First of all, it is not a problem about certification or dev/distribution.
I used distribution certification, and server url -> gateway.push.apple.com:2195
I tested in my local server(apache2), and it work!
However, in my real server(IIS/Window server) I used same php code, same certification file(.pem), and same iphone application... etc, it printed "Connected to APNS Message successfully delivered", but my phone didn't receive message.
One suspect is, I tested my certification file(.pem) by cmd command line 'openssl s_client -connect gateway.push.apple.com:2195 -cert xxxx.pem', It returned "Verify return code: 20 (unabled to get local issuer certificate). So I found solution that downloaded entrust certification(.cer) and did "openssl s_client -connect gateway.push.apple.com:2195 -cert xxxx.pem -CAfile entrust_2048_ca.cer", and it returned 'Verify return code :0'. So I added my php code 'stream_context_set_option($ctx, 'ssl', 'CAfile', 'entrust_2048_ca.cer');', but it didn't work same problem.
Related
I have a bunch of PHP scripts that use curl to communicate with various services. Currently, one of those services' SSL certificate got updated and my curl started crying about it when I try to get it from my server's CLI:
~$ curl https://example.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
Currently, I hardcoded verify => false to all of my requests in order to keep my scripts operating but that's not something I would like to have laying around.
I got the latest cacert file from mozilla, put it in /etc/ssl/certs/ca-certificates.crt and then ran sudo update-ca-certificates which ran successfully (I suppose..)
~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
But then again curl is not too happy about it, still can't get my resource without passing the -k flag.
You can use the openssl s_client command to further debug the issue, in order to find out what exactly seems to be the problem with the certificate.
openssl s_client -showcerts -servername myservice.com -connect myservice.com:443
I'm new about SSL subject.
I'm trying to send emails though my website (built with Laravel 4.2) and it gives me this error:
stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
If I run this command in the server with root user:
openssl s_client -connect mail.mywebsite.com -starttls smtp
It shows me the correct certificate and gives me this answer at the end:
Verify return code: 0 (ok)
But if I run this command with another user:
su myuser
openssl s_client -connect mail.mywebsite.com -starttls smtp
It shows a different certificate and it gives me this answer at the end:
Verify return code: 18 (self signed certificate)
If I run top -c I see my php processes run with myuser and php-cgi, and since myuser has the wrong certificate, emails are not send.
Can anybody help me?
While I was checking Steffen Ullrich response about openssl path, I found out that I needed to install through WHM the SSL certificate for my non-privileged user, and that was it.
Thanks.
I'm new to creating telegram bots and I really don't know where to start.
Only thing I know about is PHP.
Making it simple I have a VPS with Windows Server 2008 R2 installed on it and I've made a self-signed certificate using
openssl req -newkey rsa:2048 -sha256 -nodes -keyout server.key -x509 -days 365 -out server.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=YOURDOMAIN.EXAMPLE"
Then I converted PEM to CER using
openssl x509 -inform PEM -in server.pem -outform DER -out server.cer
I'v had WAMP server installed and set it to work with server.cer & server.key as certificate and key then I'v tested the HTTPS(443) and it worked.
Then I installed a REST client on the chrome and sent URL of the bot.php and PEM file as multipart form data as the official documentation said.
Now I get this error:
{
ok: false,
error_code: 400,
description: "Error: Bad webhook: Posix Error: Success: getaddrinfo: Name or service not known"
}
and ... I'm here now ! :| asking you for help
What is the problem and how should I solve this
Thanks in advance :)
NOTE: I don't have a domain I'm using my VPS's IP
Telegram requires valid ssl certificate for your domain.
I will tell how I solved this.
You can use NGROK that can expose local ip to the internet with temporary domain and https enabled.
Link to install - https://ngrok.com/
After you install it, just run in your console:
ngrok http 127.0.0.1:8003
(ofc use ip and port of from your WAMP configuration)
and you will get a free temporary domain (it will look like https://f9eb2f08.ngrok.io) with https enabled.
Then set url with your new domain as a telegram webhook_url and bot's requests will go to your local server as long as NGROK is running.
I've been working through Ray Wenderlich's tutorials on push notifications using a PHP Script.
Reference: http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
http://www.raywenderlich.com/32963/apple-push-notification-services-in-ios-6-tutorial-part-2
I have done a ton of research but I have ran into an issue on part 2 where you run the push.php file using the ck.pem file.
/Applications/XAMPP/bin/php push.php development
My only difference is that I'm using XAMPP and not MAMP.
I have confirmed that all the extensions are installed.
I am able to test out my certificate in the terminal by doing this:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushChatCert.pem -key PushChatKey.pem
It asks me to enter my passphrase and I do. Everything works successfully in the terminal.
However, when I run the push.php file, I get these errors:
PHP Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
PHP Warning: stream_socket_client(): Failed to enable crypto in
PHP Warning: stream_socket_client(): unable to connect to ssl://gateway.sandbox.push.apple.com:2195 (Unknown error) in on line 140
Line 140 in the php file is:
$this->fp = stream_socket_client('ssl://' . $this->server, $err, $errstr, 60, STREAM_CLIENT_CONNECT|STREAM_CLIENT_PERSISTENT, $ctx);
I found these:
iOS push notification does not work when using crontab scheduler
https://devforums.apple.com/message/1054840#1054840
Push notification in PHP
I have literally retried everything. I know my passphrase is correct. I've re-created my certificates, pem files, and keys. Nothing works. Same error every time I do this.
I'm beyond confused.
Does anyone have any suggestions or know what's going on?
Thank you!
UPDATE 1:
I have also tried setting the full path to the ck.pem file that does not fix the error either.
Okay, I finally figured this out! After 2 days of working with this.
So, for anyone else who runs into this issue:
Download the entrust_2048_ca.cer certificate from:
https://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/
Scroll down and get the Entrust.net Certificate Authority (2048)
Then, in the push.php file, after you set the context for the passphrase, add this line:
stream_context_set_option($ctx, 'ssl', 'cafile', 'entrust_2048_ca.cer');
Updated to macOS Sierra 10.12.4
The problem is in new PHP Version in macOS Sierra.
They changed the way it works with certificates.
I would suggest a small changes in the accepted answer to make things explicit.
You have to setup path to entrust_2048_ca.cer and other parameters during creation of the stream context like
$streamContext = stream_context_create([
'ssl' => [
'verify_peer' => true,
'verify_peer_name' => true,
'cafile' => '/path/to/bundle/entrust_2048_ca.cer',
]
]);
The full explanation and links are here
Update to macOS sierra 10.12.5
please add
stream_context_set_option($ctx, 'ssl', 'verify_peer', false);
The problem is in new PHP Version in macOS Sierra
add
stream_context_set_option($ctx, 'ssl', 'verify_peer', false);
which defeats the server validation.
Credits #One In a Million Apps in a comment above.
I'm having some problems connecting to a SOAP Service at https://test.salesforce.com. I use the Toolkit-for-PHP v20.0 (https://github.com/developerforce/Force.com-Toolkit-for-PHP) which is based on PHP's native SoapClient.
Software:
MacOS 10.8
Macports 2.1.2
PHP 5.3.15
OpenSSL 1.0.1_c
The only error message I receive after 30 seconds (timeout?) is:
[SoapFault]
Could not connect to host
Strangely, connecting to http://test.salesforce.com (without SSL) or connecting to https://login.salesforce.com (with SSL) works as expected.
I even managed to log into https://test.salesforce.com using soapUI.
So my guess is there has to be some certification/handshake problem but i can't figure out how to get a more detailed error message or how to change anything about the toolkit setup.
I searched google, stackoverflow and the SalesForce discussion boards but nobody seems to have this specific sandbox+SSL problem.
Does anyone have a clue how to debug this problem?
OK, i think it's an issue with macports' openssl binary. Apparently the handshake fails because my client is attempting a SSLv2/SSLv3 handshake which the server does not understand.
openssl s_client -connect test.salesforce.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
[...end...]
Same command with forced SSLv3:
openssl s_client -ssl3 -connect test.salesforce.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 O = VeriSign Trust Network, OU = "VeriSign, Inc.", OU = VeriSign International Server CA - Class 3, OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
[...and so forth...]
Not really sure what to make out of this... the SalesForce toolkit-for-php uses PHP's native SoapClient and I don't know how to force it to use SSLv3.
This is a known bug of the latest versions of macports' port of openssl 1.0.1:
http://trac.macports.org/ticket/33715
Possible solution: install an older openssl version, in this case openssl 1.0.0h:
cd /opt/local/src
sudo svn checkout -r 90715 http://svn.macports.org/repository/macports/trunk/dports/devel/openssl
cd openssl
sudo port install
Taken from:
https://trac.macports.org/wiki/howto/InstallingOlderPort
http://trac.macports.org/ticket/33715#comment:30