I am trying to make a simple payment through my paypal sandbox from my local machine. I am using the Omnipay library in Codeigniter.
I setup a sandbox account at developer.paypal.com and a test application. This is the code I am using:
$gateway = GatewayFactory::create('PayPal_Express');
$gateway->setUsername([username]);
$gateway->setPassword([password]);
$gateway->setSignature([signature]);
$gateway->setTestMode(true);
$params = array(
'amount' => '1.00',
'currency' => 'USD',
'description' => 'test purchase',
'transactionId' => '123',
'transactionReference' => '123ref',
'returnUrl' => [returnUrl],
'cancelUrl' => [cancelUrl],
);
$response = $gateway->purchase($params);
I am getting the following error:
Fatal error: Uncaught exception 'Buzz\Exception\ClientException' with message 'SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed' in...
I installed omnipay using composer with something called BUZZ. I am pretty new to doing paypal transactions online and not sure If I need to setup a local ssl certificate. If I do, can someone point me in the direction for setting that up?
Thanks.
That sounds pretty dodgy. Omnipay uses Guzzle to make the HTTPS requests to PayPal, and Guzzle bundles the latest root SSL certificates for you. So you should not see any HTTPS warnings.
Does this work locally for you? Have you tried different servers? If you are on shared hosting it is possible that your web host is trying to proxy your requests, which means they are essentially performing a man in the middle attack, potentially making your website insecure.
EDIT: Just noticed that error is actually coming from Buzz, not Guzzle. How did you install that? What does your composer.json file look like? Which version of Omnipay are you running? If you upgrade to the latest version of Omnipay (2.0) it will use Guzzle internally and this should fix the SSL error.
I found an answer on omnipay's issues page (at least for testing): https://github.com/omnipay/omnipay/issues/13
For Local Testing Only:
Add these lines to the file /buzz/lib/Buzz/Client/Curl.php, just before curl_exec method...
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
Related
I used OpenSSL to generate an SSL Certificate for my localhost, but the self-signed certificate seems to be causing problems when authenticating with Podio:
Fatal error: Uncaught PodioConnectionError: Connection to Podio API failed: [60] SSL certificate problem: self signed certificate in certificate chain
I tried downloading cacert.pem and adding it to my php.ini file curl.cainfo=<path-to>cacert.pem, but after restarting the server, I still get the same error.
With some other library's I've had to set CURLOPT_SSL_VERIFYPEER, but I'm not sure how I would do that anyway using the Podio PHP client library...
Any tips on debugging this error?
I found out how to set CURLOPT_SSL_VERIFYPEER => false when using the Podio PHP client library:
$options = array('curl_options' => array(CURLOPT_SSL_VERIFYPEER => false));
Podio::setup($client_id, $client_secret, $options);
Now I just have to remember to remove this in production...
I am tryng to send SMS using Textmagic from godaddy using php. I have used the official git-hub page to get API https://github.com/textmagic/textmagic-rest-php
The above setups works fine from my local Ubuntu PC and able to send SMS,
Where as when I host the API to Godaddy Windows shared hosting, and executed the same php code, I got following error.
[ERROR- ] error setting certificate verify locations: CAfile: c:\cgi\php56\curl-ca-bundle.crt CApath: none
What could be the reason.
Php version:5.6
I'm not sure if there is something GoDaddy configures that would not make this possible, but the best/most secure way to tackle this is to NOT use CURLOPT_SSL_VERIFYPEER = FALSE, but instead export the certificate chain to X.509. Then use CURLOPT_CAINFO to point to that certificate.
IE
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/the/certificate-you-exported.crt");
If GoDaddy does not let you do this, my suggestion would be to find another provider.
you can use :
curl_setopt($link, CURLOPT_SSL_VERIFYPEER, FALSE);
but please be sure : you will lose the benefit of certification verification.
bypassing verification is not a good idea , ( may any one with you on the server get the URL and your api key )
if you have a root access on the server please enable permission for the user on the server verification folder :
chmod 755 /usr/share/ssl/certs
this link can help for goddady : https://blog.hqcodeshop.fi/archives/304-Fixing-curl-with-Go-Daddy-Secure-Certificate-Authority-G2-CA-root.html
I'm trying to use CloudConvert API in PhP and I'm getting the following error:
CURLE_SSL_CACERT (60)
Peer certificate cannot be authenticated with known CA certificates.
Reading their API source code I see that they use the GuzzleClient for requests. I guess if I just disable the SSL verification on cURL it would work. I just don't know how to do it globally. I know how to do it for the request: curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); but that doesn't help me since I don't have the control on how CloudConvert do their API requests.
Does anyone have an idea on how to solve this? I'm running my project using MAMP and macOS Sierra.
Thanks for any help
Just found the solution. As I told before the CloudConvert API can take a Guzzle client in the constructor, so I create the client and set the certificate to it:
$client = new \GuzzleHttp\Client(['verify' => $this->config->application->sslDir . "cacert.pem" ]);
$api = new Api("xxxxxxx", $client);
$api->convert([
'inputformat' => 'html',
'outputformat' => 'docx',
'input' => 'upload',
'file' => fopen('/Users/andre/Projects/x/Quote.html', 'r'),
])
->wait()
->download('/Users/andre/Projects/x/Quote.docx');
On an Ubuntu 14.04.3 this code works fine:
$url_login = "https://test.example.com/login.do";
$cert_file = '/var/www/html/test/cert.pem';
$ssl_key = '/var/www/html/test/cert_private.pem';
$post_fields = 'userAction=1&cancelReason=&cancelType=&account=&memoType=&userText=&userid=99999999&password=xxxxxxxxxxxxxxxx';
$ch = curl_init();
$options = array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_HEADER => 1,
CURLOPT_FOLLOWLOCATION => 1,
CURLOPT_SSL_VERIFYHOST => 0,
CURLOPT_SSL_VERIFYPEER => 0,
CURLOPT_USERAGENT => 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
CURLOPT_VERBOSE => 0,
CURLOPT_URL => $url_login ,
CURLOPT_SSLCERT => $cert_file ,
CURLOPT_SSLCERTTYPE, 'PEM',
CURLOPT_SSLKEY => $ssl_key,
CURLOPT_COOKIESESSION => 1,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $post_fields
);
curl_setopt_array($ch , $options);
$output = curl_exec($ch);
The php on Ubuntu is using curl with openssl.
On a Centos 7 if fails with:
Curl Error : SSL peer was unable to negotiate an acceptable set of security parameters.
curl is here with nss.
The "cert.pem" contains only the client certificate with the cert-chain, and the "cert_private.pem" contains the private key not password protected. (-----BEGIN RSA PRIVATE KEY-----).
How can i get the above PHP code work with both? openssl and nss implementations of curl?
How about correcting:
CURLOPT_SSLCERTTYPE, 'PEM',
to
CURLOPT_SSLCERTTYPE => 'PEM',
?
I've also come across this problem using client certificate authentication with nss, while openssl works fine.
After much testing, this is what I've established with the server we're trying to contact:
curl using TLS v1.2 (default in some cases) with client certificate fails
curl using TLS v1.2 with client cert required by server, but not used by client, connects successfully. However client is not authenticated.
curl using TLS v1.0 with client certificate is successful
The above happens regardless of cipher suite, generally we're using rsa_aes_256_cbc_sha_256.
The quick workaround is to force TLS v1.0:
CURLOPT_SSLVERSION => 4,
Clearly this isn't ideal, and your server may not support it.
Another option is to compile curl with openssl or even GnuTLS (although I haven't tested the latter) instead of nss. Again, this may not be an option.
So far this points to a problem with NSS. I'll update this answer if further debugging generates any useful information.
Just for reference, this is the full error message using curl on the command line:
* NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
* SSL peer was unable to negotiate an acceptable set of security parameters.
* Closing connection 0
curl: (35) SSL peer was unable to negotiate an acceptable set of security parameters.
Update 2015-11-24: Further testing with Wireshark and ssltap shows the initial handshake is succeeding and the connection gets as far as the client sending ChangeCipherSpec, followed by its encrypted "Finished" message.
The server should then decrypt the client's "Finished" message, verify the hash and MAC and respond with its own encrypted "Finished" message. Instead, the server is responding with "handshake_failure" at this point.
This should provide a clue as to where NSS is failing.
Chrome, Openssl and Charles Proxy can all authenticate using the client certificate. Firefox (using NSS) and curl (with NSS) both fail at this point.
Update 2015-11-27: Additional information provided by the server's operations team suggests this may be an issue with a non-compliant server. The problem only arises when using TLS 1.2 under certain circumstances. This would explain why some SSL libraries, such as OpenSSL, are flexible enough to work around it.
NSS may be more strict in its compliance with RFCs. I'll update the answer if/when we hear more from the operations team managing the server.
Update 2017-01-25: The webserver software and load balancers are custom built for a specific bank's payment gateway. We've recently tried again with a new client and the server now appears to work with both Curl built with either NSS or OpenSSL and are no longer seeing the error. In summary: the workaround was to use a different SSL library and wait for the developers to fix the server software.
I'm attempting to interface with the Google PHP API client and I am having issues with the certificate provided by Google:
Google error:
SSL certificate problem, verify that the CA cert is OK.
Retrying with the CA cert bundle from google-api-php-client.
PHP cURL error:
SSL certificate problem: unable to get local issuer certificate
I had no problems whatsoever on a Linux box. These errors are occuring on a Windows box.
I've tried a couple of different solutions:
https://code.google.com/
http://richardwarrender.com/
but to no avail.
PS:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
won't be acceptable ...
Courtesy of rmckay at webaware dot com dot au:
Please everyone, stop setting CURLOPT_SSL_VERIFYPEER to false or 0. If your PHP installation doesn't have an up-to-date CA root certificate bundle, download the one at the curl website and save it on your server:
http://curl.haxx.se/docs/caextract.html
Then set a path to it in your php.ini file, e.g. on Windows:
curl.cainfo=c:\php\cacert.pem
Turning off CURLOPT_SSL_VERIFYPEER allows man in the middle (MITM) attacks, which you don't want!
\Google_Client::$io->setOptions(array(CURLOPT_SSL_VERIFYPEER => FALSE));
#sKophek is correct and I appreciate the help as I was struggling with this. For those that prefer a touch more detail, here it is: (this is true, at least, for the 0.6.x version of the google-api-php-client)
1) \google-api-php-client\src\io\Google_CurlIO.php
2)
private $curlParams = array (
...
CURLOPT_SSL_VERIFYPEER => false,
... );