The ApacheDS generates a certificate (X.509v1) upon authentication. (As far as I understand)
How would I handle this with a PHP ldap_connect?
Do I need to install the ApacheDS certificate somewhere?
Using an app like LDAPAdmin authenticates fine, however there is a certificate prompt.
I have no idea how to handle this in PHP.
I tried to use Apache Directory Studio to see if I could download a certificate somewhere to no avail. (To somehow setup Apache with it: $dir/newcerts -> openssl.cnf)
I also tried connecting to the url directly with the correct port, it downloads a file containing the message: PROTOCOL_ERROR: The server will disconnect
I needed to create the following directory: C:\OpenLDAP\sysconf adding a file named ldap.conf containing the text TLS_REQCERT never
Related
I simply can't find a solution to this. I migrated a Wordpress site with a woocommerce shop and payment gateway "Payunity" to a new EC2 machine with a bitnami wordpress stack.
I generated a Let's Encrypt SSL certificate and the entire site works as expected.
Only problem I have is that for some reason on the woocommerce checkout page I suddenly get this error message:
SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate
verify failed
I googled extensively and tried figuring this out but no chance.
Any idea what I have to set on the server to have this go away? I tried modifying the php.ini with the capath and cafile like some threads pointed out but no luck.
Any ideas?
Update: I now moved to Cloudflare as DNS Manager and have the "Full (strict) setting so that the Cloudflare SSL is the one in use. However still the same error, so I figure this has nothing todo with the original Let's Encrypt or now Cloudflare SSL Certificate.
I believe this error message is caused by CURL. According to the CURL FAQ (https://github.com/curl/curl/blob/master/docs/FAQ) section 4.12 (where exactly this error message is mentioned), "it means that curl couldn't verify that the server's certificate was good. Curl verifies the certificate using the CA cert bundle that comes with the curl installation." (vsince CURL 7.10).
As your CURL version is quite old (released on Oct 7, 2015), I would assume that one of the CA/root certificates it is using is too old. I would recommend updating CURL separately (e.g. using this guide: http://pavelpolyakov.com/2014/11/17/updating-php-curl-on-ubuntu/, depending on your OS).
Furthermore, you can check the openssl.cafile option in php.ini that should point to an absolute path containing a more or less recent CA bundle (e.g. "C:\xampp7.3\apache\bin\curl-ca-bundle.crt" for my XAMPP installation). You can try to extract the bundle from the XAMPP .zip (https://www.apachefriends.org/download.html) and replace the path in your php.ini and then restart the server.
In addition, you can check your php.ini if extension=php_openssl.* (extension e.g. dll for Windows) is uncommented, i.e. activated.
Maybe (and this is why I asked what should be shown normally at this place) a script inside the Payunity plugin is trying to fetch something from an URL with a broken certificate or something similar.
EDIT: As pointed out by Sebastian B., you can check the error.log (in case of Apache) for failed file_get_contents() (or similar) calls because the actual URL of the "file" the site PHP tried to fetch is mentioned there.
EDIT: CURL Perl script to create a fresh ca-bundle.crt file based on Mozilla's chain: https://github.com/curl/curl/blob/master/lib/mk-ca-bundle.pl You can try this (or extract one from a fresh CURL installation) and set this as a path in php.ini. Or you can use this from the Nextcloud project (https://github.com/nextcloud/server/blob/master/resources/config/ca-bundle.crt) or another one (just for testing purposes, of course).
I have a problem with wordpress. When I want to do install of some plugin or update Wordpress to new version then I get error:
Download failed. cURL error 77: Problem with the SSL CA cert
Path? Access rights?
I didn't change anything on my website. I have shared hosting.
I have the same issue with OVH and a let's encrypt certificat. This is commun bug while you have a php version to 5.6. it's seems that is working fine with PHP 7.
Both, curl, file_get_contents and getimagesize running a file from my own server didn't work.
I correct the url and make it as a path on a direct URL.
https://example.com/file.css
Become
/home/example.com/file.css
And it works after.
Of course you will need to adapt your scripts with this to detect internal link that can cause the issue.
I have a LAMP application that uses LDAP binds (to Active Directory) to validate user credentials. This works on the production server running RHEL 6.2. I'm trying to set up my own test environment in a VM using CentOS 6.2 and similar versions of packages.
On my VM, calls to ldap_start_tls fail for the application when run inside Apache. I get:
PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in...
But on the same system, I installed phpsh. If I use phpsh to execute the PHP code file, it works.
The code is a basic sequence of ldap_connect, ldap_set_option (to set LDAPv3), ldap_start_tls, and ldap_bind.
The LDAP server is using an internal Active Directory-generated certificate authority, so it isn't automatically trusted. In /etc/openldap/ldap.conf, I have:
TLS_REQCERT allow
The setting seems to be working. If I change the value to always, ldap_start_tls fails in phpsh too. This is the same setting as in the production environment.
I tried installing what should be the AD root CA certificates by saving a .pem file (with 2 certificates) and adding this line to /etc/openldap/ldap.conf:
TLS_CACERT /etc/openldap/certs/ad_roots.pem
I didn't see any change, but perhaps I needed to do more. And I'm not 100% sure those were the right certificates.
I think using phpsh is a valid test for the PHP setup, but it is running as a different user (root) so the environment is different. SELinux is on (enforcing), but I do not see any messages about access denials for Apache in audit.log.
Why doesn't this work for Apache?
I am trying to query a remote LDAP server in a secure connection in a Windows php local test environment. I think I must have the access granted correctly because I can use an LDAP Browser application and that connects to the remote server fine. Also, if I do ' telnet remoteserverurl.com 636' then a blank screen shows up in command prompt, so I am at least connecting. But in my following .php code I get an error on bind: "PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in line..."
The same code works in a Linux server. I think there is some kind of missing LDAP libraries in my local php environment for secure LDAP connection? Anyway, here is the code:
$ds=ldap_connect("ldaps://serveraddress.com", "636"); // remote server
//$ds=ldap_connect("ldap://localhost", 389); // works
//putenv('LDAPTLS_REQCERT=never');//doesn't help with secure ldap
//ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); //works for local LDAP server (Open LDAP)
$r=ldap_bind($ds, "cn=xxx,ou=proxy,o=xxx", "passwordxxxx");//throws error for remote
Any idea? Thanks!
Know this is older, but I recently ran into a similar issue when using wordpress 3.x & 4.x on windows 2008 & 2012 (IIS 7.x & 8.x, PHP 5.6).
I had written a plugin for ldap authentication for wordpress - as was trying to get LDAPS (ldap secure over port 636 working).
Couple things:
When using PHP LDAPS, the documentation states you simply prefix the LDAP server with ldaps://. So server1.domain.com for LDAPS should be ldaps://server1.domain.com/ ...note you don't need to pass the port at all for the connection method (per http://php.net/manual/en/function.ldap-connect.php). This is very similar to what the original question has in its submission.
The windows PHP libraries are hard-coded to look for an open ldap config file (ldap.conf) in C:\openldap\sysconf\ldap.conf.
Create the text file mentioned in #2 above - this is where you point to your certificate store. Once you create this file, you can put in TLS_REQCERT never … but this means no certs are verified and all are trusted automatically (essentially) - should only be for testing...never for production, as you defeat part of TLS/SSL security measures (i.e. certifying you are indeed talking to the host you believe you are connected to).
Instead of the insecure TLS_REQCERT never option that seems to be a popular (and perhaps misguided) suggestion on the interwebs...grab the common public cert authority list used by curl and similar - http://curl.haxx.se/ca/cacert.pem. This essentially is what firefox comes with for public certificate authority trusts (i.e. it's why you can install firefox and go to https://amazon.com without a cert warning, etc.).
Drop the cacert.pem file you downloaded (it's just a text file with a bunch of certificate hashes and descriptions) with your PHP install. For instance, say i dumped it with my php install in c:\php5\cacert.pem. Your location may differ, but put it somewhere it can be accessed and will be grouped with php stuff since it is related. Here's a couple shots of the contents of the cacert.pem file to give you an idea of what's inside.
Edit the C:\openldap\sysconf\ldap.conf and add a line for the command TLS_CACERT like pictured.
This should allow you to now trust public, valid certificates just like modern web browsers do, etc. Note that it won't fix internally-issued or self-signed certificate trust issues. But you can easily do that as well by adding your own cert hashs to the cacert.pem file.
To add another certificate as a trusted has in the cacert.pem file, simply get a copy of the certificate in question (you just need to export it to .cer in base64 format - don't need the private key and extension really doesn't matter - just needs to be a hash output). If you've exported it in the right format, you can open the certificate file and see the hash - it will be similar (but not identical) to the screenshot here of the Thawte Server CA example. Simply append the hash you exported to the cacert.pem file and it will be trusted. If you are looking to be clever, you can instead import the issuing certificate for your private-issued certificate - this would then trust any cert signed by the imported cert. If in doubt, you can always just import the presented certificate.
After making such changes, I found it best to restart the web server (iis manager -> web server node -> restart option) so everything using php was reset.
For extra credit, you can use the same cacert.pem file for the curl implementation by editing your php.ini file and putting the full path to the cacert.pem file in the line curl.cainfo =.
Again, I know this is an older post, but I wanted to share what I had learned while hooking up wordpress to eDirectory via LDAPS.
Check your PHP libaries
<?php phpinfo() ?>
Since you can connect using a LDAP client i expect your LDAP runs SSL
Did you copy your SSL Cert?
Copy the server certificates to sys:/php5/cert directory. This location is configurable in php.ini file.
Use "ldaps://" prefix for host name argument or a value of 636 for port number argument in ldap_connect call.
I got this working! #s.lenders' 'answer' (thanks for that) pointed out toward some Certificate issue and indeed it was a Certificate issue. The remove LDAP Server had its Certificate in expired state--I got a warning about that even when I connected using the desktop application (SoftTerra LDAP Browser). So imported the Certificate to my Windows Certificates--SoftTerra LDAP Browser application allowed me that option. And, voila!. SSL LDAP calls are working.
** Update: Not sure if the above Certificate thingy helped or not but here is something more concrete which helped me: It looks like the php LDAP libraries look for a certain conf files; hard-coded to: C\OpenLDAP\sysconf\ldap.conf ?! So I basically created new folders per this info and put an ldap.conf file with nothing but 'TLS_REQCERT never' and that helps! I have tested it..if I were to remove this file then my Secure LDAP queries don't work and fail in the 'bind' step. Note, I am comfortable with the 'never' in my conf because this will be only on my own workstation.
Also note I am on a Windows 7 running IIS 7+ **
Hope this helps someone.
I am running PHP (on Apache/Windows) and I am trying to connect to a LDAP server to authenticate users. PHP's LDAP plugin is just OpenLDAP.
While I've been successful in connecting to the LDAP server without SSL, I can't do it WITH SSL. I know I got everything right, except OpenLDAP won't connect to the server without the CA certificate. The connection fails and it gives me this error:
"error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
Now, I know I can suppress this behavior by setting TLS_REQCERT to "never" in the ldap.conf file. But the plugin on windows is just a dll file; and I have no idea on where to put the .conf file. Does anyone know?
Thanks in advance.
Apparently you need to place the ldap.conf file in the following directory:
C:\openldap\sysconf\
Since it's hardcoded into the DLL file. PHP.net Manual: LDAP Functions - Comment #47427