I need to access the Web Service of Navision that is using Navision User + SSL. The connector I am using is based in PHP.
I am able to connect to simple http access and using Window's User. This is the tutorial that helped me achieve this Navision Web Service PHP written by Freddy.
I'm still using it but played around on adding the certificate in the curl/request. Researched and read a lot of article but I still cannot achieve it.
I am now able to access it using the base php connector shared above (link) but when retrieving data I am receiving the details below:
... successfully set certificate verify locations:
* CAfile: /Path/Navision.pem
* SSL connection using TLSv1.0 / AES256-SHA
* Server certificate:
...
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using NTLM with user 'user'
POST Navision Page URL Name HTTP/1.1
Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
...
Method: POST
Connection: Keep-Alive
User-Agent: PHP-SOAP-CURL
Content-Type: text/xml; charset=utf-8
SOAPAction: "urn:microsoft-dynamics-schemas/page/pda_item_list:ReadMultiple"
...
< HTTP/1.1 401 Unauthorized ...
I used the certificate by using the makecert.exe. I have these files 2 .cer, a pvk and a .crl.. We used one of the .cer file took the thumbprint to apply it on the navision service instance. Which of the file is the correct one to be used by the php curl connector.
Here is my request php code:
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_NTLM);
curl_setopt($ch, CURLOPT_USERPWD, USERPWD);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_CAINFO, __DIR__ . '/Navision.pem');
Any link that is related would be much appreciated specially if I'll be able to use the web service of Navision using PHP connector by accessing it using Navision User and SSL.
UPDATE
I am now able to use the valid certificate and able to pass through properly.
Still it doesn't now work and returns the the same error above.. Unauthorized 401.
Most likely it is because of my Navision setup or I am just passing the credentials in a wrong way? I am still researching and playing so currently I am still not able to pull the data.
you have two options :
have second service tier which is using Username authentication. This will enable PHP to use Basic Auth. You'll need a cert in this case
the second option is to use the same service tier but generate a Web Service Key for the use what the PHP is using. You can use Basic Auth using the same Username but using the Web Service Key as password
PHP is not a fan of NTLM authentication...
Cheers
Related
I try to send curl request with my correct APP_ID, APP_SECRET etc. to the
https://oauth.vk.com/access_token?client_id=APP_ID&client_secret=APP_SECRET&code=7a6fa4dff77a228eeda56603b8f53806c883f011c40b72630bb50df056f6479e52a&redirect_uri=REDIRECT_URI
I need to get access_token from it, but get a FALSE and curl_error() print next message otherwise:
60: SSL certificate problem: self signed certificate in certificate chain
My code is:
// create curl resource
$ch = curl_init();
// set url
curl_setopt($ch, CURLOPT_URL, $url);
//return the transfer as a string
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// $output contains the output string
$output = curl_exec($ch);
if ( ! $output) {
print curl_errno($ch) .': '. curl_error($ch);
}
// close curl resource to free up system resources
curl_close($ch);
return $output;
When I move manually to the link above, I get access_token well. Why it doesn't work with curl? Help, please.
Answers suggesting to disable CURLOPT_SSL_VERIFYPEER should not be accepted. The question is "Why doesn't it work with cURL", and as correctly pointed out by Martijn Hols, it is dangerous.
The error is probably caused by not having an up-to-date bundle of CA root certificates. This is typically a text file with a bunch of cryptographic signatures that curl uses to verify a host’s SSL certificate.
You need to make sure that your installation of PHP has one of these files, and that it’s up to date (otherwise download one here: http://curl.haxx.se/docs/caextract.html).
Then set in php.ini:
curl.cainfo = <absolute_path_to> cacert.pem
If you are setting it at runtime, use (where $ch = curl_init();):
curl_setopt ($ch, CURLOPT_CAINFO, dirname(__FILE__)."/cacert.pem");
This workaround is dangerous and not recommended:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
It's not a good idea to disable SSL peer verification. Doing so might expose your requests to MITM attackers.
In fact, you just need an up-to-date CA root certificate bundle. Installing an updated one is as easy as:
Downloading up-to-date cacert.pem file from cURL website and
Setting a path to it in your php.ini file, e.g. on Windows:
curl.cainfo=c:\php\cacert.pem
That's it!
Stay safe and secure.
If the SSL certificates are not properly installed in your system, you may get this error:
cURL error 60: SSL certificate problem: unable to get local issuer
certificate.
You can solve this issue as follows:
Download a file with the updated list of certificates from https://curl.haxx.se/ca/cacert.pem
Move the downloaded cacert.pem file to some safe location in your system
Update your php.ini file and configure the path to that file:
Important: This issue drove me crazy for a couple days and I couldn't figure out what was going on with my curl & openssl installations. I finally figured out that it was my intermediate certificate (in my case, GoDaddy) which was out of date. I went back to my godaddy SSL admin panel, downloaded the new intermediate certificate, and the issue disappeared.
I'm sure this is the issue for some of you.
Apparently, GoDaddy had changed their intermediate certificate at some point, due to scurity issues, as they now display this warning:
"Please be sure to use the new SHA-2 intermediate certificates included in your downloaded bundle."
Hope this helps some of you, because I was going nuts and this cleaned up the issue on ALL my servers.
To add a more specific answer, I ran into this when using Guzzle v7, the PHP HTTP request package. Guzzle allows you to bypass this like so:
use GuzzleHttp\Client;
$this->client = new Client([
'verify' => false,
]);
Original source comment: https://github.com/guzzle/guzzle/issues/1490#issuecomment-375667460
Error: SSL certificate problem: self signed certificate in certificate
chain
Solution:
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_FAILONERROR, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
I create a php-curl file to akses API from another server:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://192.168.4.2/sdk_service/rest/users/login/v1.1');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
// curl_setopt($ch, CURLOPT_CAINFO, "C:/xampp/htdocs/curl/cibinong/cacert.pem");
// curl_setopt($ch, CURLOPT_CAPATH, "C:/xampp/htdocs/curl/cibinong/");
$result = curl_exec($ch);
if (curl_error($ch)) {
echo curl_error($ch);
}
print_r($result);
I got error message:
SSL certificate problem: unable to get local issuer certificate
Help Me, maybe i miss something?
The problem is in the fact that you get an invalid SSL certificate, you need to turn off some checks. Can you try it with the following options?
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
This will skips the verification of the SSL host and SSL peer. Because, that is what you need in this case.
You're accessing a HTTPS URL using an IP address, which is very rarely actually working. Most sites require a name for SNI to be used to get the correct server cert and many CAs don't even sell you certs for plain IP addresses.
Instead of disabling the cert-check you should consider accessing this server using its "proper" and offical name so that the server knows which cert to offer in the TLS handshake.
If you really want to connect to this specific IP address and still use the right name in the URL, you can do so with the CURLOPT_RESOLVE option. Documented among the other CURL options.
Don't settle with disabling the cert-check. That's a poor work-around that only risks sticking around forever and makes you vulnerable.
I'm wondering i export the certificate of a website will it get exported with some of my personal info?
Basically I'm working on a cURL script and other people are gonna use it too so the following would not be the best option:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
So i came across a guide on how to verify the certificate and it says i need to export it and attach those lines to my code:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt");
Now the problem is i don't really know how this thing works, is it safe to export a certificate and let others use the cURL with it or the certificate has some of my own info (Users/Password/Activity etc..) when exported thru my browser?
SOLVED: This is the guide i was using for those who will find this topic later: LINK and the Certificate i was talking about is from Facebook.
:)
That depends. Server HTTPS certificates are global, and so are CA certificates (which is what you seem to be after). These are used by the client to verify that it's talking to the correct server securely.
On the other hand, it is possible for the server to verify a client-side certificate, to verify "who is the user" (that does not seem to be the case here).
Using PHP, I send a .PEM certificate to a remote host with an outgoing request like this:
curl_setopt($curl, CURLOPT_SSLCERT, '/path/to/file.pem');
Is there a way to do this using VB .NET?
Look at the X509Certificate2 Class...load the certificate object then use the
ToString(True)
To get a verbose result...then transport that however you wish (including via SSL)...HttpWebRequest if the remote machine is open to accept http...here is a stackoverflow question on that.
I need to access a RESTful webservice from PHP (only GET for now). The service can only be accessed over HTTPS with a valid client certificate.
I found plenty of basic auth examples for PHP, but not a single one for client-side cert-based HTTP auth. Is there a PHP HTTP client which can also send certificates to the server?
For now I am using an external application (wget), but this is rather slow and hacky.
Certificate-based authentication is not part of HTTP but part of SSL/TLS.
You can use cURL to do such authentication:
$ch = curl_init('https://example.com/');
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, '1');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, '1');
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cert/ca.crt');
curl_setopt($ch, CURLOPT_SSLCERT, '/path/to/cert/client-cert.pem');
$response = curl_exec();
curl_close($ch);
See the manual page of curl_setopt for more information on the options.