PhP - CloudConvert: Peer certificate cannot be authenticated with known CA certificates. - php

I'm trying to use CloudConvert API in PhP and I'm getting the following error:
CURLE_SSL_CACERT (60)
Peer certificate cannot be authenticated with known CA certificates.
Reading their API source code I see that they use the GuzzleClient for requests. I guess if I just disable the SSL verification on cURL it would work. I just don't know how to do it globally. I know how to do it for the request: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); but that doesn't help me since I don't have the control on how CloudConvert do their API requests.
Does anyone have an idea on how to solve this? I'm running my project using MAMP and macOS Sierra.
Thanks for any help


Just found the solution. As I told before the CloudConvert API can take a Guzzle client in the constructor, so I create the client and set the certificate to it:
$client = new \GuzzleHttp\Client(['verify' => $this->config->application->sslDir . "cacert.pem" ]);
$api = new Api("xxxxxxx", $client);
$api->convert([
'inputformat' => 'html',
'outputformat' => 'docx',
'input' => 'upload',
'file' => fopen('/Users/andre/Projects/x/Quote.html', 'r'),
])
->wait()
->download('/Users/andre/Projects/x/Quote.docx');

Related

any idea of how curl cacert broke my php app?

------Answer below--------
I know many post already talk about this but I've tried everything and I think nothing worked.
I use Google API for connection to a website and after to manage Google drive with API and Google library in PHP.
Pretty simple, I've got an issue with curl error 60, so I've checked curl.se website to get the last cacert.pem.
for those who would have my code, in my connection module, if i delete the verify line :
$client = new Client([
'timeout' => 2.0,
'verify' => __DIR__ . '/cacert.pem'
]);
i got this :
cURL error 60: SSL certificate problem: unable to get local issuer certificate
If i keep the verify, it work.
And my drive manager module :
$client = new Google_Client([
'timeout' => 2.0,
'verify' => __DIR__ . '/cacert.pem'
]);
$client->useApplicationDefaultCredentials();
$client->addScope(Google_Service_Drive::DRIVE);
$driveManager = new Google_Service_Drive($client);
$client->setSubject('api#test.fr');
// Print the names and IDs for up to 10 files.
$optParams = array(
'fields' => 'nextPageToken, files( name)',
'q' => 'folder',
);
$results = $driveManager->files->listFiles($optParams);"
Of course there is require vendor/autoload and putenv blablabla to open my credentials json file before and the printf foreach $results under..
The thing is, with the same cacert.pem verification, since the last update of cacert.pem on curl.se website (aka the 19/01/2021), this module doesn't work at all with the same error!
I'm a new user with Google API and I don't understand everything.

i've finally hosted my app today, to get it online, and it seems to work.
As my host use ssl by let's encrypt, my app dont use the cacert.pem as scpecified just above in the post, but it use the main certificate of my website, which is my host certificate.
When i've tested it, the error seems appear when the app request to : https://oauth2.googleapis.com/token, and it appear just when i've updated to the last cacert.pem file, so i guess there is an error somewhere that is not made by my hand...

PodioConnectionError for localhost using PHP client library

I used OpenSSL to generate an SSL Certificate for my localhost, but the self-signed certificate seems to be causing problems when authenticating with Podio:
Fatal error: Uncaught PodioConnectionError: Connection to Podio API failed: [60] SSL certificate problem: self signed certificate in certificate chain
I tried downloading cacert.pem and adding it to my php.ini file curl.cainfo=<path-to>cacert.pem, but after restarting the server, I still get the same error.
With some other library's I've had to set CURLOPT_SSL_VERIFYPEER, but I'm not sure how I would do that anyway using the Podio PHP client library...
Any tips on debugging this error?

I found out how to set CURLOPT_SSL_VERIFYPEER => false when using the Podio PHP client library:
$options = array('curl_options' => array(CURLOPT_SSL_VERIFYPEER => false));
Podio::setup($client_id, $client_secret, $options);
Now I just have to remember to remove this in production...

endpoint not exist for Mailgun V3 issue with Yii2 extension

I am using https://github.com/boundstate/yii2-mailgun
Yii2 extension for Mailgun and extending it on my wrapper class.
i configure as shown in documentation in web.php ,
'mailer' => [
'class' => 'boundstate\mailgun\Mailer',
'key' => 'key-85886fafb248373bd90a396',// valid key
'domain' => 'sandbox5d98013abb1749fd94b68.mailgun.org',//valid domain
],
Now,
when i am using it by,
Yii::$app->mailer->compose()
->setFrom('valid-email-address')
->setTo('valid-email-address')
->setSubject("test mail from mailgun api")
->send();
first , i got issue with SSL for my localhost.
GuzzleHttp\Exception\RequestException
cURL error 60: SSL certificate problem: unable to get local issuer certificate
↵
Caused by: GuzzleHttp\Ring\Exception\RingException
there is no any configuration to set SSL => false through config as we can do with sendgrid extension.
and also i am facing this error after this,
Mailgun\Connection\Exceptions\MissingEndpoint
The endpoint you've tried to access does not exist. Check your URL
In mailgun Api , they are using "api.mailgun.net" ,although it throws such kind of error ..
Is there any solution for these two issues ??

Maybe you can read this issue in github first #130 and #175.
To solve your problem you can manually add this line in your php.ini(based on Comment on that issues)
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo = "C:\php\extras\cacert.pem"
Or you can use my way, by added it manually with instance Client adapter from guzzle like this. If you want use ssl, you can set verify to false
use Http\Adapter\Guzzle6\Client;
$httpClient = Client::createWithConfig([
'verify' => __DIR__ . '/../config/ca-cert.pem'
]);
$mailgun = new Mailgun(self::$apiKey, $httpClient);

SOAP-ERROR: Parsing WSDL: Couldn't load from - but works on WAMP

This works fine on my WAMP server, but doesn't work on the linux master server!?
try{
$client = new SoapClient('http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl', ['trace' => true]);
$result = $client->checkVat([
'countryCode' => 'DK',
'vatNumber' => '47458714'
]);
print_r($result);
}
catch(Exception $e){
echo $e->getMessage();
}
What am I missing here?! :(
SOAP is enabled
Error
SOAP-ERROR: Parsing WSDL: Couldn't load from 'http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl' : failed to load external entity "http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl"/taxation_customs/vies/checkVatService.wsdl"
Call the URL from PHP
Calling the URL from PHP returns error
$wsdl = file_get_contents('http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl');
echo $wsdl;
Error
Warning: file_get_contents(http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl): failed to open stream: HTTP request failed! HTTP/1.0 503 Service Unavailable
Call the URL from command line
Calling the URL from the linux command line HTTP 200 is returned with a XML response
curl http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl

For some versions of php, the SoapClient does not send http user agent information. What php versions do you have on the server vs your local WAMP?
Try to set the user agent explicitly, using a context stream as follows:
try {
$opts = array(
'http' => array(
'user_agent' => 'PHPSoapClient'
)
);
$context = stream_context_create($opts);
$wsdlUrl = 'http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl';
$soapClientOptions = array(
'stream_context' => $context,
'cache_wsdl' => WSDL_CACHE_NONE
);
$client = new SoapClient($wsdlUrl, $soapClientOptions);
$checkVatParameters = array(
'countryCode' => 'DK',
'vatNumber' => '47458714'
);
$result = $client->checkVat($checkVatParameters);
print_r($result);
}
catch(Exception $e) {
echo $e->getMessage();
}
Edit
It actually seems to be some issues with the web service you are using. The combination of HTTP over IPv6, and missing HTTP User Agent string, seems to give the web service problems.
To verify this, try the following on your linux host:
curl -A '' -6 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
this IPv6 request fails.
curl -A 'cURL User Agent' -6 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
this IPv6 request succeeds.
curl -A '' -4 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
curl -A 'cURL User Agent' -4 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
both these IPv4 request succeeds.
Interesting case :) I guess your linux host resolves ec.europa.eu to its IPv6 address, and that your version of SoapClient did not add a user agent string by default.

Security issue: This answer disables security features and should not be used in production!
Try this. I hope it helps
$options = [
'cache_wsdl' => WSDL_CACHE_NONE,
'trace' => 1,
'stream_context' => stream_context_create(
[
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true
]
]
)
];
$client = new SoapClient($url, $options);

This issue can be caused by the libxml entity loader having been disabled.
Try running libxml_disable_entity_loader(false); before instantiating SoapClient.

It may be helpful for someone, although there is no precise answer to this question.
My soap url has a non-standard port(9087 for example), and firewall blocked that request and I took each time this error:
ERROR - 2017-12-19 20:44:11 --> Fatal Error - SOAP-ERROR: Parsing
WSDL: Couldn't load from 'http://soalurl.test:9087/orawsv?wsdl' :
failed to load external entity "http://soalurl.test:9087/orawsv?wsdl"
I allowed port in firewall and solved the error!

Try changing
$client = new SoapClient('http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl', ['trace' => true]);
to
$client = new SoapClient('http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl', ['trace' => true, 'cache_wsdl' => WSDL_CACHE_MEMORY]);
Also (whether that works or not), check to make sure that /tmp is writeable by your web server and that it isn't full.

Try enabling openssl extension in your php.ini if it is disabled.
This way I could access the web service without need of any extra arguments, i.e.,
$client = new SoapClient(url);

None of the above works for me, so after a lot of research, I ended up pre-downloading the wsdl file, saving it locally, and passing that file as the first parameter to SoapClient.
Worth mentioning is that file_get_contents($serviceUrl) returned empty response for me, while the url opened fine in my browser. That is probably why SoapClient also could not load the wsdl document. So I ended up downloading it with the php curl library. Here is an example
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $serviceUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$wsdl = curl_exec($ch);
curl_close($ch);
$wsdlFile = '/tmp/service.wsdl';
file_put_contents($wsdlFile, $wsdl);
$client = new SoapClient($wsdlFile);
You can of course implement your own caching policy for the wsdl file, so it won't be downloaded on each request.

503 means the functions are working and you're getting a response from the remote server denying you. If you ever tried to cURL google results the same thing happens, because they can detect the user-agent used by file_get_contents and cURL and as a result block those user agents. It's also possible that the server you're accessing from also has it's IP address blackballed for such practices.
Mainly three common reasons why the commands wouldn't work just like the browser in a remote situation.
1) The default USER-AGENT has been blocked.
2) Your server's IP block has been blocked.
3) Remote host has a proxy detection.

After hours of analysis reading tons of logs and internet, finally found problem.
If you use docker and php 7.4 (my case) you probably get error because default security level in OpenSSL it too high for wsdl cert. Even if you disable verify and allow self-signed in SoapClient options.
You need lower seclevel in /etc/ssl/openssl.cnf from DEFAULT#SECLEVEL=2 to
DEFAULT#SECLEVEL=1
Or just add into Dockerfile
RUN sed -i "s|DEFAULT#SECLEVEL=2|DEFAULT#SECLEVEL=1|g" /etc/ssl/openssl.cnf
Source: https://github.com/dotnet/runtime/issues/30667#issuecomment-566482876
You can verify it by run on container
curl -A 'cURL User Agent' -4 https://ewus.nfz.gov.pl/ws-broker-server-ewus/services/Auth?wsdl
Before that change I got error:
SSL routines:tls_process_ske_dhe:dh key too small

It was solved for me this way:
Every company from which you provide "Host" has a firewall.
This error occurs when your source IP is not defined in that firewall.
Contact the server administrator to add the IP.
Or the target IP must be defined in the server firewall whitelist.

I use the AdWords API, and sometimes I have the same problem.
My solution is to add
ini_set('default_socket_timeout', 900);
on the file
vendor\googleads\googleads-php-lib\src\Google\AdsApi\AdsSoapClient.php line 65
and in the
vendor\googleads-php-lib\src\Google\AdsApi\Adwords\Reporting\v201702\ReportDownloader.php line 126
ini_set('default_socket_timeout', 900);
$requestOptions['stream_context']['http']['timeout'] = "900";
Google package overwrite the default php.ini parameter.
Sometimes, the page could connect to 'https://adwords.google.com/ap
i/adwords/mcm/v201702/ManagedCustomerService?wsdl and sometimes no.
If the page connects once, The WSDL cache will contain the same page, and the program will be ok until the code refreshes the cache...

Adding ?wsdl at the end and calling the method:
$client->__setLocation('url?wsdl');
helped to me.

I might have read all questions about this for two days. None of the answers worked for me.
In my case I was lacking cURL module for PHP.
Be aware that, just because you can use cURL on terminal, it does not mean that you have PHP cURL module and it is active.
There was no error showing about it. Not even on /var/log/apache2/error.log
How to install module:
(replace version number for the apropiated one)
sudo apt install php7.2-curl
sudo service apache2 reload

I had the same problem
From local machines everything work (wamp + php5.5.38 or vagrant + php 7.4), but from prod linux server I had error
SOAP-ERROR: Parsing WSDL: Couldn't load from 'http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl' : failed to load external entity "http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl"
From redirect path plugin in chrome I discovered permanent redirect to https, but change url to https doesnt help.
Status Code URL IP Page Type Redirect Type Redirect URL
301 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl 147.67.210.30 server_redirect permanent https://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
200 https://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl 147.67.210.30 normal none none
After few attempts of different code solutions helped my our server provider. He discovered problem in IP forwarding with ipv6.
http://ec.europa.eu/
Pinging ec.europa.eu [147.67.34.30] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Recommendation was user stream_context_create with socket and bind to 0:0. this forces ipv4
// https://www.php.net/manual/en/context.socket.php
$streamContextOptions = [
'socket' => [
'bindto' => '0:0'
],
];
$streamContext = stream_context_create($streamContextOptions);
$soapOptions = [
'stream_context' => $streamContext
];
$service = new SoapClient('https://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl', $soapOptions);

I had similar error because I accidently removed attribute
[ServiceContract] from my contract, yet the service host was still opening successfully. Blunders happen

May try to see if the endpoint supports https as well

Below solution worked for me.
1- Go to php.ini in ubuntu with apache is /etc/php/7.4/apache2
( note: you should use your php version replace by 7.4 )
2- Remove ; from this line ;extension=openssl to make in uncommented.
3- Restart your web server sudo service apache2 restart

SSl Certificate issue with Omnipay and CI

I am trying to make a simple payment through my paypal sandbox from my local machine. I am using the Omnipay library in Codeigniter.
I setup a sandbox account at developer.paypal.com and a test application. This is the code I am using:
$gateway = GatewayFactory::create('PayPal_Express');
$gateway->setUsername([username]);
$gateway->setPassword([password]);
$gateway->setSignature([signature]);
$gateway->setTestMode(true);
$params = array(
'amount' => '1.00',
'currency' => 'USD',
'description' => 'test purchase',
'transactionId' => '123',
'transactionReference' => '123ref',
'returnUrl' => [returnUrl],
'cancelUrl' => [cancelUrl],
);
$response = $gateway->purchase($params);
I am getting the following error:
Fatal error: Uncaught exception 'Buzz\Exception\ClientException' with message 'SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed' in...
I installed omnipay using composer with something called BUZZ. I am pretty new to doing paypal transactions online and not sure If I need to setup a local ssl certificate. If I do, can someone point me in the direction for setting that up?
Thanks.

That sounds pretty dodgy. Omnipay uses Guzzle to make the HTTPS requests to PayPal, and Guzzle bundles the latest root SSL certificates for you. So you should not see any HTTPS warnings.
Does this work locally for you? Have you tried different servers? If you are on shared hosting it is possible that your web host is trying to proxy your requests, which means they are essentially performing a man in the middle attack, potentially making your website insecure.
EDIT: Just noticed that error is actually coming from Buzz, not Guzzle. How did you install that? What does your composer.json file look like? Which version of Omnipay are you running? If you upgrade to the latest version of Omnipay (2.0) it will use Guzzle internally and this should fix the SSL error.

I found an answer on omnipay's issues page (at least for testing): https://github.com/omnipay/omnipay/issues/13
For Local Testing Only:
Add these lines to the file /buzz/lib/Buzz/Client/Curl.php, just before curl_exec method...
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);

Categories