I'm new about SSL subject.
I'm trying to send emails though my website (built with Laravel 4.2) and it gives me this error:
stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
If I run this command in the server with root user:
openssl s_client -connect mail.mywebsite.com -starttls smtp
It shows me the correct certificate and gives me this answer at the end:
Verify return code: 0 (ok)
But if I run this command with another user:
su myuser
openssl s_client -connect mail.mywebsite.com -starttls smtp
It shows a different certificate and it gives me this answer at the end:
Verify return code: 18 (self signed certificate)
If I run top -c I see my php processes run with myuser and php-cgi, and since myuser has the wrong certificate, emails are not send.
Can anybody help me?
While I was checking Steffen Ullrich response about openssl path, I found out that I needed to install through WHM the SSL certificate for my non-privileged user, and that was it.
Thanks.
Related
I have a bunch of PHP scripts that use curl to communicate with various services. Currently, one of those services' SSL certificate got updated and my curl started crying about it when I try to get it from my server's CLI:
~$ curl https://example.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
Currently, I hardcoded verify => false to all of my requests in order to keep my scripts operating but that's not something I would like to have laying around.
I got the latest cacert file from mozilla, put it in /etc/ssl/certs/ca-certificates.crt and then ran sudo update-ca-certificates which ran successfully (I suppose..)
~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
But then again curl is not too happy about it, still can't get my resource without passing the -k flag.
You can use the openssl s_client command to further debug the issue, in order to find out what exactly seems to be the problem with the certificate.
openssl s_client -showcerts -servername myservice.com -connect myservice.com:443
I am attempting to running the Symfony Security Checker locally however I am experiencing an issue relating to the SSL connection.
I have tried trashing the SSL_CERT_FILE env variable with:
unset SSL_CERT_FILE
...but that had no effect after logging out and back in to my session.
I've looked at my ~/.bash_profile but can't see anything in here:
alias ll='ls -lG'
alias composer="php /usr/local/bin/composer.phar"
if [ -f `brew --prefix`/git/contrib/completion/git-completion.bash ]; then
. `brew --prefix`/git/contrib/completion/git-completion.bash
fi
...or in my ~/.gitconfig
[user]
name = Picco
email = crmpicco#ayrshireminis.com
The error I get is:
An error occurred: SSL: certificate verification failed (result: 5).
openssl s_client -host security.sensiolabs.org -port 443
CONNECTED(00000003)
5357:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/ssl/s23_clnt.c:593:
openssl s_client -host security.sensiolabs.org -port 443 -cipher 'DEFAULT:!ECDH'
CONNECTED(00000003)
3172:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/ssl/s23_clnt.c:593:
curl -sik -H "Accept: application/json" -F "lock=#composer.lock" https://security.sensiolabs.org/check_lock
Returns no error or output at all.
Can't figure out what could be:
In my local environment, after I updated my OSX to the last version of Yosemite, I get this error:
CurlException: [curl] 51: SSL: certificate verification failed (result: 5) [url]
I'm using Symfony2 so it is related to PHP. I tried to reinstall openssl but nothing happen.
Any suggestion?
Look at the certificate chain for whatever domain is giving you this error. For me it was googleapis.com
openssl s_client -host www.googleapis.com -port 443
You'll get back something like this:
CONNECTED(00000005)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.googleapis.com
i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
Note: I captured this after I fixed the issue. Also, your chain output will look different.
Then you need to look at the certificates allowed in php running under apache. Run phpinfo() in a page.
<?php echo phpinfo();
Then look for the certificate file that's loaded from the page output by searching the page for openssl.cafile:
openssl.cafile openssl.cafile /usr/local/php5/ssl/certs/cacert.pem
This is the file you'll need to fix by adding the correct certificate(s) to it.
sudo nano /usr/local/php5/ssl/certs/cacert.pem
You basically need to append the correct certificate "signatures" to the end of this file.
You can find some of them here:
https://pki.google.com/
https://www.geotrust.com/resources/root-certificates/index.html
They look like this:
(Note: This is an image so people will not simply copy/paste certificates from stackoverflow)
If you need to convert a .crt to pem, you'll need to do something like this:
openssl x509 -inform DER -outform PEM -in GIAG2.crt -out GIA2.pem
Once the right certificates are in this file, restart apache and test.
Someone already asked a similar question, please look here: HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK
also, there is an article here: http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
Fix for this problem is to unset the value for SSL_CERT_FILE
Run the command :
export SSL_CERT_FILE=""
And then try performing the desired actions and it will work properly.
Reference : Curl 'certificate verification failed' on mac
Try to downgrade curl from 7.37.1 (shipped with beta2) to 7.37.0
Add those options to ignore ceritificate:
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
First of all, it is not a problem about certification or dev/distribution.
I used distribution certification, and server url -> gateway.push.apple.com:2195
I tested in my local server(apache2), and it work!
However, in my real server(IIS/Window server) I used same php code, same certification file(.pem), and same iphone application... etc, it printed "Connected to APNS Message successfully delivered", but my phone didn't receive message.
One suspect is, I tested my certification file(.pem) by cmd command line 'openssl s_client -connect gateway.push.apple.com:2195 -cert xxxx.pem', It returned "Verify return code: 20 (unabled to get local issuer certificate). So I found solution that downloaded entrust certification(.cer) and did "openssl s_client -connect gateway.push.apple.com:2195 -cert xxxx.pem -CAfile entrust_2048_ca.cer", and it returned 'Verify return code :0'. So I added my php code 'stream_context_set_option($ctx, 'ssl', 'CAfile', 'entrust_2048_ca.cer');', but it didn't work same problem.
I'm having some problems connecting to a SOAP Service at https://test.salesforce.com. I use the Toolkit-for-PHP v20.0 (https://github.com/developerforce/Force.com-Toolkit-for-PHP) which is based on PHP's native SoapClient.
Software:
MacOS 10.8
Macports 2.1.2
PHP 5.3.15
OpenSSL 1.0.1_c
The only error message I receive after 30 seconds (timeout?) is:
[SoapFault]
Could not connect to host
Strangely, connecting to http://test.salesforce.com (without SSL) or connecting to https://login.salesforce.com (with SSL) works as expected.
I even managed to log into https://test.salesforce.com using soapUI.
So my guess is there has to be some certification/handshake problem but i can't figure out how to get a more detailed error message or how to change anything about the toolkit setup.
I searched google, stackoverflow and the SalesForce discussion boards but nobody seems to have this specific sandbox+SSL problem.
Does anyone have a clue how to debug this problem?
OK, i think it's an issue with macports' openssl binary. Apparently the handshake fails because my client is attempting a SSLv2/SSLv3 handshake which the server does not understand.
openssl s_client -connect test.salesforce.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
[...end...]
Same command with forced SSLv3:
openssl s_client -ssl3 -connect test.salesforce.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 O = VeriSign Trust Network, OU = "VeriSign, Inc.", OU = VeriSign International Server CA - Class 3, OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
[...and so forth...]
Not really sure what to make out of this... the SalesForce toolkit-for-php uses PHP's native SoapClient and I don't know how to force it to use SSLv3.
This is a known bug of the latest versions of macports' port of openssl 1.0.1:
http://trac.macports.org/ticket/33715
Possible solution: install an older openssl version, in this case openssl 1.0.0h:
cd /opt/local/src
sudo svn checkout -r 90715 http://svn.macports.org/repository/macports/trunk/dports/devel/openssl
cd openssl
sudo port install
Taken from:
https://trac.macports.org/wiki/howto/InstallingOlderPort
http://trac.macports.org/ticket/33715#comment:30