I'm trying to send an SSL certificate with a SOAP message to a server and have only just managed to make cURL accept the certificate (a .pem file spat out by putting a .pfx file through OpenSSL) and not return "unable to set private key file" (evidently the private key must keep its 'bag attributes'); however, it's now returning exciting new errors:
SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I've tried setting the CA certificate with:
curl_setopt($soap_do, CURLOPT_CAINFO, $caFile);
But this yields no results with the root nor the intermediate ca files I have.
Disabling this check with:
curl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, 0);
brings me to the new problem:
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
This has been a thorn in my side for weeks now, and while new error messages mean change, I'm not sure they mean progress. Any advice or suggestions as to what is missing or what I am doing wrong would be greatly appreciated.
Most likely the CA bundle is wrong. Verify the path and access permissions; maybe try setting an absolute path. If this does not help, get a CA bundle and set it like this: curl_setopt($soap_do, CURLOPT_CAINFO, 'cacert.pem');
sslv3 alert bad certificate means that CA information is missing. Use the --cacert parameter and add the CA cert.
unable to set private key file means that the certificate passed as --cert is not the public key matching the private key.
I am getting the above error unless I set the following:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
which is insecure and defeats the purpose of SSL.
I have downloaded the most recent cacert.pem certificate from https://curl.haxx.se/ca/cacert.pem.
I have set the following in php.ini and restarted apache.
curl.cainfo = /etc/ssl/cacert.pem
Which produced the same error.
So I tried to set at runtime with:
curl_setopt($curl, CURLOPT_CAINFO, "/etc/ssl/cacert.pem");
and still getting the same error.
In the case of SSL certificates signed by a Certification Authority (CA), the client app (e.g. a browser) verifies the SSL certificate with the CA. The CA tells the client whether it is a trusted server or not.
When you are using self-signed certificates and not using this option
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
you will get an error because your client app will try to verify your self-signed SSL certificate with a Certification Authority, and the CA will give an error because it's a self-signed certificate.
This is the reason we have to use this option to skip the SSL certificate validation step.
For some reason I am unable to use cURL with HTTPS. Everything was working fine until I ran an upgrade of the curl libraries. Now I am getting this response when trying to perform cURL requests: Problem with the SSL CA cert (path? access rights?)
Following suggestions posted here on related issues I have tried to do the following:
Disable verification for host and peer
curl_setopt($cHandler, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($cHandler, CURLOPT_SSL_VERIFYPEER, true);
Enable CURLOPT_SSL_VERIFYPEER and point to cacert.pem downloaded from http://curl.haxx.se/docs/caextract.html
curl_setopt($cHandler, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($cHandler, CURLOPT_CAINFO, getcwd() . "/positiveSSL.ca-bundle");
I also tried to do the same thing with positiveSSL.ca-bundle which was provided as bundle CA certificate for the server I am trying to connect to.
Edit php ini settings with curl.cainfo=cacert.pem (file in the same directory and accessible by apache)
Rename /etc/pki/nssdb to /etc/pki/nssdb.old
Unfortunately none of the above is able to solve my problem and I constantly get the Problem with the SSL CA cert (path? access rights?) message.
And I don't need this verification in the first place (I am aware of security issues).
Does anybody have any other suggestions?
UPDATE
After updating to the latest libraries and restarting the whole box (not just Apache, which is what I had been doing), it all seems to be working again!
According to documentation: to verify host or peer certificate you need to specify alternate certificates with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option.
Also look at CURLOPT_SSL_VERIFYHOST:
1 to check the existence of a common name in the SSL peer certificate.
2 to check the existence of a common name and also verify that it matches the hostname provided.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Return data instead of echoing it on screen
curl_setopt($ch, CURLOPT_URL, $strURL);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // Skip SSL Verification
$rsData = curl_exec($ch);
curl_close($ch);
return $rsData;
We had the same problem on a CentOS 7 machine. Disabling VERIFYHOST and VERIFYPEER did not solve the problem: we did not get the cURL error anymore, but the response was still invalid. Doing a wget to the same link as the cURL request also resulted in a certificate error.
-> Our solution also was to reboot the VPS; this solved it and we were able to complete the request again.
For us this seemed to be a memory corruption problem. Rebooting the VPS reloaded the library into memory and now it works. So if the above solution from #clover does not work, try to reboot your machine.
I am trying to connect to a secure link using cURL.
I have set the following two parameters in cURL on the PHP page:
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt ($ch, CURLOPT_CAINFO, "/cacert.pem");
But I am still getting the error below: SSL error.
After adding the PEM file on the NGINX server, I am now getting the following error in NGINX:
SSL3_GET_RECORD:decryption failed or bad record mac
The same PEM file works on the Windows WAMP server, but it is not working on the NGINX server.
Please let me know if there is anything else I am missing.
Basically curl used to include a list of accepted CAs, but it no longer bundles ANY CA certs. So by default it will reject all SSL certificates as unverifiable.
You'll have to get your CA's cert and point curl at it. More details here
I think you are using a self-signed certificate. You should add it to your CA bundle so that curl can trust it.
Alternatively you can use
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
SSL3_GET_RECORD:decryption failed or bad record mac
The above error was fixed by forcing the SSL version to 3.
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
To avoid breaks in the transfer:
curl_setopt ($ch, CURLOPT_TIMEOUT,0);
The above changes worked for me.
I have this error when using CURLOPT_SSL_VERIFYHOST:
Curl error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
What I tried:
1 - turning off VERIFYHOST is not an option; I need this to log in to an https page
2 - downloaded the certificate and I use it like this:
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($c, CURLOPT_CAINFO, getcwd() . '/certificate.pl.crt');
And I still get the same error.
3 - I turned on ssl_module in Apache extensions (I use WAMP)
4 - I turned on php_openssl in PHP extensions
What else should I do? From phpinfo(); I know that I have:
mod_ssl/2.2.22
OpenSSL/0.9.8u
And it still doesn't work. What else should I do :( ?
Had to edit this as I missed some comments before.
If you don't try to import your certificate and switch peer validation off, your transport should still be SSL secured if I'm not mistaken, so if the goal is to get it over SSL, then I wouldn't bother messing with the import of certificates. Of course, if you do want some more peace of mind, it's a different thing.
The error that a lot of people get with Facebook authentication is:
CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
And the only information I can find about it suggests adding the following lines of code to curl:
$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;
I know this works, but what is going on here?
Isn't there any server setting/configuration that can be changed instead of hacking up facebook.php?
What It Does & Meaning:
The following code tells cURL NOT to verify that security certificates are correct. Hence, the error disappears.
$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;
When you connect to a remote server with SSL, its certificate might be invalid, expired, or not signed by a recognized CA. cURL normally checks this.
CURLOPT_SSL_VERIFYHOST:
1: to check the existence of a common name in the SSL peer certificate.
2: to check the existence of a common name and also verify that it matches the hostname provided.
CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).
How to Enable & Verify Correctly:
To verify correctly, we need to verify that the certificate being presented to us is genuinely good. We do this by comparing it against a certificate we reasonably* trust.
If the remote resource is protected by a certificate issued by one of the main CAs like Verisign, GeoTrust et al., you can safely compare against Mozilla's CA certificate bundle, which you can get from http://curl.haxx.se/docs/caextract.html
Save the file cacert.pem somewhere on your server and set the following options in your script.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");
If you are connecting to a resource protected by a self-signed certificate, all you need to do is obtain a copy of the certificate in PEM format and append it to the cacert.pem of the above paragraph.
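As an added example (not code from any of the posts above), covering both the CA-bundle path/permissions advice in the first answer and the "How to Enable & Verify Correctly" steps: a helper that keeps peer and hostname verification on, checks that the bundle is readable before the request (the case cURL reports as "path? access rights?"), optionally appends a self-signed server certificate to a private copy of the bundle, and reports OpenSSL's verify result on failure. The file paths, URL and function names are placeholders.

```php
<?php
// Added example, not from any post above. Paths and names are placeholders.

// Build a trust store: Mozilla's cacert.pem, optionally with one extra
// self-signed server cert (PEM text) appended. The original bundle is never
// modified; the combined file is written to a private copy.
function buildTrustStore(string $bundlePath, ?string $extraCertPem = null): string
{
    if (!is_readable($bundlePath)) {
        // cURL would otherwise fail with "Problem with the SSL CA cert (path? access rights?)"
        throw new RuntimeException("CA bundle not readable: $bundlePath");
    }
    if ($extraCertPem === null) {
        return realpath($bundlePath);   // absolute path, as the first answer suggests
    }
    $copy = sys_get_temp_dir() . '/cacert-with-extra.pem';
    file_put_contents($copy, file_get_contents($bundlePath) . "\n" . trim($extraCertPem) . "\n");
    return $copy;
}

// Perform a GET with certificate checking left ON.
// Returns [body, error]; error is null on success.
function verifiedGet(string $url, string $caFile): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // validate the chain against $caFile
        CURLOPT_SSL_VERIFYHOST => 2,      // and require the name to match the URL host
        CURLOPT_CAINFO         => $caFile,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    $err  = null;
    if ($body === false) {
        // OpenSSL X509 verify code (0 = ok); e.g. 19 = self-signed cert in chain,
        // 20 = unable to get local issuer cert. Tells you which side is wrong.
        $verify = curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT);
        $err = sprintf('curl error %d: %s (ssl verify result %d)',
                       curl_errno($ch), curl_error($ch), $verify);
    }
    curl_close($ch);
    return [$body, $err];
}

// Usage with placeholder paths: public CAs only, or plus one self-signed server cert.
$ca = buildTrustStore('/etc/ssl/cacert.pem');
// $ca = buildTrustStore('/etc/ssl/cacert.pem', file_get_contents('/path/to/server.crt'));
[$body, $err] = verifiedGet('https://example.com/', $ca);
echo $err ?? substr($body, 0, 200), PHP_EOL;
```

A non-zero verify result with a correct bundle usually points at the server side (incomplete chain or self-signed), while a thrown RuntimeException points at the path or permissions on your own box.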
In my case, I could not use curl_setopt, because I could not edit Facebook API classes ( conditions of project I was working in ).
I solved the problem by adding path to cacert.pem downloaded from http://curl.haxx.se/docs/caextract.html to my php.ini
[curl]
curl.cainfo = "c:\wamp\cacert.pem"
I just had the same problem, and disabling peer verification is not acceptable in my case.
I updated the fa_ca_chain_bundle.crt file (from Facebook's GitHub) and it works now.
Regards,
Marek