I am trying to debug a problem with ssl certificate verification and have determined that openssl get cert locations with returning incorrect paths. (See below)
How do I figure out how to set this? I looked in the php.ini file and couldn't find this reference anywhere.
cmuench-air:bin cmuench$ ./php -r "print_r(openssl_get_cert_locations());"
Array
(
[default_cert_file] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl/private
[default_default_cert_area] => /bitnami/mampstack56Dev-osx-x64/output/common/openssl
[ini_cafile] =>
[ini_capath] =>
)
php.ini (relevant parts)...I don't see bitnami/mampstack56Dev anywhere...
[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=
;Curl ca bundle certificate
curl.cainfo="/Applications/phppos/common/openssl/certs/curl-ca-bundle.crt"
EDIT:
I know this is dumb but there are times where the ssl certificate will be self signed. Is there an ini setting I can modify to disable checking all certificates? or do I have to do this in code for sockets and curl?
If you check the PHP source for the openssl_get_cert_locations() function, it is getting those locations by calling various OpenSSL functions such as X509_get_default_cert_file and looking at php.ini values openssl.cafile and openssl.capath described here.
What certificates/paths are you looking for exactly? If you are trying to get a CA bundle file you could set the above referenced php.ini values so they are returned by openssl_get_cert_locations.
The default php.ini file for PHP 5.6 has no default settings for those OpenSSL ini settings as they need to be defined manually. This configuration is located near the end of php.ini
[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=
When using cURL, you can use the option CURLOPT_CAINFO to provide the full path to the file holding one or more certificates to verify the peer with by using curl_setopt():
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/ca/bundle");
This can also be set in php.ini:
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
;curl.cainfo =
Related
I use MAMP as local development environment. I want to implement a Google Auth - but keep getting this SSL Error.
As other SO topics suggest, I already added this line of code in my PHP.ini file:
curl.cainfo ="C:/MAMP/bin/php/php7.4.1/extras/ssl/cacert.pem"
and added the latest CA certificate from here: https://curl.se/docs/caextract.html in my PHP SSL folder: C:\MAMP\bin\php\php7.4.1\extras\ssl
Any ideea how to pass this SSL error on my local enviroment?
This is the code:
$google_client = new \Google_Client();
$google_client->setClientId($clientID);
$google_client->setClientSecret($clientSecret);
$google_client->setRedirectUri($redirectUri);
$google_client->addScope("email");
$google_client->addScope("profile");
if($this->request->getVar('code')){
$token = $google_client->fetchAccessTokenWithAuthCode($this->request->getVar('code'));
if(!isset($token['error'])){
$google_client->setAccessToken($token['access_token']);
$this->session->set('access_token', $token['access_token']);
//get Google profile data
$google_service = new \Google_Service_Oatuth2($google_client);
$data = $google_service->userinfo->get();
print_r($data);
Setting the value for "curl.cainfo" didn't help me.
Instead i had to set the value in the "openssl"-section of my current php.ini (Find the current "php.ini"-file in shell with command 'which php'.):
Uncomment and set the openssl.cafile (path is for MacOS):
openssl.cafile="/Applications/MAMP/Library/OpenSSL/certs/cacert.pem"
(Downloaded the pem-file as suggested from https://curl.se/docs/caextract.html )
Update the location of the cacert.pem in your openssl.cnf file to point to the latest version you got from curl.se and you should be right.
The solution described by #tFranz works great! Please note, you can also use your system's cert file instead of MAMP's. This is how I did it:
Find the folder that should contain your cert.pem using this line:
$ openssl version -d
OPENSSLDIR: "/private/etc/ssl"
Open this folder in Finder using:
$ open /private/etc/ssl
Look for a cert.pem file. If you have it, you can add it to your php.ini file:
openssl.cafile="/private/etc/ssl/cert.pem"
I am using Firebase php SDK link and working with laravel latest version on XAMMP server on windows 10 but when i try to use Firebase APi using above php SDK i get this error.i download .pem certificate manually but still not working
Error
Kreait \ Firebase \ Exception \ ApiException
cURL error 77: error setting certificate verify locations: CAfile: C:\xampp\apache\bin\curl-ca-bundle.crt CApath: none (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
Previous exceptions
cURL error 77: error setting certificate verify locations: CAfile: C:\xampp\apache\bin\curl-ca-bundle.crt CApath: none (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) (0)
In your case, simply do this
Open your php.ini file and update this
;openssl.cafile=
with
openssl.cafile="C:\xampp\apache\bin\curl-ca-bundle.crt"
For others who might face this error, follow this:
It has to do with your cURL certification. Take these steps:
Head over to http://curl.haxx.se/ca/cacert.pem. This link gets you (downloads) the latest cacert.pem file.
Use this command on your terminal on the application you are currently working on so that you would know the exact PHP used in cases of multiple installations of PHP on your computer, php -i | grep 'Configuration File'. This shows you the exact location of the php.ini file for the current application you are running. For instance, mine is C:\php-7.4.11\php.ini. Note this location as we will use it soon.
Go into this location C:\php-7.4.11 ie. the folder containing the php.ini file in my case, open "extras", open "ssl" (for clarity sake, mine looks like this C:\php-7.4.11\extras\ssl). In this folder, paste in the newly downloaded cacert.pem file from Step 1 above.
Right-click on the cacert.pem file and unblock it from "Properties" as it could complain of coming from another computer. Still on this Properties section pop-up, copy the new file location link from the "Security" section (mine is C:\php-7.4.11\extras\ssl\cacert.pem ensure to copy yours). You can also copy this from the file browser header.
Go to this location C:\php-7.4.11\php.ini (this is my php.ini location. Go to yours) and update the following 2 fields on your php.ini file.
;curl.cainfo =
;openssl.cafile=
with
curl.cainfo ="C:\php-7.4.11\extras\ssl\cacert.pem"
openssl.cafile="C:\php-7.4.11\extras\ssl\cacert.pem"
Restart your xampp/wamp server. In my case, I also restart every other server running.
NB: You get cURL 60 error if curl.cainfo is not updated. And cURL 77 if openssl.cafile is not updated.
Also, do not forget to uncomment the ; before curl.cainfo and openssl.cafile.
Hope this helps someone.
In my case using MAMP PRO I had this error :
CURL error: error setting certificate verify locations:
CAfile: /Applications/MAMP/Library/OpenSSL/cert.pem
CApath: none
The file /Applications/MAMP/Library/OpenSSL/cert.pem was a symlink to /Applications/MAMP/Library/OpenSSL/certs/cacert.pem
it appeared that the file was here but seems to be corrupted or out of date.
I downloaded the new one from here and replaced it. Then it worked again.
I have a PHP site that queries several APIs via HTTPS. All work, except for reCAPTCHA. This produces the following error:
cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
A common solution to this problem is to download a .pem file from the curl site and add it to the PHP.ini file, which I did:
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo="/var/www/cacert.pem"
[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
openssl.cafile="/var/www/cacert.pem"
The error still happens. If I check phpinfo() the curl property is not set, but the openssl property is:
I have restarted php-fpm and hard rebooted the server to no avail. There are no relevant errors in the startup log.
I am using PHP Version 7.2.4-1+ubuntu14.04.1+deb.sury.org+1
This issue was solved by upgrading OpenSSL to the latest version, OpenSSL 1.1.0h 27 Mar 2018.
I'm trying to run composer update on windows 10 behind a proxy server, it gives me an error.
and I set http proxy using below command
SET HTTP_PROXY="http://192.168.1.6:808"
SET HTTPS_PROXY="http://192.168.1.6:808"
this also return same error.
Here are the key points to make Composer work behind a proxy (works on Windows, didn't try on Linux):
1) URL encode your password (for special characters)
You can do that easily with the PHP command line, for example:
Input:
php -r "echo urlencode('P*a/$$/w!0%r$d');"
Output:
P%2Aa%2F%24%24%2Fw%210%25r%24d
Use the generated value to set the HTTP_PROXY and HTTPS_PROXY env variables.
2) Remove the quotes around the HTTP_PROXY and HTTPS_PROXY env variables
From:
SET HTTP_PROXY="http://username:password#hostname:port"
SET HTTPS_PROXY="http://username:password#hostname:port"
To:
SET HTTP_PROXY=http://username:password#hostname:port
SET HTTPS_PROXY=http://username:password#hostname:port
Composer WON'T WORK with quotes, it uses the PHP core function "parse_url" to parse the variable:
With quotes:
php -r "print_r(parse_url('\"http://username:password#proxy:8080\"'));"
Array
(
[path] => "http://username:password#proxy:8080"
)
Without quotes:
php -r "print_r(parse_url('http://username:password#proxy:8080'));"
Array
(
[scheme] => http
[host] => proxy
[port] => 8080
[user] => username
[pass] => password
)
3) Make sure the certificate authority file or path is correctly set for HTTPS connections
Composer will use the first readable file or path in the following order:
Env variables:
SSL_CERT_FILE
SSL_CERT_DIR
php.ini:
openssl.cafile
openssl.capath
Files:
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/ca-bundle.pem
/usr/local/share/certs/ca-root-nss.crt
/usr/ssl/certs/ca-bundle.crt
/opt/local/share/curl/curl-ca-bundle.crt
/usr/local/share/curl/curl-ca-bundle.crt
/usr/share/ssl/certs/ca-bundle.crt
/etc/ssl/cert.pem
/usr/local/etc/ssl/cert.pem
/usr/local/etc/openssl/cert.pem
Non-empty folder:
/etc/pki/tls/certs/
/etc/ssl/certs/
/etc/ssl/
/usr/local/share/certs/
/usr/ssl/certs/
/opt/local/share/curl/
/usr/local/share/curl/
/usr/share/ssl/certs/
/etc/ssl/
/usr/local/etc/ssl/
/usr/local/etc/openssl/
If none of the above is valid, Composer will use its embedded file:
composer.phar /vendor/composer/ca-bundle/res/cacert.pem
4) If you experience the "certificate verify failed" error
[Composer\Downloader\TransportException]
The "https://packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
failed to open stream: Cannot connect to HTTPS server through proxy
This means that the used CA file or path does not contains the required certificates.
You may then:
extract the default file from composer.phar:
php -r "(new Phar('composer.phar'))->extractTo('/tmp/cacert/', 'vendor/composer/ca-bundle/res/cacert.pem');"
then add the required certificates (e.g. your company proxy certificates) to the end of the file
and force this file in php.ini
[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
openssl.cafile=/tmp/cacert/vendor/composer/ca-bundle/res/cacert.pem
Maybe it needs authentication too? Try this if so:
SET HTTP_PROXY="http://username:password#hostname:port"
SET HTTPS_PROXY="http://username:password#hostname:port"
encode your password then use
SET HTTP_PROXY="http://username:encodedPassword#hostname:port"
SET HTTPS_PROXY="http://username:encodedPassword#hostname:port"
The best way if it fails to work is to enter this command
SET HTTP_PROXY=0
SET HTTPS_PROXY=0
This will empty the proxy then you can now use composer.install
OS: Ubuntu 16.01
PHP: 7/0
Based on some googling, and input from questions on StackOverflow, I am setting the following Curl options:
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_SSL_VERIFYHOST => 2,
CURLOPT_CAINFO = '/etc/ssl/certs',
I verified that /etc/ssl/certs directory exists, and that it is current.
I also modified the file /etc/php/7.0/cli/php/ini:
openssl.capath='/etc/ssl/certs'
When I try to make the Curl call, I get the following error:
[error] => error setting certificate verify locations:
CAfile: /etc/ssl/certs
CApath: /etc/ssl/certs
I edited the permissions in the /etc/ssl/certs to:
rwxr-xr-x
But I am getting the same error.
Any ideas?
CURLOPT_CAINFO should only be set if the certs you want to use are in just one file. If you want use a whole directory (as you would typically want to do on Ubuntu), only set the CURLOPT_CAPATH value.
From the docs:
CURLOPT_CAINFO: The name of a file holding one or more certificates to verify the peer with.
CURLOPT_CAPATH: A directory that holds multiple CA certificates.