All of a sudden, my PHP cURL implementation that access sites over SSL stopped working. After some digging around in the cURL response headers I discovered that the issue was a result of cURL not liking the sites SSL cert, giving the error:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Now I didn't test it with other sites and I know there are solutions to add Mozilla's certs to cURL. But to get stuff to work I simply added a new cURL option to disable SSL validity checks (CURLOPT_SSL_VERIFYHOS).
But I am still confused as to how this would stop working in just one day. It worked yesterday. The cert on the site didn't change and it is still a valid, unexpired, Verisign-issued cert.
Had this happen to me last month as well, and the only reason was that the SSL certificate in question was expired. So I just renewed it and the curl ssl link worked again. If you happen to deal with self-signed certificates it's the same deal btw, you either import it or switch of the verification.
That's the only thing I can think off but you state you already verified that...weird. Any chance to take a peek at the site's certificate or is it private? If you haven't changed anything it's almost certainly that something happened to the SSL certificate.
Try These two options in curl
CURLOPT_SSL_VERIFYPEER, FALSE
CURLOPT_SSL_VERIFYHOST, 2
Related
i'm using mandrill and setting up webhooks is failing. i moved my domain to a new server and set up ssl again.
now when i look at the web hooks admin page i see this error:
- Error: POST to https://my.website.com/hooks/mandrill.php failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
when i try to change the url for this webhook, all i get is
- We can't verify that the URL exists. More info
when i contacted mandrill support they suggested that it may be missing intermediate CA for my SSL cert. That browsers wouldn't care but the server did care and would fail.
this url helped me figure out that indeed my intermediate CA was not installed
- https://www.sslshopper.com/ssl-checker.html
ends up i didn't have the intermediate CA enabled in /etc/httpd/conf.d/ssl.conf. the lines were commented out. i removed the comments and restarted apache and all is working well now.
i could save the changed webhook and when i clicked send test it sent them. however there still was a stale error on the webhook about the ssl issue. but it was no longer preventing me from editting or sending webhooks
hope this saves someone else some time
I am running a local XAMPP server on a windows machine.
From this server I am trying to connect to an SSL encrypted page via CURL.
I did run into the following error:
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I realize that I could simply disable SSL verification by using...
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
..but I really don´t want to do this, that´s the point of using SSL.
I´ve seen several answers here that point to to set the CURL Option "CURLOPT_CAINFO" to a .pem file that can be acquired here: http://curl.haxx.se/ca/cacert.pem
curl_setopt($ch, CURLOPT_CAINFO, 'C:\xampp\cacert.pem' );
I did put the file in the given folder, and run the above command before running curl_exec. But I still get the same error as before.
I also tried to download the certificate from the site that I am trying to connect with, but the error message is still the same.
PHP can access the .pem file, with file_get_contents for example, so it does not appear to be a file access / permission problem.
What could be the cause for this problem to persist?
I am running:
PHP Version: 5.2.9
cURL Information: libcurl/7.16.0 OpenSSL/0.9.8i zlib/1.2.3
Tardy response but I had same problem and the way I fixed it was to upgrade to php 5.3. I have seen nothing that explicit that says "5.2 does not do proper certificate validation" but you have everything right by using CURLOPT_CAINFO. Upgrade to 5.3 and it will work.
I'm debugging an issue that someone is having in accessing a payment gateway using a PHP plugin. The only way he has been able to avoid a 404 error after clicking the Checkout button is by setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to 0. I know this is bad, but does anyone know why this might be? It seems to be distrusting of the SSL certificate of the payment website...could this just be an issue with his server not trusting certain SSL certificates? The response he is getting from the curl_exec() function is just false when the checks are turned on.
EDIT: So I've seen multiple solutions that say to add something similar to this to my curlopt lines after getting the certificate file:
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/certificate.cert");
But what if I'm dealing with a bunch of separate customers that are having this issue? That path won't work for everyone. What can I put instead that will apply to each person?
If I can't put a general line, then where would I tell the person to put their certificate file? This would have to be done by their web hosting service, right?
here is a good answer to your problem:
Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
i suggest to analyze the certificate issued by the payment website..
the url used by the php plugin is exactly the same specified in the common name field of the certificate?
If you are sure the certificate provided it's ok, and trusted, You could set the CURLOPT_CAINFO option to trust this certificate and avoid the error:
curl_setopt($ch, CURLOPT_CAINFO, 'C:\path\to\curl-ca-bundle.crt');
Chech your SSL Certificate here : http://www.digicert.com/help/
I had a similar issue because certificates hadn't been good chained.
I should have paid more attention to my classes that covered security. I'm quite confused about something. To start, here's the background of what I'm trying to accomplish.
I have a web service that I need to access. The web service is set up as HTTPS. The traffic between client and server is encrypted (this doesn't have to do with authentication).
I'm interacting with the web service via cURL and PHP. I've gotten an example to work locally over HTTP and I'm fairly confident I'm on the right track with regards to cURL/PHP side of things.
When using the HTTP version of the code to access a web service over HTTPS, I am getting an error code 60 "SSL certificate problem, verify that the CA cert is OK" (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)
From my reading, it seems that I need a PEM file and I need to set additional cURL options such as the following:
CURLOPT_CAINFO
CURLOPT_SSLCERT
CURLOPT_SSLKEYPASSWD
My question is how do I know where to get the PEM file or whether I can simply make it? This is probably going to be an obvious answer as I'm sure I'm missing something but I figure I just need to ask and get the background I'm missing.
Amendment: The web service is using a certificate signed by VeriSign. So it's not a self signed certificate. Also, the web service is owned and operated by an external organization.
Thanks.
Despite googling around prior to asking this, it seems I've stumbled upon the answer after a bit of back-n-fourth with 'thatidiotguy' (his user name, not my name for him. ;-) ).
cURL, out of the box, does not trust any CA (VeriSign or otherwise). This needs to be setup on your server. To "solve" the problem, you have two options. You can bypass the verification with the following command:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
Note that this is not optimal with regards to security. Any certificate, signed by a CA or not, will be accepted as trusted.
The proper fix involves getting the original certificate (in my case this means the web service) and "exporting" the certificate as a X.509 Certificate (PEM). The certificate then needs to appropriately moved to the server and the following configurations set:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); //Check that the common name exists and that it matches the host name of the server
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/path/to/cert/my-exported.crt"); //PEM file
Source: http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/
The answer is very simple. You need to download a certificate bundle, one that also ships with regular browsers.
Luckily that work is already done for you here:
http://curl.haxx.se/docs/caextract.html
Once downloaded you specify the path to this file with CURLOPT_CAINFO.
I am using the latest Janrain openid library example and the discovery process seems to work well with Yahoo, myopenid.com and others...
But I am stuck with Google endpoint (https semicolon //www.google.com/accounts/o8/id). Consumer.php just returns a 406 apache error, before I am redirected to google's page.
All my installation is available here :
http://www.coplango.com/vendor/openid/examples/
Click on consumer to try the consumer example, but discovery.php fails the same way,proving it happens during discovery...
You can also check detect.php to check my installation - The HTTP fetching test fails with a 503 because it tries to reach an address which returns a 503. Rest is fine.
I supposed it was down to php-yadis specifying Accept: application/xrds+xml header but I checked the code and other types are also accepted such text/html and application/xhtml+xml.
Anyone came accross this?
Any clue?
Thank you very much!
Ok,
I have investigated further and it seems to be down to my provider, who returns a 406 error if any string containing the death word "/id" is passed as GET parameter. Took me days to figure out it was not down to openid !!
For info I am using PlanetHoster, if anyone else ever comes accross this. I have sent them a ticket request and waiting for their answer.
running the consumer example at my machine, i get the following error:
Got no response code when fetching https://www.google.com/accounts/o8/id
CURL error (60): SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
this means curl fails verifying google's https server certificate. you can workaround this by either providing curl with CA certificates to verify google's certificate via CURLOPT_CAINFO/CURLOPT_CAPATH, or - easier - stop validating the cert via CURLOPT_SSL_VERIFYPEER. the following change in Auth/Yadis/ParanoidHTTPFetcher.php accomplishes latter for me:
--- ParanoidHTTPFetcher.php.orig 2009-04-22 02:31:20.000000000 +0800
+++ ParanoidHTTPFetcher.php 2009-09-30 22:35:24.093750000 +0800
## -127,6 +127,9 ##
Auth_OpenID_USER_AGENT.' '.$curl_user_agent);
curl_setopt($c, CURLOPT_TIMEOUT, $off);
curl_setopt($c, CURLOPT_URL, $url);
+
+ // don't verify server cert
+ curl_setopt($c, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_exec($c);
of course, your curl installation must also support ssl - check your phpinfo(). also, if CURLOPT_SSL_VERIFYPEER is disabled, CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE.
see also http://www.openrest.eu/docs/openid-not-completely-enabled-for-google.php (via the Related Why doesn't Google OpenID provider work with PHP-OpenId on my server?).
SOLUTION:
In the .htaccess file put
SecFilterEngine Off