I simply can't find a solution to this. I migrated a Wordpress site with a woocommerce shop and payment gateway "Payunity" to a new EC2 machine with a bitnami wordpress stack.
I generated a Let's Encrypt SSL certificate and the entire site works as expected.
Only problem I have is that for some reason on the woocommerce checkout page I suddenly get this error message:
SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate
verify failed
I googled extensively and tried figuring this out but no chance.
Any idea what I have to set on the server to have this go away? I tried modifying the php.ini with the capath and cafile like some threads pointed out but no luck.
Any ideas?
Update: I now moved to Cloudflare as DNS Manager and have the "Full (strict) setting so that the Cloudflare SSL is the one in use. However still the same error, so I figure this has nothing todo with the original Let's Encrypt or now Cloudflare SSL Certificate.
I believe this error message is caused by CURL. According to the CURL FAQ (https://github.com/curl/curl/blob/master/docs/FAQ) section 4.12 (where exactly this error message is mentioned), "it means that curl couldn't verify that the server's certificate was good. Curl verifies the certificate using the CA cert bundle that comes with the curl installation." (vsince CURL 7.10).
As your CURL version is quite old (released on Oct 7, 2015), I would assume that one of the CA/root certificates it is using is too old. I would recommend updating CURL separately (e.g. using this guide: http://pavelpolyakov.com/2014/11/17/updating-php-curl-on-ubuntu/, depending on your OS).
Furthermore, you can check the openssl.cafile option in php.ini that should point to an absolute path containing a more or less recent CA bundle (e.g. "C:\xampp7.3\apache\bin\curl-ca-bundle.crt" for my XAMPP installation). You can try to extract the bundle from the XAMPP .zip (https://www.apachefriends.org/download.html) and replace the path in your php.ini and then restart the server.
In addition, you can check your php.ini if extension=php_openssl.* (extension e.g. dll for Windows) is uncommented, i.e. activated.
Maybe (and this is why I asked what should be shown normally at this place) a script inside the Payunity plugin is trying to fetch something from an URL with a broken certificate or something similar.
EDIT: As pointed out by Sebastian B., you can check the error.log (in case of Apache) for failed file_get_contents() (or similar) calls because the actual URL of the "file" the site PHP tried to fetch is mentioned there.
EDIT: CURL Perl script to create a fresh ca-bundle.crt file based on Mozilla's chain: https://github.com/curl/curl/blob/master/lib/mk-ca-bundle.pl You can try this (or extract one from a fresh CURL installation) and set this as a path in php.ini. Or you can use this from the Nextcloud project (https://github.com/nextcloud/server/blob/master/resources/config/ca-bundle.crt) or another one (just for testing purposes, of course).
EDIT
I’m on the move at the moment, and only have SO on the Stack Exchange app on my iPhone, so there’s some weird formatting with the quotes in the code below - Apologies! I have real ones in the real code :)
I’ve been trying to figure this out for two days with some other questions on SO, but here goes...
Just trying to use file_get_contents() to capture the webpage of another file located on the same server and same domain, and include that. I’m using MAMP with a self signed cert for production (so that I can have the server force SSL etc) so there’s that, and I also have that certificate as “Always Trusted” locally on my Mac as it’s self-signed obviously.
So now I have the issue where I want one page to capture the contents of another.. I initially tried using cURL and it was failing without giving me any exceptions, and no information using curl_error() so I switched over to file_get_contents() where I get the exception SSL operation failed with code 1... ssl3_get_server_certificate:certificate verify failed
I assume this is in issue with OpenSSL not trusting the self-signed (but I thought it used the trusted CA’s of the underlying OS?) and I can’t get it to work using the following stream context:
stream_context_create([
"ssl" => [
"allow_self_signed" => true
]
]);
And if I set verify_peer and verify_peer_name to false, the request is made but HTTPS cookies aren’t sent which breaks the whole thing.
I’ve tried adding the actual text of the cert to the cacert.pem file under the OpenSSL directory in MAMP, and set that file in the openssl.cafile option in the php.ini file as stated in another answer, but alas no luck...
Any ideas? Your help would be much appreciated! Thank you! ☺️💛
EDIT 2
So I tried it again using cURL, and this time got cURL to give me some verbose output to a file, and this is what it gives me (note the line third from the bottom):
* Trying ::1...
* TCP_NODELAY set
* Connected to admin.voyagerisc (::1) port 8890 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /Applications/MAMP/Library/OpenSSL/certs/cacert.pem CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Curl_http_done: called premature == 1
* Closing connection 0
...and this is the file where I have added the raw certificate to the top.. ugh, STUCK!
TLDR; You need to become your own (mini) CA so you have a Root Cert that can be trusted
So after a few painstaking days, I have finally figured this out and I hope below will help those few MAMP / PHP users who will undoubtedly run into this issue!!
Basically, file_get_contents() and cURL operate above OpenSSL, and (as I have now learnt, I was an SSL noob!) OpenSSL, like every device basically has big list of all the main Certificate Authority's root certificates. So if any certificate has been signed by one of those root certificates in can be trusted in the eyes of OpenSSL.
Now you can go into that file that OpenSSL uses that has all the big root certs, and I thought it would be as easy as placing the raw self-signed certificate of the development site at the top of the list and everything would fall into place. However, for some reason OpenSSL wouldn't trust it if it's not a ROOT CERTIFICATE.
So long story short, here's the steps:
Follow this guide to becoming your own CA in literally under 5 minutes. (As a side note, this now means that you can trust just the newly created root certificate, and for every development site you want with SSL, self-sign with that root certificate and you won't need to re-trust etc)
Once you've trusted the root certificate as per the article, and pointed MAMP to the key and certificate for the specific site, in your IDE open up the .pem file for the ROOT CERTIFICATE that you created, NOT the specific one for your development site
For MAMP, the file OpenSSL uses as the core list of trusted Certificate Authorities is located in /Applications/MAMP/Library/OpenSSL/certs/ - Open the cacert.pem in your IDE as well
Now, under the comments and before the first real CA, copy and paste in the raw data of your Root Certificate. You can also add in before that long piece of data (and BEFORE the -----BEGIN CERTIFICATE----- line) the name you set for your Certificate Authority earlier in Step 1, and format it with the ='s as is with the other Certificate Authorities.
The usual: Save & restart MAMP
Now, if you're running a local development server with MAMP and have self-signed SSL enabled, you should now be able to make the SSL calls back to the server itself, and have the server trust.... itself? I guess? Weird when you think about it!
As a final note, if you had visited any other similar questions here on SO, you would've seen many answers prompt you to create either a stream context with get_file_contents() or set some options with your cURL resource that suggested turning "verify_peer" => false & "verify_peer_name" => false in a stream context, or the equivalent options for cURL. I cannot stress enough that the approach completely defeats the purpose of SSL and shouldn't even be used for local development, due to the possibility of you forgetting to turn it back on or some other obscure event that causes trust to remain off within production.
The method I described above is more tedious, yes, but it will get you through development until you have a real SSL cert in production signed by a true CA, at which point this won't even be an issue anymore.
Feel free to comment if this explanation is not clear / precise enough, I'm only still getting my head around it! Cheers :)
As Mike mentioned (see comments), in the current version of MAMP (6.4) there's an invalid certificate file added to /Applications/MAMP/Library/OpenSSL/certs/cacert.pem. Just open this file and access the link shown in the 301 redirect (https://curl.se/ca/cacert.pem), download it and replace the file.
Mark MAMP_PRO_Root_CA as trusted in Keychain Access
After a ton of hassle and problems related to this, and the situation getting even worse over time as Chrome updated, breaking my automated testing as well, I finally found the solution, as described in the MAMP docs on SSL.
We simply have to add the root certificate that MAMP uses to sign it's custom SSL certs to Keychain Access and set it to always trust:
Open Keychain Access on your Mac
Search for MAMP_PRO_Root_CA
Double click it and expand the Trust section
Set When using this certificate to Always Trust
Close the little window and enter your system password to save the change
After that, any SSL certs you create through the MAMP interface will work automatically, as far as I can tell! If you've been creating your own self-signed certs through the terminal, you might have to go back and update them, but it's easy and reliable, so I don't see why you wouldn't want to if you're already committed to the hot mess which is the MAMP Pro lifestyle 😅
Here's the UI where you create SSL certs in MAMP Pro:
Honestly, I can't tell if this solution was staring me in the face the whole time, or if it was recently enabled in the new versions of MAMP or Chrome. In the end it doesn't matter. Our long national nightmare is finally over 🙏🏻
I have a LAMP application that uses LDAP binds (to Active Directory) to validate user credentials. This works on the production server running RHEL 6.2. I'm trying to set up my own test environment in a VM using CentOS 6.2 and similar versions of packages.
On my VM, calls to ldap_start_tls fail for the application when run inside Apache. I get:
PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in...
But on the same system, I installed phpsh. If I use phpsh to execute the PHP code file, it works.
The code is a basic sequence of ldap_connect, ldap_set_option (to set LDAPv3), ldap_start_tls, and ldap_bind.
The LDAP server is using an internal Active Directory-generated certificate authority, so it isn't automatically trusted. In /etc/openldap/ldap.conf, I have:
TLS_REQCERT allow
The setting seems to be working. If I change the value to always, ldap_start_tls fails in phpsh too. This is the same setting as in the production environment.
I tried installing what should be the AD root CA certificates by saving a .pem file (with 2 certificates) and adding this line to /etc/openldap/ldap.conf:
TLS_CACERT /etc/openldap/certs/ad_roots.pem
I didn't see any change, but perhaps I needed to do more. And I'm not 100% sure those were the right certificates.
I think using phpsh is a valid test for the PHP setup, but it is running as a different user (root) so the environment is different. SELinux is on (enforcing), but I do not see any messages about access denials for Apache in audit.log.
Why doesn't this work for Apache?
The ApacheDS generates a certificate (X.509v1) upon authentication. (As far as I understand)
How would I handle this with a PHP ldap_connect?
Do I need to install the ApacheDS certificate somewhere?
Using an app like LDAPAdmin authenticates fine, however there is a certificate prompt.
I have no idea how to handle this in PHP.
I tried to use Apache Directory Studio to see if I could download a certificate somewhere to no avail. (To somehow setup Apache with it: $dir/newcerts -> openssl.cnf)
I also tried connecting to the url directly with the correct port, it downloads a file containing the message: PROTOCOL_ERROR: The server will disconnect
I needed to create the following directory: C:\OpenLDAP\sysconf adding a file named ldap.conf containing the text TLS_REQCERT never
I am running PHP (on Apache/Windows) and I am trying to connect to a LDAP server to authenticate users. PHP's LDAP plugin is just OpenLDAP.
While I've been successful in connecting to the LDAP server without SSL, I can't do it WITH SSL. I know I got everything right, except OpenLDAP won't connect to the server without the CA certificate. The connection fails and it gives me this error:
"error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
Now, I know I can suppress this behavior by setting TLS_REQCERT to "never" in the ldap.conf file. But the plugin on windows is just a dll file; and I have no idea on where to put the .conf file. Does anyone know?
Thanks in advance.
Apparently you need to place the ldap.conf file in the following directory:
C:\openldap\sysconf\
Since it's hardcoded into the DLL file. PHP.net Manual: LDAP Functions - Comment #47427