I sucessfully run the APNS code in my macbook air, but it turns out that I can not run it in my other computer:
I checked that these are the same:
1. .pem file ( to be specific )
2. Program
The computers can not work are:
Windows 7,XAMPP,OpenSSL supported,No firewall
And
EC2 Linux server with 2195 and 2196 opened
What might be other issues causing that I got this error in my php code?
Unable to connect to 'ssl://gateway.sandbox.push.apple.com:2195'
I know there might be cause by not opening SSL, but I checked the phpInfo(), it should be correct.
openssl
OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1c 10 May 2012
OpenSSL Header Version OpenSSL 0.9.8x
I tried telnet in EC2 server, it gives:
telnet gateway.push.apple.com 2195
Trying 17.149.36.239...
Connected to gateway.push-apple.com.akadns.net.
Escape character is '^]'.
In case of MAC,
(built-in server was working fine using terminal but not through browser, for me, so i installed MAMP.)
1.Go to---> /Library/WebServer/Documents/----copy both php and ckdev.pem file here.
2 go to terminal-->$open /private/etc-->go to--->apache2>originals>httpd.config file-->
**"#LoadModule php5_module libexec/apache2/libphp5.so", remove "#"..(perhaps, you would have to change the permission also..!)
then goto browser and check--> localhost/yourPhpFile.php
In Case of Windows system,
1.Install WAMP,
2.goto php.ini file--->search for this ";extension=php_openssl.dll" line and remove semicolon ";".
3.click WAMP icon from right-bottom goto PHP>PHP Extensions>select php_openssl..
That's it..hope this may help further seekers.
if you are getting an error like this "Unable to find the socket transport “ssl” – did you forget to enable it
when you configured PHP?" then follow the next step
if php has not got ssl enabled then goto php.ini and change this to ";extension=php_openssl.dll"
"extension=php_openssl.dll" (remove the semicolon) and save it and run the program.
Thanks for help, so far I solved the solution.
The problem is that I used the same pem file for both my cert and the root cert.
There is a root cert that is different from my own cert, during connection, both cert is used so I have to get the root cert of apple push notification.
Thanks!
Related
I know this has been asked on SO before but I think my situation is a little bit different:
When I'm trying to use curl inside PHP I receive the following error when trying to interact with apples push notification service (https://api.push.apple.com/3/device/)
Curl failed: NSS: client certificate not found (nickname not specified)
This is due to the fact that on centos, php is build with curl that uses NSS instead OpenSSL.
What I tried so far:
Recompiling curl (worked! Binary is able to perform the call, but php is not)
Recompiling php (didnt work, as it requires curl-devel to be installed, which might link to NSS again)
So my next approach is to fix this NSS problem, but it turns out NSS is a very bad piece of software as just a simple rename of an imported lets-ecnrypt certificate doesnt work.. ..
Could someone please explain me how I could fix this? I already tried importing a lets encrypt certificate into the NSS database stored in /etc/pki/nssdb, that worked - but unfortunately the certificate is not recognized in PHP, even if I provide its nickname in CURLOPT_SSLCERT => 'nickname'.
Maybe this is because it has special characters inside its nickname which i cannot change as NSS fails to rename (lol).
When I directly try to provide certificates in php using
CURLOPT_SSLCERT => $certFile,
CURLOPT_SSLKEY => $keyFile,
CURLOPT_CAINFO => $caCertFile
I get:
Curl failed: Peer's Certificate issuer is not recognized.
I also turned of peer verification by
CURLOPT_SSL_VERIFYPEER => FALSE
ending in
Curl failed: security library failure
Is there anybody out there who could teach me how to fix it or how to build php on centos with builting curl using openssl?
BR,
Finally I got this working, here is what I did:
Recompiled curl with openssl and put the libcurl.so.4 in a new folder /home/mylibs/
Copied all libs from /usr/lib to /home/mylibs/ while not replacing my libcurl.so.4
Located the system's php-cgi binary, renamed it to php-cgi-real
Created a blank file php-cgi
#! /bin/bash
export LD_PRELOAD=/home/mylibs/libcurl.so.4
exec php-cgi-real "$#"
Restarted the service
Done!
I'm working on websocket. I came across this article, and simply downloaded their file and try running it in my localhost.
https://www.sanwebe.com/2013/05/chat-using-websocket-php-socket
What I understand is, they want to sue local server's websocket server.
But I have problem in starting up the server. I'm using windows 10 with wamp 2.2. As I checked webscket is enabled in my php.ini's extention.
I followed this example to cmd the right path to start it but to no avail:
https://www.sanwebe.com/2013/05/chat-using-websocket-php-socket/comment-page-1#comment-5593
It says 'php.exe' is not recognized as an internal or external ...
I then searched online again, thus set the path to my php folder in the system's environment variable. The path is: C:\wamp\bin\php. Then I closed the cmd and relaunched. Nothing worked out. The same error shows up.
This is what I did on cmd:
1) cd C:\wamp\bin\php
2) php.exe -q C:\projects\myfolder\server.php
Please help me to connect to wamp server's websocket to run the example I've downloaded.In the console, the error shown is:
WebSocket connection to 'ws://localhost:9000/demo/server.php' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED
I found the answer from this site: http://rodrixar.blogspot.my/2011/07/how-to-run-php-sockets-in-wamp.html
I did the following,
1) open cmd
2) cd C:\wamp\bin\php\php5.6.19
3)php.exe -q C:\projects\mysite\server.php
4) Firewall open up and allow access for CLI
5) now connection made already..
I am trying to connect to MS Active Directory using PHP 7 on a Windows 2012 server (running apache 2.4 but that should be irrelevant to the problem I am having).
I should also note that I am able to connect to AD from PHP using non-secure LDAP from the command line and the apache server.
When I execute the following PHP test file, source: http://muzso.hu/2012/04/02/php-ldap-ssl-ldaps-authentication-in-windows-running-apache, from a command line on the web server:
$AD_search_bind_DN = 'CN=someuser,OU=Users,DC=example,DC=com';
$AD_search_bind_PW = 'secret123';
ini_set('display_errors', 1);
error_reporting(E_ALL);
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$conn = ldap_connect('ldaps://SomeDC.example.com/') or die("Failed to connect to ldap server.");
ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($conn, $AD_search_bind_DN, $AD_search_bind_PW) or die("Failed to bind to ldap server: " + ldap_error($conn));
echo "Successful LDAP bind.";
I get the following output (I highlighted the error):
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying %SYSCONFDIR%\ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldaps://SomeDC.example.com/)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP SomeDC.example.com:636
ldap_new_socket: 244
ldap_prepare_socket: 244
ldap_connect_to_host: Trying {IP Address of SomeDC Removed}:636
ldap_pvt_connect: fd: 244 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /DC=com/DC=example/C
N=Self_Named-SHA256-SubCA, issuer: /CN=ITSS-Ent-SHA256-Root
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
PHP Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server in C:\test_bind.php on line 10
I have both the php_ldap and php_openssl extensions UN-commented in my php.ini file.
I have copies of the AD CA cert in DER and PEM formats but I am not sure where to place these files on my web server. There are lots of posts related to linux OS's that simply say to place "TLS_CACERT C:\openldap\sysconf\cacert.pem" in my ldap.conf file. I am not running openLDAP and I do not have a ldap.conf file.
I have openSSL installed but I am not entirely sure that the configuration is correct:
The openssl.cfg file is unchanged: http://pastebin.com/KxnWThXh
I added an environment variable 'OpenSSL' that points to the openssl.cfg file
When I execute 'openssl version -a' from a cmd line, it shows: OPENSSLDIR: /usr/local/ssl which clearly makes no sense for windows.
Complete output can be seen here: http://pastebin.com/h3ei3Pwp
== EDIT 1: ========================================
Gabriel, thanks for the suggestions / Reference.
I have now also tried these things without success:
Created a ldap.conf and an openldap.conf file (Using many diferent formats based on various article suggestions, see the variations I've tried here: http://pastebin.com/aP94Nh4Y) in C:\ and C:\openldap\sysconf
This article (https://www.reddit.com/r/PHPhelp/comments/3tykpc/php_7_and_ldap/) says to create an environment variable called 'LDAPCONF' that points to the ldap.conf file (C:\openldap\sysconf\ldap.conf). I did. No change.
I noticed this in the output from executing my test php script (line 2 of the output): ldap_init: trying %SYSCONFDIR%\ldap.conf. The SYSCONFDIR environment variable didn't yet exist so I added that one with a value of 'C:\openldap\sysconf\'. -- no change.
Introduced an obvious syntax error into all locations of my ldap.conf/openldap.conf files to see if I could change the test script output to know that it was at least looking at one of those files -- nothing changed.
== EDIT 2: ========================================
Gabriel, thanks for the process monitor tip. I can now at least confirm that PHP 7 is using the 'LDAPCONF' environment value path to locate and read the ldap.conf file that this ENV variable is pointing to.
It also appears that PHP 7 is not handling the 'SYSCONFDIR' environment variable correctly because it first tries to open a file in this literal path: E:\httpd\www\%SYSCONFDIR%\ldap.conf
It's still not working but now I can focus my effort in tweaking just the one file I know it is reading.
If anyone has any other tips for configuration or could share their ldap.conf file from a working windows installation I would appreciate it.
I am now still stuck and don't know what else to do. Please help!
The answer here should help: https://stackoverflow.com/a/6047293/1202807
Under XAMPP on Windows the ldap.conf must be either in the root of the
system (c:\ldap.conf, PHP 5.3.3 if I remember correctly) or in
C:\openldap\sysconf\ depending on the PHP version. It seems the path
is not configurable because hardcoded in the Windows PHP DLLs. See the
comments at http://se2.php.net/manual/en/ref.ldap.php
So create the ldap.conf file in c:\ or C:\openldap\sysconf\ if it doesn't exist already, and put your TLS_CACERT line in it.
I have similar problem, I have spent some time to resolve it. This behaviour was OpenLDAP bug in PHP. I have reported it and it was fixed and will be released soon. See: PHP BUG #73243 (https://bugs.php.net/bug.php?id=73243)
If you need immediate fix, which is a little bit hacking, try this (on your own risk):
use some binary editor (e.g. HexEdit) to edit php_ldap.dll
find the expression "%SYSCONFDIR%\ldap.conf" and
replace it with "c:\ldap_conf\ldap.conf", the new constant has to have the same length as the replaced constant
copy the ldap configuration to new location
Hope, it helps :-)
I have problem with arc install-certificate instruction
Configuration : Linux Mint 16 (Petra)
What I did by now :
I have put my public key to phabricator web (I can now do all git instructions with no problem)
I have downloaded my custom.pem certificate and put it into libphutil/resources/ssl directory.
I have followed instructions in README file (it is in the same dir) and modified this line in php.ini file :
curl.cainfo = /home/ilongin/job/tools/arcanist/libphutil/resources/ssl/custom.pem
But still when I run arc install-certificate inside my project dir I get :
Trying to connect to server...
Usage Exception: Failed to connect to server: [cURL/60] (OUR-PHAB-SERVER-URL) There was an error verifying the SSL Certificate Authority while negotiating the SSL connection. This usually indicates that you are using a self-signed certificate but have not added your CA to the CA bundle. See instructions in "libphutil/resources/ssl/README".
Does anyone knows what is wrong?
I'm getting:
Warning: ldap_start_tls()
[function.ldap-start-tls]: Unable to
start TLS: Connect error in
/var/www/X.php on line Y
/etc/ldap/ldap.conf:
TLS_CACERT /etc/ssl/certs/ca.crt
ca.crt is the CA which signed the LDAP server certificate. The certificate on the LDAP server is expired and I can't change it.
You can ignore the validity in windows by issuing
putenv('LDAPTLS_REQCERT=never');
in your php code. In *nix you need to edit your /etc/ldap.conf to contain
TLS_REQCERT never
Another thing to be aware of is that it requires version 3 (version 2 is php default):
//$hostnameSSL example would be "ldaps://just.example.com:636" , just make sure it has ldaps://
$con = ldap_connect($hostnameSSL);
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
To get a better idea of what's going on, you can enable debug logging by:
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
This can be done before the ldap_connect takes place.
The specific scenario presented in the question--with an expired certificate that can't be changed--does appear to require disabling certificate validation on the LDAP client.
However, I suspect a lot of people, like me, reach this page for other root causes of receiving opaque LDAP TLS errors, where disabling validation of TLS certificates is not an appropriate answer.
In my case--using the LDAP Authentication extension for Mediawiki on an Ubuntu 18.04 LTS server, and authenticating against Active Directory on a Windows Server 2012 server--authentication stopped working in January/February 2020. The server certificate and the CA certificate were still both valid, and openssl s_client -verify 2 -connect <AD server>:636 from the Mediawiki server passed just fine.
Eventually I noticed that the signature algorithm in the SSL certificate served by AD/LDAP was SHA1, which I remembered recently suffered from the first known chosen-prefix collision exploit. This led me to investigate the changelog for packages that had recently been updated on the system, which turned up "Mark SHA1 as insecure for certificate signing" in the gnutls28 changelog circa January 8th, 2020. (The chain of dependencies from the php-ldap package in Ubuntu 18.04 goes to php7.2-ldap -> libldap-2.4-2 -> libgnutls30, whose source package is gnutls28.)
I followed some instructions to update the Windows CA to use SHA256 and then selectively followed instructions to renew the AD/LDAP cert, installed the new CA cert on my Mediawiki server, and the problem was solved! Briefly, these steps included:
In an Admin PowerShell on the AD server, run certutil -setreg ca\csp\CNGHashAlgorithm SHA256
In the Certification Authority MMC, right click on the CA -> All Tasks -> Renew CA Certificate
In a blank MMC, add snap-in for Certificates; select Local Computer
Under Personal -> Certificates, find the current entry used by LDAPS (Kerberos Authentication template type) -> All Tasks -> Advanced Options -> Renew This Certificate with the Same Key
In the same window, open the new CA certificate -> Details -> Copy to file -> no private key -> base64-encoded X.509
Copy the resulting file to /usr/share/ca-certificates/ on the Mediawiki server, then run sudo dpkg-reconfigure ca-certificates and select the new CA cert for inclusion.
P.S. For SEO purposes, depending on the mode I was using, error messages included:
ldap_start_tls(): Unable to start TLS: Connect error in /var/www/mediawiki/extensions/LdapAuthentication/LdapAuthenticationPlugin.php in the HTTP error log
ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in [...]
Failed to start TLS. in the Mediawiki debug log (when using wgLDAPEncryptionType = ssl, i.e. encrypted LDAP port, 636)
Failed to bind as CN=foobar,CN=Users,DC=myOrgName,DC=local in the Mediwiki debug log (when using wgLDAPEncryptionType = tls, i.e. STARTTLS on the unencrypted LDAP port, 389)
My solution/workaround is to use
/etc/ldap/ldap.conf:
#TLS_CACERT /etc/ssl/certs/ca.crt
TLS_REQCERT never
If you have any better idea, please post another answer.
The path for ldap.conf in Windows is fixed:
c:\openldap\sysconf\ldap.conf
A restart of the web server may be required to apply changes.
In debian based systems:
Install the package: ldap-utils and in the file
/etc/ldap/ldap.conf, edit the line:
TLS_CACERT /etc/ldap/cacerts/cacert.asc
Create the directory /etc/ldap/cacerts and copy the cacert to
/etc/ldap/cacerts/cacert.asc
Restart apache.
In redhat based systems:
Install the package: openldap-clients and in the file
/etc/openldap/ldap.conf edit the line:
TLS_CACERT /etc/openldap/cacerts/cacert.asc
Create the directory /etc/openldap/cacerts and copy the cacert to
/etc/openldap/cacerts/cacert.asc
Restart httpd
I was able to get this working properly with openldap on Amazon Linux (Elastic Beanstalk PHP 7.0) with MacOS Server 5 LDAP, with TLS set to demand.
in /etc/openldap/ldap.conf:
TLS_REQCERT demand
TLS_CACERT /etc/openldap/certs/yourcacert.pem
(note that if you are not using openldap, the path will be /etc/ldap/certs/yourcacert.pem). This setup did not work until I placed the certificate inside the certs folder; it did not work from any other path.
The certificate to be placed in that path is NOT the TLS certificate of the server. It is the CA (Certificate Authority) certificate of the authority whom issued the server/domain specific TLS certificate. Only the CA certificate placed in that path will allow TLS to work before attempting an LDAP bind in php. Get the CA certificate from your server or download it from the authority's site, they are freely available.
To test if LDAP bind is even working without TLS, set TLS_REQCERT never temporarily (may need to comment # out TLS_CACERT). If you get "Can't connect to LDAP" it is not a TLS error; it simply cannot connect to the server and you likely need to open port 389 (not 636 for TLS).
Remember to restart your Apache server every time you make a change to the config file or certificate.
Some additional help for others, the certificate solution here solved my ldapsearch command line issue, but still PHP complained **Can't contact LDAP server**
Turned out to be SELinux on RHEL7 ( CentOS7 ) blocks HTTPD from using LDAP ports 389 and 636 by default, you can unblock with:
setsebool -P httpd_can_network_connect 1
Check your SELinux audit log file for things being blocked.