.0.15 port 55736: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Notice in this example that the /var/log/secure log captures "no matching host key type found" as the underlying issue. By default, the PHP ssh2_connect() function offers the following host key types:
ssh-rsa
ssh-dss
If the SSH server does not accept ssh-rsa or ssh-dss as host key types, then the /var/log/secure log will capture something like "no matching host key type found" and PHP should log "Unable to exchange encryption keys". In this scenario, the SSH server would need to be updated to accept the ssh-rsa or ssh-dss host key types.
For example, if the SSH server is OpenSSH, this could mean appending ssh-rsa and ssh-dss to the HostKeyAlgorithms line in /etc/crypto-policies/back-ends/opensshserver.config on the OpenSSH Linux system.
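The negotiation that the two answers above describe, as an added example that is not part of the thread or of any project's code. Each side of an SSH connection sends an SSH_MSG_KEXINIT listing the algorithms it supports; the chosen algorithm is the first entry in the client's list that the server also lists, and an empty intersection is what libssh2 reports as error -5 and sshd logs as "no matching ... found". The script builds and parses KEXINIT payloads, runs that selection for the key exchange and host key lists, and also parses the sshd log line quoted above. All algorithm lists are constructed for the example: the client list follows the answer about libssh2 0.x (SHA-1 DH and ssh-rsa/ssh-dss only), the server lists approximate a current OpenSSH default and the relaxed configuration the last answer suggests, and none of them is taken from a real capture. One caveat for the server-side fix: ssh-dss means 1024-bit DSA host keys, disabled by default since OpenSSH 7.0, and ssh-rsa means SHA-1 signatures, disabled by default since OpenSSH 8.8; upgrading libssh2 on the client (option 1 above) avoids re-enabling either.

```python
"""Reproduce the SSH algorithm negotiation behind "Unable to exchange encryption keys".

SSH_MSG_KEXINIT layout (RFC 4253, section 7.1): byte 20, 16-byte cookie,
ten name-lists (each a uint32 length plus comma-separated names), a boolean
first_kex_packet_follows and a reserved uint32.  All offers below are
constructed for this example, not captured from real hosts.
"""
import re
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of a KEXINIT payload, in wire order.
NAME_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_client_to_server",
    "encryption_server_to_client",
    "mac_client_to_server",
    "mac_server_to_client",
    "compression_client_to_server",
    "compression_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def build_kexinit(**lists):
    """Serialise a KEXINIT payload (no packet framing); unlisted name-lists are empty."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)        # cookie: random in real traffic
    for name in NAME_LISTS:
        value = ",".join(lists.get(name, ())).encode("ascii")
        payload += struct.pack(">I", len(value)) + value   # name-list is an SSH string
    payload += b"\x00"                                     # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)                        # reserved
    return payload


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {name_list: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16                                           # skip message id and cookie
    lists = {}
    for name in NAME_LISTS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[name] = raw.split(",") if raw else []
    return lists


def negotiate(client_kexinit, server_kexinit):
    """Pick kex and host key algorithms the way RFC 4253 7.1 does.

    Returns {name_list: algorithm}, with None where the two lists are disjoint;
    a None is exactly the failure the client sees as "Unable to exchange encryption keys".
    """
    client = parse_kexinit(client_kexinit)
    server = parse_kexinit(server_kexinit)
    chosen = {}
    for name in ("kex_algorithms", "server_host_key_algorithms"):
        offered = set(server[name])
        chosen[name] = next((alg for alg in client[name] if alg in offered), None)
    return chosen


# sshd's own record of the same failure, as quoted from /var/log/secure above.
_SSHD_NEGOTIATION = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+): "
    r"(?P<reason>no matching [\w ]+ found)\. Their offer: (?P<offer>[\w@.,-]+)"
)


def parse_sshd_failure(line):
    """Extract peer, reason and the client's offered algorithms from an sshd log line."""
    match = _SSHD_NEGOTIATION.search(line)
    if not match:
        return None
    return {
        "peer": match.group("peer"),
        "port": int(match.group("port")),
        "reason": match.group("reason"),
        "offer": match.group("offer").split(","),
    }


# Constructed offers (see the module docstring).
LIBSSH2_0X_CLIENT = build_kexinit(
    kex_algorithms=["diffie-hellman-group-exchange-sha1",
                    "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    server_host_key_algorithms=["ssh-rsa", "ssh-dss"],
)
MODERN_OPENSSH_SERVER = build_kexinit(
    kex_algorithms=["curve25519-sha256", "ecdh-sha2-nistp256",
                    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256"],
    server_host_key_algorithms=["rsa-sha2-512", "rsa-sha2-256",
                                "ecdsa-sha2-nistp256", "ssh-ed25519"],
)
# The server after the SHA-1 algorithms are appended, as the last answer describes.
RELAXED_OPENSSH_SERVER = build_kexinit(
    kex_algorithms=["curve25519-sha256", "diffie-hellman-group14-sha256",
                    "diffie-hellman-group14-sha1"],
    server_host_key_algorithms=["rsa-sha2-256", "ssh-ed25519", "ssh-rsa"],
)

if __name__ == "__main__":
    for label, server in (("modern", MODERN_OPENSSH_SERVER), ("relaxed", RELAXED_OPENSSH_SERVER)):
        print(label, negotiate(LIBSSH2_0X_CLIENT, server))
```

Against the modern server both selections come back None, which is the state the question is in; against the relaxed server the client gets diffie-hellman-group14-sha1 and ssh-rsa, the SHA-1 algorithms that the upgrade to libssh2 1.7+ makes unnecessary.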

Best way to update PHP version on bedrock wordpress site

I updated the language of my question, because the original question seemed to be worded in a confusing way (evident from downvotes and unhelpful comments). Hope this makes more sense.
Hi, I'm trying to upgrade the PHP version on a site. I followed this thread and it worked nicely on my development site - I basically changed all instances of PHP "7.1" in the trellis directory to "7.4", required a PHP version of at least 7.4 in composer and ran composer update.
I happily pushed the update to the staging site, but when I attempted to provision the server with ansible-playbook server.yml -e env=staging, I received the following error:
TASK [Install Python 2.x] ************************************************************************************* ***********************************
System info:
Ansible 2.3.0.0; Linux
Trellis at "Update PHP from 7.1 to 7.4"
---------------------------------------------------
Shared connection to 107.170.41.149 closed.
fatal: [107.170.41.149]: FAILED! => {"changed": false, "failed": true, "rc": 100, "stderr": "Shared connection to 107.170.41.149 closed.\r\n", "stdout": "/usr/bin/python\r\nE: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).\r\n", "stdout_lines": ["/usr/bin/python", "E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution)."]}
Ansible seems to be getting stuck on the "Install Python 2.x" task. The staging server cannot be provisioned, and when I run php -v on the server it says it's running PHP 7.2.
How do I update PHP? I am avoiding doing it manually, because my gut's telling me there's a special Roots way.
The server in question is Ubuntu 16.04 running PHP 7.2 (as mentioned above).
Below is the verbose output of the error from provisioning the staging server:
System info:
Ansible 2.3.0.0; Linux
Trellis at "Update PHP from 7.1 to 7.4"
---------------------------------------------------
OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /home/jill/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 16490
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 2
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 100
Shared connection to 107.170.41.149 closed.
fatal: [107.170.41.149]: FAILED! => {
"changed": false,
"failed": true,
"rc": 100,
"stderr": "OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n 7 Dec 2017\r\ndebug1: Reading configuration data /home/jill/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 16490\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 100\r\nShared connection to 107.170.41.149 closed.\r\n",
"stdout": "/usr/bin/python\r\nE: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).\r\n",
"stdout_lines": [
"/usr/bin/python",
"E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution)."
]
}
This is neither a PHP Composer problem nor a Python problem nor an Ansible problem. The underlying operating system (Ubuntu) has a problem with its apt libraries. The error comes from APT. Sadly you didn't tell us what Ansible module you use in the task named "Install Python 2.x".
Try 'apt-get -f install' with no packages
I think some package installations are hanging on the system and need to be installed or configured. This may not have anything to do with your current job of upgrading PHP. Something went wrong in the past. APT will refuse to operate until this issue is solved. Normally you would do it manually and have a look at the output of apt-get -f install to get advice on what the problem with that system is. I think it will try to fix the issue automatically or throw an error saying what the real issue is (for example two packages that cannot be installed at the same time, or a file or directory that is missing or contains wrong values).
This is nothing "normal" which should happen all the time when you update 100 hosts. This is very specific and part of the so-called "configuration gap". Of course, if you don't want to log in manually, you can ignore that error in your playbook task but register the result; if the task fails, check whether the error messages in the registered var contain the above message in stderr, and call a command module in your playbook. This would be a little bit of "self-healing".
Something like this
- package:
    name: "..."
  ignore_errors: true
  register: installation
# The APT hint in the question arrived on stdout, so look in both streams
- shell: "apt-get -f install -y"
  register: self_healing
  when:
    - "installation is failed"
    - "'apt-get -f install' in ((installation.stdout | default('')) ~ (installation.stderr | default('')))"
- debug:
    var: self_healing
  when: "self_healing is defined"

apache - additional mysql-installation without root

I have some space on an internal SUSE Linux Enterprise Server 11 (x86_64) for the Apache web server (Apache 2.2.29, PHP 5.4.40) of our department.
Our PHP is built with Oracle, not MySQL. I want to install MySQL additionally, but due to our very strict guidelines I only have permission to write in my "/usd/[user]" directory, not "/var/lib" etc., so there is no possibility to run the command "rpm -i MySQL-server-5.6.25-1.sles11.x86_64.rpm" or something like that.
user:/usd/as07100a/soft> rpm -i MySQL-server*
error: can't create transaction lock on /var/lib/rpm/__db.000
user:/usd/as07100a/soft> touch /var/lib/rpm/__db.000
touch: cannot touch `/var/lib/rpm/__db.000': Permission denied
Is there any known option to install MySQL with my restricted permissions (e.g. some kind of portable version)?
It seems that this is possible:
Install MySql without root access
Also see this post for additional configuration information: Mysql - specify socket location
You will also likely need to change the port number in your configuration since OracleSQL is probably running on that port already. You can use netstat to see if any other program is listening on 3306.
netstat -ntl

Unable to connect to 'ssl://gateway.sandbox.push.apple.com:2195'

I successfully ran the APNS code on my MacBook Air, but it turns out that I cannot run it on my other computers.
I checked that these are the same:
1. .pem file (to be specific)
2. Program
The computers that cannot run it are:
Windows 7, XAMPP, OpenSSL supported, no firewall
and
an EC2 Linux server with 2195 and 2196 opened.
What other issues might be causing this error in my PHP code?
Unable to connect to 'ssl://gateway.sandbox.push.apple.com:2195'
I know it might be caused by not enabling SSL, but I checked phpinfo(), and it should be correct.
openssl
OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1c 10 May 2012
OpenSSL Header Version OpenSSL 0.9.8x
I tried telnet in EC2 server, it gives:
telnet gateway.push.apple.com 2195
Trying 17.149.36.239...
Connected to gateway.push-apple.com.akadns.net.
Escape character is '^]'.
In the case of Mac:
(The built-in server was working fine using the terminal but not through the browser for me, so I installed MAMP.)
1. Go to /Library/WebServer/Documents/ and copy both the PHP file and ckdev.pem there.
2. In the terminal, run open /private/etc, then go to apache2 > originals > httpd.config and remove the "#" from "#LoadModule php5_module libexec/apache2/libphp5.so" (you may have to change the permissions as well).
Then go to the browser and check localhost/yourPhpFile.php.
In the case of Windows:
1. Install WAMP.
2. In php.ini, search for the line ";extension=php_openssl.dll" and remove the semicolon ";".
3. Click the WAMP icon at the bottom right, go to PHP > PHP Extensions and select php_openssl.
That's it; hope this may help further seekers.
If you are getting an error like "Unable to find the socket transport "ssl" - did you forget to enable it when you configured PHP?" then follow the next step:
If PHP does not have SSL enabled, go to php.ini and change ";extension=php_openssl.dll" to "extension=php_openssl.dll" (remove the semicolon), save it and run the program.
Thanks for the help; I have solved the problem.
The problem is that I used the same pem file for both my cert and the root cert.
There is a root cert that is different from my own cert. During the connection, both certs are used, so I had to get the root cert for Apple push notifications.
Thanks!

oci_connect connection failed

I am having a serious problem connecting to an external Oracle DB 11g from a local Zend Server CE.
OCI8 is enabled and running version 1.4.6 (according to phpinfo()).
I have tried many connection options (listed below) with the same error returned:
oci_connect(): ORA-28547: connection to server failed, probable Oracle Net admin error
After googling for a whole day I am only able to say that this error means that PHP was able to communicate with the server but was unable to connect to a concrete service/database, and that the error shouldn't come from PHP itself...
I have set the environment variable TNS_ADMIN to c:\oracle_instantclient_11_2, where the file tnsnames.ora is located, containing this connection description:
MYDB =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = X.X.X.X)(PORT = 1521))
)
(CONNECT_DATA = (SID = MYDB)(SERVER = DEDICATED))
)
Using this description like
(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=X.X.X.X)(PORT=1521)))(CONNECT_DATA=(SID=MYDB)(SERVER=DEDICATED)))
I am able to connect to the server and the service/database with the sqlplus console, so the connection details are right. I am also using the very same HOST, PORT and SID to connect to the server with the SQL Developer tool. The problem is when connecting to the server from within PHP...
What have I tried so far:
oci_connect("user", "password", "X.X.X.X:1521", "AL32UTF8", 0);
oci_connect("user", "password", "MYDB", "AL32UTF8", 0);
oci_connect("user", "password", "(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=X.X.X.X)(PORT=1521)))(CONNECT_DATA=(SID=MYDB)(SERVER=DEDICATED)))", "AL32UTF8", 0);
All of these oci_connect calls above return the same error mentioned.
I had also tried the ezconnect way for 11g as stated here - [//]host_name[:port][/service_name][:server_type][/instance_name]:
oci_connect("user", "password", "X.X.X.X:1521/MYDB", "AL32UTF8", 0);
but the problem is I do not know the service name, only the service ID (SID), thus the error returned is this:
oci_connect(): ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
that says there is no service running with the service name provided (or that the ORA listener does not know of such service).
PHP version: 5.3.14
Apache version: 2.2.22 (32bit) Zend
Zend Server CE: 5.3.6
PHP info for OCI8:
OCI8 Support enabled
Version 1.4.6
Revision $Revision: 313688 $
Active Persistent Connections 0
Active Connections 0
Oracle Instant Client Version Unknown
Temporary Lob support enabled
Collections support enabled
Directive Local Value Master Value
oci8.connection_class no value no value
oci8.default_prefetch 100 100
oci8.events Off Off
oci8.max_persistent -1 -1
oci8.old_oci_close_semantics Off Off
oci8.persistent_timeout -1 -1
oci8.ping_interval 60 60
oci8.privileged_connect Off Off
oci8.statement_cache_size 20 20
Maybe the problem is that there is an unknown version of the Oracle Instant Client, though its path is set within both the TNS_ADMIN and PATH environment variables...
My question is: does anybody know what I have done wrong? Am I missing something? I googled for a whole day yesterday, so probably (with 99% chance) any Google links you would like to provide me with I have already seen and tried...
Though this question could be considered an exact duplicate of this one, it has not been answered yet, and I guess nobody will return to that old question even if I post a comment saying I am having the connection problems too. Also keep in mind that in that similar question a different error is returned and asked about.
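As an added example, not from the question or any of the answers: a small parser for the Oracle Net connect-descriptor syntax shown above, used to make the distinction behind the ORA-12514 explicit. The EZCONNECT form quoted in the question, //host[:port]/service_name, carries a service name and nothing else, so a descriptor whose CONNECT_DATA names only a SID has no EZCONNECT equivalent; whatever follows the slash is looked up as a service name, and in the question the listener knows no service called MYDB. The host and service names in the sample inputs are placeholders.

```python
"""Parse Oracle Net connect descriptors and derive their EZCONNECT form, if any.

Constructed example; the descriptor grammar is the nested '(KEYWORD=value)'
form used by tnsnames.ora, optionally preceded by 'ALIAS ='.
"""
import re

_TOKEN = re.compile(r"\(|\)|=|[^()=\s]+")


def parse_tns(text):
    """Parse a descriptor into nested (NAME, value) tuples.

    value is a string for scalar keywords and a list of child tuples otherwise.
    """
    tokens = _TOKEN.findall(text)
    pos = 0

    def node():
        nonlocal pos
        if tokens[pos] != "(":
            raise ValueError("expected '(' at token %d" % pos)
        name = tokens[pos + 1].upper()
        if tokens[pos + 2] != "=":
            raise ValueError("expected '=' after %s" % name)
        pos += 3
        if tokens[pos] == "(":                # keyword with nested children
            value = []
            while tokens[pos] == "(":
                value.append(node())
        else:                                 # keyword with a scalar value
            value = tokens[pos]
            pos += 1
        if tokens[pos] != ")":
            raise ValueError("expected ')' closing %s" % name)
        pos += 1
        return name, value

    if tokens and tokens[0] != "(":           # tnsnames.ora entry: 'MYDB = (DESCRIPTION ...'
        if len(tokens) < 2 or tokens[1] != "=":
            raise ValueError("alias must be followed by '='")
        pos = 2
    tree = node()
    if pos != len(tokens):
        raise ValueError("trailing tokens after descriptor")
    return tree


def serialize(tree):
    """Render a parsed descriptor back into the single-line form."""
    name, value = tree
    if isinstance(value, list):
        return "(%s=%s)" % (name, "".join(serialize(child) for child in value))
    return "(%s=%s)" % (name, value)


def find_values(tree, keyword):
    """Yield the value of every node named `keyword`, at any depth."""
    name, value = tree
    if name == keyword:
        yield value
    if isinstance(value, list):
        for child in value:
            yield from find_values(child, keyword)


def connect_strings(descriptor):
    """Summarise a descriptor; 'ezconnect' is None when only a SID is given."""
    tree = parse_tns(descriptor)
    host = next(find_values(tree, "HOST"), None)
    port = next(find_values(tree, "PORT"), "1521")    # Oracle Net default port
    sid = next(find_values(tree, "SID"), None)
    service = next(find_values(tree, "SERVICE_NAME"), None)
    ezconnect = "//%s:%s/%s" % (host, port, service) if host and service else None
    return {
        "descriptor": serialize(tree),
        "host": host,
        "port": port,
        "sid": sid,
        "service_name": service,
        "ezconnect": ezconnect,
    }


if __name__ == "__main__":
    sample = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db.example.internal)(PORT=1521))"
              "(CONNECT_DATA=(SERVICE_NAME=orcl.example.internal)))")
    print(connect_strings(sample))
```

Fed the tnsnames.ora entry from the question, connect_strings() reproduces the one-line descriptor that works in sqlplus and returns ezconnect None; the service name the listener actually registers (lsnrctl status on the database host shows it) is what has to go after the slash.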
Due to several misconfigurations and 3 days lost while looking for a solution, I moved to developing on a Linux server and all of the problems are gone.
What I have found:
both php_oci8.dll and php_oci8_11g.dll depend on the Oracle Instant Client libraries
these libraries do not contain oci_ functions (like oci_connect), only ociX functions (like ociLogon), which is strange...
though I am pretty sure I downloaded Oracle Instant Client Basic and all of the extensions, I was not able to connect to another Oracle server due to an unknown charset, and the error was saying I am using only the Lite instant client...
I tried both the 64-bit and 32-bit instant client versions to no avail
my Apache is 64-bit, Windows is 64-bit, PHP is 32-bit, the remote Oracle server is 64-bit, the remote Linux server is 64-bit...
tried many environment settings (ORA_HOME, TNS_ADMIN, adjusted PATH to point at the instant client installation) to no avail
tried uninstalling the local Oracle XE server due to possible environment settings interference, to no avail
almost lost my head - to no avail...
So finally on the Linux server I have no problems connecting to the remote Oracle server. Somewhere (while surfing over thousands of PHP-Oracle related pages) I found a statement that "one shouldn't develop PHP applications connecting to an Oracle server under Windows" and should stick to a UNIX system instead...
So anybody experiencing similar or the same problems - be so kind and do not waste your time, install VirtualBox, run Linux in it and move forward!
To connect PHP to Oracle 11g (version 11.2) you need to do the following:
Step 1:
Log in to your DB with sys as sysdba and execute the following:
execute dbms_connection_pool.start_pool();
execute dbms_connection_pool.restore_defaults();
Step 2:
In your PHP script:
$conn = oci_connect("username", "password", "//hostname/servicename");
if (!$conn) {
    $m = oci_error();
    echo $m['message'], "\n";
    exit;
} else {
    print "Connected to Oracle!";
}
// Close the Oracle connection
oci_close($conn);
Note: i). Make sure the PHP_OCI8 and PHP_OCI8_11g extensions are enabled.
ii). Oracle 11 is case sensitive.
Best Regards
Yasir Hashmi
I have had the same issue and tried to connect from my local machine to a remote server.
After 2 weeks of trying I finally got it to work.
The solution is very simple but not documented in the PHP documentation,
so let us take the sample PHP provided:
$conn = oci_connect('hr', 'welcome', 'localhost/XE');
What they did not mention is that it points to the default port on the server.
If yours is set up on a different one you need to specify that.
See the new example below:
$conn = oci_connect('hr', 'welcome', 'localhost:1234/XE');
Try that with your specified port.
Hope this helps
Just adding my two cents, as I banged my head against the wall with this one... If all else fails, try this: once you have downloaded the instant client, http://www.oracle.com/technetwork/topics/winsoft-085727.html, copy its extracted contents to the apache/bin folder. It'll likely ask you to overwrite oci.dll. Do so, then restart Apache/PHP. With luck this will fix the problem...
Good luck.
My solution on Fedora 17:
1. yum install httpd httpd-devel
2. yum install php php-mysql php-pear php-devel
3. Install the Oracle Instant Client:
rpm -Uvh oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64.rpm
rpm -Uvh oracle-instantclient11.2-devel-11.2.0.3.0-1.x86_64.rpm
4. pecl install oci8
This gives:
downloading oci8-1.4.7.tgz ...
Starting to download oci8-1.4.7.tgz (Unknown size)
.....done: 168,584 bytes
10 source files, building
running: phpize
Configuring for:
PHP Api Version: 20100412
Zend Module Api No: 20100525
Zend Extension Api No: 220100525
Please provide the path to the ORACLE_HOME directory.
Use 'instantclient,/path/to/instant/client/lib' if you're compiling
with Oracle Instant Client [autodetect] :
Just press enter.
5. Enable the OCI8 extension by creating a file in /etc/php.d/, oci8.ini for example, with the following line:
extension=oci8.so
6. service httpd restart
For the record (PHP 8.0.12), you can also try this:
Copy the following files into the Apache bin folder:
apache24/bin/oraociei12.dll
apache24/bin/oci.dll
apache24/bin/oraons.dll
You can find those files in the Instant Client folder and in its bin folder.
Then restart Apache and that is it.
The Instant Client, Apache and PHP must all be either 32-bit or 64-bit.
You can also try to connect using EZCONNECT (if you want to avoid using tnsnames).

How do I solve ldap_start_tls() "Unable to start TLS: Connect error" in PHP?

I'm getting:
Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in /var/www/X.php on line Y
/etc/ldap/ldap.conf:
TLS_CACERT /etc/ssl/certs/ca.crt
ca.crt is the CA which signed the LDAP server certificate. The certificate on the LDAP server is expired and I can't change it.
You can ignore the validity on Windows by issuing
putenv('LDAPTLS_REQCERT=never');
in your PHP code. On *nix you need to edit your /etc/ldap.conf to contain
TLS_REQCERT never
Another thing to be aware of is that it requires protocol version 3 (version 2 is the PHP default):
//$hostnameSSL example would be "ldaps://just.example.com:636" , just make sure it has ldaps://
$con = ldap_connect($hostnameSSL);
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
To get a better idea of what's going on, you can enable debug logging by:
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
This can be done before the ldap_connect takes place.
The specific scenario presented in the question--with an expired certificate that can't be changed--does appear to require disabling certificate validation on the LDAP client.
However, I suspect a lot of people, like me, reach this page for other root causes of receiving opaque LDAP TLS errors, where disabling validation of TLS certificates is not an appropriate answer.
In my case--using the LDAP Authentication extension for Mediawiki on an Ubuntu 18.04 LTS server, and authenticating against Active Directory on a Windows Server 2012 server--authentication stopped working in January/February 2020. The server certificate and the CA certificate were still both valid, and openssl s_client -verify 2 -connect <AD server>:636 from the Mediawiki server passed just fine.
Eventually I noticed that the signature algorithm in the SSL certificate served by AD/LDAP was SHA1, which I remembered recently suffered from the first known chosen-prefix collision exploit. This led me to investigate the changelog for packages that had recently been updated on the system, which turned up "Mark SHA1 as insecure for certificate signing" in the gnutls28 changelog circa January 8th, 2020. (The chain of dependencies from the php-ldap package in Ubuntu 18.04 goes to php7.2-ldap -> libldap-2.4-2 -> libgnutls30, whose source package is gnutls28.)
I followed some instructions to update the Windows CA to use SHA256 and then selectively followed instructions to renew the AD/LDAP cert, installed the new CA cert on my Mediawiki server, and the problem was solved! Briefly, these steps included:
In an Admin PowerShell on the AD server, run certutil -setreg ca\csp\CNGHashAlgorithm SHA256
In the Certification Authority MMC, right click on the CA -> All Tasks -> Renew CA Certificate
In a blank MMC, add snap-in for Certificates; select Local Computer
Under Personal -> Certificates, find the current entry used by LDAPS (Kerberos Authentication template type) -> All Tasks -> Advanced Options -> Renew This Certificate with the Same Key
In the same window, open the new CA certificate -> Details -> Copy to file -> no private key -> base64-encoded X.509
Copy the resulting file to /usr/share/ca-certificates/ on the Mediawiki server, then run sudo dpkg-reconfigure ca-certificates and select the new CA cert for inclusion.
P.S. For SEO purposes, depending on the mode I was using, error messages included:
ldap_start_tls(): Unable to start TLS: Connect error in /var/www/mediawiki/extensions/LdapAuthentication/LdapAuthenticationPlugin.php in the HTTP error log
ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in [...]
Failed to start TLS. in the Mediawiki debug log (when using wgLDAPEncryptionType = ssl, i.e. the encrypted LDAP port, 636)
Failed to bind as CN=foobar,CN=Users,DC=myOrgName,DC=local in the Mediawiki debug log (when using wgLDAPEncryptionType = tls, i.e. STARTTLS on the unencrypted LDAP port, 389)
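The check the answer above arrived at by reading the certificate by hand, as an added example that is not the page's or any project's code: a minimal DER walk that pulls the signatureAlgorithm OID out of an X.509 certificate and flags MD5 and SHA-1, so a server certificate can be tested before anyone reaches for TLS_REQCERT never. Only the outer Certificate structure (tbsCertificate, signatureAlgorithm, signatureValue) is decoded. The constructed_certificate() helper produces a skeleton with an empty tbsCertificate purely as offline test input; it is not a valid certificate, and real input comes from pem_to_der(open("server.pem").read()) or from the chain openssl s_client prints. The same information is one openssl x509 -in server.pem -noout -text away; the point of writing it out is that with TLS_REQCERT never none of this is ever looked at and any certificate at all is accepted.

```python
"""Report the signature algorithm of an X.509 certificate from its DER encoding.

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue }
AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }
The encoder at the bottom exists only to build skeleton test certificates.
"""
import base64
import re

SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.3.101.112": "Ed25519",
}
WEAK_DIGESTS = ("md5", "sha1")


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:               # base-128, high bit set on continuation bytes
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(text):
    block = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not block:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(block.group(1).split()))


def der_to_pem(der):
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(der):
    """Return (oid, name) of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate, skipped whole
    tag, alg_id, _ = _read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    return oid, SIGNATURE_ALGORITHMS.get(oid, "unknown")


def is_weak_signature(der):
    """True for MD5/SHA-1 signatures; raises on an OID the table does not know."""
    _, name = signature_algorithm(der)
    if name == "unknown":
        raise ValueError("unrecognised signature algorithm OID")
    return any(digest in name.lower() for digest in WEAK_DIGESTS)


# DER encoder, used only to build the skeleton test certificate.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunks))
    return out


def constructed_certificate(signature_oid):
    """Skeleton Certificate with an empty tbsCertificate; test input only, not a real cert."""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(signature_oid)) + b"\x05\x00")  # OID + NULL params
    return _tlv(0x30, _tlv(0x30, b"") + alg_id + _tlv(0x03, bytes(9)))        # dummy BIT STRING


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = constructed_certificate(oid)
        print(signature_algorithm(der), "weak" if is_weak_signature(der) else "ok")
```

A SHA-1 result on the server certificate reproduces the condition in the answer above: the chain is otherwise valid, openssl s_client is happy, and only the GnuTLS-backed libldap rejects it, so the fix is the CA and certificate renewal described there rather than any client-side setting.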
My solution/workaround is to use
/etc/ldap/ldap.conf:
#TLS_CACERT /etc/ssl/certs/ca.crt
TLS_REQCERT never
If you have any better idea, please post another answer.
The path for ldap.conf in Windows is fixed:
c:\openldap\sysconf\ldap.conf
A restart of the web server may be required to apply changes.
In debian based systems:
Install the package: ldap-utils and in the file
/etc/ldap/ldap.conf, edit the line:
TLS_CACERT /etc/ldap/cacerts/cacert.asc
Create the directory /etc/ldap/cacerts and copy the cacert to
/etc/ldap/cacerts/cacert.asc
Restart apache.
In redhat based systems:
Install the package: openldap-clients and in the file
/etc/openldap/ldap.conf edit the line:
TLS_CACERT /etc/openldap/cacerts/cacert.asc
Create the directory /etc/openldap/cacerts and copy the cacert to
/etc/openldap/cacerts/cacert.asc
Restart httpd
I was able to get this working properly with openldap on Amazon Linux (Elastic Beanstalk PHP 7.0) with MacOS Server 5 LDAP, with TLS set to demand.
in /etc/openldap/ldap.conf:
TLS_REQCERT demand
TLS_CACERT /etc/openldap/certs/yourcacert.pem
(note that if you are not using openldap, the path will be /etc/ldap/certs/yourcacert.pem). This setup did not work until I placed the certificate inside the certs folder; it did not work from any other path.
The certificate to be placed in that path is NOT the TLS certificate of the server. It is the CA (Certificate Authority) certificate of the authority who issued the server/domain-specific TLS certificate. Only the CA certificate placed in that path will allow TLS to work before attempting an LDAP bind in PHP. Get the CA certificate from your server or download it from the authority's site; they are freely available.
To test if LDAP bind is even working without TLS, set TLS_REQCERT never temporarily (may need to comment # out TLS_CACERT). If you get "Can't connect to LDAP" it is not a TLS error; it simply cannot connect to the server and you likely need to open port 389 (not 636 for TLS).
Remember to restart your Apache server every time you make a change to the config file or certificate.
Some additional help for others: the certificate solution here solved my ldapsearch command-line issue, but PHP still complained "Can't contact LDAP server".
It turned out that SELinux on RHEL7 (CentOS7) blocks HTTPD from using LDAP ports 389 and 636 by default; you can unblock it with:
setsebool -P httpd_can_network_connect 1
Check your SELinux audit log file for things being blocked.