I'm trying out Mandrill. It looks nice. I signed up with an account and got an api key. Downloaded the Mandrill PHP wrapper from
https://bitbucket.org/mailchimp/mandrill-api-php
This post seemed to have a pretty good hello-world Mandrill email example, so I tried it out:
Simple php function to send an email with Mandrill
Kept getting this error:
API call to templates/add failed: Problem with the SSL CA cert (path? access rights?)
I followed the instructions from these S.O. posts:
error in send email using Mandrill (php)
HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK
Grabbed the .pem file from http://curl.haxx.se/docs/caextract.html
and made sure the curl api pointed to that file inside the Mandrill api
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");
The .pem file is readable. No crazy permissions situations.
No help. Same deal:
API call to templates/add failed: Problem with the SSL CA cert (path? access rights?)
Googling around I followed the CentOS 6.0 steps here:
http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html
As well as the steps here:
http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
Same error. As a last try, I set curl to ignore the ssl-step entirely. This of course is not advised, but I just wanted to feel solid ground under my feet. I went back into Mandrill.php and gave this a shot.
curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($this->ch, CURLOPT_SSL_VERIFYPEER, 0);
Again, same error. I was wondering if someone else can shed some light on this for me. I've exhausted google. (It gave me a recaptcha because I was using it too much). Thanks for your time!
(System: CentOS 6.5, PHP 5.3)
Odd that you're having this issue on Linux (known problem in Windows though).
The only thing I can think of is that you try to load the .pem as a default via your php.ini-file, check curl.cainfo and supply an absolute path to the cacert.pem-file. That should make it so that you don't have to use CURLOPT_CAINFO – and perhaps gives a better result?
Half off-topic; if you don't need all the features that the API gives you, you can also use an SMTP-connection (always easier to work with).
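The error in this question names two suspects, the path and the access rights, and the reply adds a third check (an absolute path in curl.cainfo). The script below is an added example, not code from either post: it runs those checks on every bundle PHP is configured to use. check_ca_bundle() is a hypothetical helper name and the cacert.pem location next to the script is an assumption.

```php
<?php
// Added example (not from the posts above): pre-flight checks for a CA bundle
// before it is handed to CURLOPT_CAINFO or set as curl.cainfo in php.ini.
// check_ca_bundle() is a hypothetical helper name.

function check_ca_bundle($path)
{
    $real = realpath($path);
    if ($real === false) {
        // Relative paths resolve against the process working directory,
        // which under a web server is often not the script's directory.
        return ["not found: '$path' (working directory is " . getcwd() . ")"];
    }

    $problems = [];
    if ($real !== $path) {
        $problems[] = "not a canonical absolute path; use '$real'";
    }
    if (!is_file($real) || !is_readable($real)) {
        $problems[] = 'not a regular file readable by the user PHP runs as';
        return $problems;
    }

    // The file must hold PEM blocks, not DER bytes or a saved HTML error page.
    $pem = file_get_contents($real);
    $n = preg_match_all(
        '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    if (!$n) {
        $problems[] = 'contains no PEM certificate blocks';
    } elseif (extension_loaded('openssl')) {
        foreach ($m[0] as $i => $block) {
            if (@openssl_x509_read($block) === false) {
                $problems[] = 'certificate block #' . ($i + 1) . ' does not parse';
            }
        }
    }
    return $problems;
}

// Check what php.ini supplies plus a bundle next to this script (assumed name).
$candidates = array_filter([
    ini_get('curl.cainfo'),
    ini_get('openssl.cafile'),
    __DIR__ . '/cacert.pem',
]);
foreach ($candidates as $path) {
    $problems = check_ca_bundle($path);
    echo $path, ': ', $problems ? implode('; ', $problems) : 'OK', PHP_EOL;
}
```

Run it through the web server rather than the command line, because the readability check only means something for the user the failing request runs as.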
Related
I am trying to send SMS using Textmagic from GoDaddy using PHP. I have used the official GitHub page to get the API: https://github.com/textmagic/textmagic-rest-php
The above setup works fine from my local Ubuntu PC and is able to send SMS,
whereas when I host the API on GoDaddy Windows shared hosting and execute the same PHP code, I get the following error.
[ERROR- ] error setting certificate verify locations: CAfile: c:\cgi\php56\curl-ca-bundle.crt CApath: none
What could be the reason?
PHP version: 5.6
I'm not sure if there is something GoDaddy configures that would not make this possible, but the best/most secure way to tackle this is to NOT use CURLOPT_SSL_VERIFYPEER = FALSE, but instead export the certificate chain to X.509. Then use CURLOPT_CAINFO to point to that certificate.
i.e.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/the/certificate-you-exported.crt");
If GoDaddy does not let you do this, my suggestion would be to find another provider.
You can use:
curl_setopt($link, CURLOPT_SSL_VERIFYPEER, FALSE);
but please be sure: you will lose the benefit of certificate verification.
Bypassing verification is not a good idea (anyone sharing the server with you may get the URL and your API key).
If you have root access on the server, please enable permission for the user on the server verification folder:
chmod 755 /usr/share/ssl/certs
This link can help for GoDaddy: https://blog.hqcodeshop.fi/archives/304-Fixing-curl-with-Go-Daddy-Secure-Certificate-Authority-G2-CA-root.html
I'm getting this error:
SSL problem: can't identify local issuer
once I call the function to save an image or retrieve user's Facebook image:
file_get_contents()
What I've done is:
I have my website running on Azure *.azurewebsites.com
I added my custom domain and ssl certificate which were both bought from GoDaddy
I created Certificate Signing Request (CSR) (which GoDaddy asked for) using OpenSSL on my Mac
Signed it with it and downloaded it to get .p7b file and .crt file
I added the .crt file to Azure and everything works fine, my custom domain now has the lock beside it
So after those steps, logging in with Facebook got that error also so I did a temporary fix:
curl_setopt($rest, CURLOPT_SSL_VERIFYPEER, false);
This is not recommended of course, but it allows me to test the rest of the site. The error still occurred but only when invoking file_get_contents(). I've tried these fixes from what I've seen scouring around:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/cacert/cacert.pem");
But no dice. Can someone explain exactly what the error means and also how to combat it? That'd be great. And also, this might be due to creating my Certificate Signing Request with OpenSSL... not sure. Please confirm.
curl_setopt flags work only with the handler you're passing to those calls. file_get_contents has no idea about any of the CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST flags.
Change file_get_contents to curl calls.
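What that change looks like, as an added example that is not part of the answer above: a cURL fetch with verification left on, followed by the stream-context route through which file_get_contents() takes its own TLS settings (this second function goes beyond what the answer suggests). The names fetch_with_curl() and fetch_with_stream() and the bundle path are assumptions.

```php
<?php
// Added example (not from the posts above). fetch_with_curl(),
// fetch_with_stream() and the bundle path are assumptions.

function fetch_with_curl($url, $caBundle)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FAILONERROR     => true,   // treat HTTP >= 400 as an error
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 5,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // no downgrade on redirect
        CURLOPT_TIMEOUT         => 30,
        CURLOPT_SSL_VERIFYPEER  => true,   // chain must lead to a CA in $caBundle
        CURLOPT_SSL_VERIFYHOST  => 2,      // certificate name must match the host
        CURLOPT_CAINFO          => $caBundle,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch)));
    }
    return $body;
}

// file_get_contents() never sees curl_setopt(); it reads its TLS settings
// from the "ssl" section of a stream context instead.
function fetch_with_stream($url, $caBundle)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => $caBundle,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException($err ? $err['message'] : 'fetch failed');
    }
    return $body;
}

// Usage: php fetch.php https://example.com/ /absolute/path/to/cacert.pem
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    echo strlen(fetch_with_curl($argv[1], $argv[2])), " bytes via cURL\n";
    echo strlen(fetch_with_stream($argv[1], $argv[2])), " bytes via stream\n";
}
```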
I should have paid more attention to my classes that covered security. I'm quite confused about something. To start, here's the background of what I'm trying to accomplish.
I have a web service that I need to access. The web service is set up as HTTPS. The traffic between client and server is encrypted (this doesn't have to do with authentication).
I'm interacting with the web service via cURL and PHP. I've gotten an example to work locally over HTTP and I'm fairly confident I'm on the right track with regards to cURL/PHP side of things.
When using the HTTP version of the code to access a web service over HTTPS, I am getting an error code 60 "SSL certificate problem, verify that the CA cert is OK" (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)
From my reading, it seems that I need a PEM file and I need to set additional cURL options such as the following:
CURLOPT_CAINFO
CURLOPT_SSLCERT
CURLOPT_SSLKEYPASSWD
My question is how do I know where to get the PEM file or whether I can simply make it? This is probably going to be an obvious answer as I'm sure I'm missing something but I figure I just need to ask and get the background I'm missing.
Amendment: The web service is using a certificate signed by VeriSign. So it's not a self signed certificate. Also, the web service is owned and operated by an external organization.
Thanks.
Despite googling around prior to asking this, it seems I've stumbled upon the answer after a bit of back-and-forth with 'thatidiotguy' (his user name, not my name for him. ;-) ).
cURL, out of the box, does not trust any CA (VeriSign or otherwise). This needs to be set up on your server. To "solve" the problem, you have two options. You can bypass the verification with the following command:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
Note that this is not optimal with regards to security. Any certificate, signed by a CA or not, will be accepted as trusted.
The proper fix involves getting the original certificate (in my case this means the web service) and "exporting" the certificate as an X.509 Certificate (PEM). The certificate then needs to be appropriately moved to the server and the following configurations set:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); //Check that the common name exists and that it matches the host name of the server
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/path/to/cert/my-exported.crt"); //PEM file
Source: http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
The answer is very simple. You need to download a certificate bundle, one that also ships with regular browsers.
Luckily that work is already done for you here:
http://curl.haxx.se/docs/caextract.html
Once downloaded you specify the path to this file with CURLOPT_CAINFO.
I'm wondering, if I export the certificate of a website, will it get exported with some of my personal info?
Basically I'm working on a cURL script and other people are gonna use it too, so the following would not be the best option:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
So I came across a guide on how to verify the certificate and it says I need to export it and attach those lines to my code:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt");
Now the problem is I don't really know how this thing works. Is it safe to export a certificate and let others use the cURL with it, or does the certificate have some of my own info (Users/Password/Activity etc..) when exported thru my browser?
SOLVED: This is the guide I was using for those who will find this topic later: LINK and the Certificate I was talking about is from Facebook.
:)
That depends. Server HTTPS certificates are global, and so are CA certificates (which is what you seem to be after). These are used by the client to verify that it's talking to the correct server securely.
On the other hand, it is possible for the server to verify a client-side certificate, to verify "who is the user" (that does not seem to be the case here).
I am using the latest Janrain openid library example and the discovery process seems to work well with Yahoo, myopenid.com and others...
But I am stuck with Google endpoint (https://www.google.com/accounts/o8/id). Consumer.php just returns a 406 apache error, before I am redirected to google's page.
All my installation is available here :
http://www.coplango.com/vendor/openid/examples/
Click on consumer to try the consumer example, but discovery.php fails the same way, proving it happens during discovery...
You can also check detect.php to check my installation - The HTTP fetching test fails with a 503 because it tries to reach an address which returns a 503. Rest is fine.
I supposed it was down to php-yadis specifying Accept: application/xrds+xml header but I checked the code and other types are also accepted such as text/html and application/xhtml+xml.
Has anyone come across this?
Any clue?
Thank you very much!
Ok,
I have investigated further and it seems to be down to my provider, who returns a 406 error if any string containing the death word "/id" is passed as GET parameter. Took me days to figure out it was not down to openid !!
For info I am using PlanetHoster, if anyone else ever comes across this. I have sent them a ticket request and am waiting for their answer.
running the consumer example at my machine, i get the following error:
Got no response code when fetching https://www.google.com/accounts/o8/id
CURL error (60): SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
this means curl fails verifying google's https server certificate. you can workaround this by either providing curl with CA certificates to verify google's certificate via CURLOPT_CAINFO/CURLOPT_CAPATH, or - easier - stop validating the cert via CURLOPT_SSL_VERIFYPEER. the following change in Auth/Yadis/ParanoidHTTPFetcher.php accomplishes the latter for me:
--- ParanoidHTTPFetcher.php.orig 2009-04-22 02:31:20.000000000 +0800
+++ ParanoidHTTPFetcher.php 2009-09-30 22:35:24.093750000 +0800
## -127,6 +127,9 ##
Auth_OpenID_USER_AGENT.' '.$curl_user_agent);
curl_setopt($c, CURLOPT_TIMEOUT, $off);
curl_setopt($c, CURLOPT_URL, $url);
+
+ // don't verify server cert
+ curl_setopt($c, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_exec($c);
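Review bot: the added curl_setopt($c, CURLOPT_SSL_VERIFYPEER, FALSE) directly before curl_exec($c) is unconditional, so every HTTPS fetch made through this handle, including the OpenID discovery request it is meant to unblock, accepts whatever certificate the remote end presents. Keep verification on and instead add a CURLOPT_CAINFO (or CURLOPT_CAPATH) line pointing at a CA bundle, which is the first option the surrounding text itself names. If the bypass has to stay for local testing, put it behind a configuration switch that defaults to verifying, and expand the "don't verify server cert" comment to say why it is there.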
of course, your curl installation must also support ssl - check your phpinfo(). also, if CURLOPT_SSL_VERIFYPEER is disabled, CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE.
see also http://www.openrest.eu/docs/openid-not-completely-enabled-for-google.php (via the Related Why doesn't Google OpenID provider work with PHP-OpenId on my server?).
SOLUTION:
In the .htaccess file put
SecFilterEngine Off