For a web application which is able to mount users' directories, I want to provide an option for the user to upload his root certificate to use curl over SSL.
I tried to set the capath to the upload directory (CURLOPT_CAPATH => $capath) but I still get this error message:
[CURL] Error while making request: SSL certificate problem, verify that the CA cert is OK
If I try to set the cert in addition to the path (but I would prefer to set up curl in a way that accepts all certificates signed by a bunch of root certificates provided by the user).
Anyway, if I set for test purpose:
CURLOPT_CAPATH => $capath
CURLOPT_CAINFO => $capath."/myrootcert.der"
I get this error message:
[CURL] Error while making request: error setting certificate verifylocations:\n CAfile: /foo/bar/cacertroot.der\n CApath: /foo/bar/\n (error code: 77)
Any hints what I'm doing wrong? Thanks!
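Two details in the question explain both error messages: CURLOPT_CAINFO expects a PEM file, so pointing it at a .der file makes OpenSSL refuse to load the verify locations (error 77), and CURLOPT_CAPATH expects a directory whose files are named by OpenSSL subject hash (the layout `openssl rehash` / `c_rehash` produces), so raw uploads dropped into a directory are never found. The least fragile way to trust "a bunch of root certificates provided by the user" is to validate each upload, convert it to PEM, and concatenate the results into one per-user bundle for CURLOPT_CAINFO, which needs no hashing step at all. The following is an added PHP example, not code from the question or from any answer on this page; the function names, the `$uploads` array and the bundle path are assumptions.

```php
<?php
// Added example, not code from the question: build a per-user PEM bundle that
// curl loads through CURLOPT_CAINFO, so no CAPATH hashing step is needed.
// File names, the $uploads array and the bundle path are assumptions.

/** Wrap raw DER bytes into PEM; PEM input is returned unchanged. */
function toPem(string $bytes): string
{
    if (strpos($bytes, '-----BEGIN CERTIFICATE-----') !== false) {
        return $bytes;
    }
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split(base64_encode($bytes), 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

/**
 * Validate one uploaded certificate and return it as normalized PEM, or null
 * with the reason in $error. Only currently valid CA certificates
 * (basicConstraints CA:TRUE) are accepted as trust anchors.
 */
function validateCaCertificate(string $bytes, ?string &$error = null): ?string
{
    $cert = openssl_x509_read(toPem($bytes));
    if ($cert === false) {
        $error = 'not a parseable X.509 certificate (neither PEM nor DER)';
        return null;
    }
    $info = openssl_x509_parse($cert);
    $basicConstraints = $info['extensions']['basicConstraints'] ?? '';
    if (stripos($basicConstraints, 'CA:TRUE') === false) {
        $error = 'not a CA certificate (basicConstraints missing or CA:FALSE)';
        return null;
    }
    $now = time();
    if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        $error = 'certificate is outside its validity period';
        return null;
    }
    // Re-export so the bundle holds clean PEM whatever the upload looked like.
    if (!openssl_x509_export($cert, $pem)) {
        $error = 'could not export certificate as PEM';
        return null;
    }
    return $pem;
}

/**
 * Write every valid upload into one PEM bundle and return the rejected files
 * keyed by name with the reason. $uploads maps file name => raw file bytes.
 * OpenSSL ignores text between PEM blocks, so the "# uploaded as" lines are safe.
 */
function buildUserCaBundle(array $uploads, string $bundlePath): array
{
    $rejected = [];
    $bundle = '';
    foreach ($uploads as $name => $bytes) {
        $pem = validateCaCertificate($bytes, $error);
        if ($pem === null) {
            $rejected[$name] = $error;
            continue;
        }
        $bundle .= "# uploaded as: " . basename($name) . "\n" . $pem;
    }
    // Write to a temp file and rename: curl never sees a half-written bundle.
    $tmp = $bundlePath . '.tmp';
    if (file_put_contents($tmp, $bundle, LOCK_EX) === false) {
        throw new RuntimeException("cannot write {$tmp}");
    }
    chmod($tmp, 0600);           // per-user trust material, not world-readable
    rename($tmp, $bundlePath);
    return $rejected;
}

// Usage (hypothetical paths):
//   $uploads  = ['myrootcert.der' => file_get_contents($uploadedTmpName)];
//   $bundle   = "/var/app/users/{$userId}/ca-bundle.pem";
//   $rejected = buildUserCaBundle($uploads, $bundle);
//   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
//   curl_setopt($ch, CURLOPT_CAINFO, $bundle);   // PEM, so no error 77
```

Keep the bundle strictly per user and never merge it into the system store: a root uploaded by one user must only affect that user's requests. If every upload is rejected the bundle is empty and curl fails with error 77 rather than connecting, which is the safe failure mode; surface the `$rejected` reasons to the user instead of relaxing verification.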
Related
When trying to access one particular API through curl in PHP, I get the curl error code 60 - unable to get local issuer certificate. The strange thing is that I only get this error for this particular domain, and only when using curl in php.
When accessing the API with command line curl, the issue does not occur. When trying to access any other SSL domain via curl in php, the issue does not occur. In fact, I have found another website that uses the same intermediate certificate (i.e. RapidSSL Global TLS RSA4096 SHA256 2022 CA1), and I can access that website.
I have of course tried setting cacert.pem manually, for both curl and openssl, through both the php.ini and through curl_setopt in code, but to no avail. I have also verified that the root certificate that is used by the problematic api (i.e. Digicert Global Root CA) is present in both the downloaded and default CA stores.
At this point, I would appreciate any guesses as to what could possibly be causing this behaviour.
Here is the output of Curl in verbose mode when trying to access the problematic website:
* Trying <IP>:443...
* Connected to <Domain> (<IP>) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /usr/local/etc/openssl#1.1/cert.pem
* CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
Update: after running testssl.sh, it seems that the chain of trust is not entirely complete. This does not explain why only curl with PHP has this issue, and I would still appreciate it if anybody could point me to a way to accept this particular flaw without disabling SSL verification entirely.
I have an Ubuntu LAMP server on Digital Ocean and have set up an SSL certificate (which works perfectly fine). The website runs via https (http requests are redirected to https). In one of my PHP scripts, I have to send a cURL request to the local server. I am basically sending a POST request with JSON data that will be used for templating a document at the other end. In short, both ends are hosted at the same site:
https://example.com/form.php
https://example.com/templates/document.php
The cURL error I get when sending data from form.php to templates/document.php is:
SSL certificate problem: unable to get local issuer certificate
I have read at least 20 articles telling me to add these lines to php.ini at their original line positions:
curl.cainfo="/etc/ssl/certs/cacert.pem"
openssl.cafile="/etc/ssl/certs/cacert.pem"
The CA certificate is located as described above, but the cURL error persists.
I am able to bypass this error by forcing CURLOPT_SSL_VERIFYPEER to false in the cURL request itself. However, I know this is not an option for a website in production mode.
Is it not possible to do such an SSL cURL request to its own host? Or is it so that I can actually disable CURLOPT_SSL_VERIFYPEER for this very specific request, since it's just a local request anyway?
Thank you in advance!
EDIT:
Adding a verbose option to the cURL request shows the following information:
Trying 123.456.789.01...
Connected to example.com (123.456.789.01) port 443 (#0)
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/cacert.pem CApath: /etc/ssl/certs
SSL certificate problem: unable to get local issuer certificate
Closing connection 0
It doesn't seem to be of any help though.
When I enable CURLOPT_SSL_VERIFYPEER I get this error from curl:
SSL certificate problem: unable to get local issuer certificate.
I read that I should include something in the php.ini file, but I do not have access to that file because it's not a self-hosted site. I already purchased SSL certification for my site and the host said that they will set everything.
Where could the problem be: at my site or at the host?
You might have to talk about this issue with the technical support from your host. The installation/configuration of the ssl certificate might not be completed yet.
I'm trying to install Vaprobash via CURL but I get this message every time I try to download something through CURL. I'm using a Mac.
curl -L http://bit.ly/vaprobash > Vagrantfile
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Append this option to the curl call:
-k/--insecure
curl will then not try to verify the SSL cert.
The link is redirecting to a secure HTTP (SSL) server, and curl doesn't have access to the proper chain of trusted certificates to confirm that the site is who it says it is.
If you're sure the site is legitimate, and this is a once-off effort, you can use the --insecure option (it will ignore any certificate errors). Opening the link in a browser directs to GitHub with no issues, and curl fetches it fine on my Ubuntu 12.04 box.
It's likely a missing certificate in your SSL installation. Run with the -v option to get a detailed output if you need to confirm this.
The error that a lot of people get with Facebook authentication is:
CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
And the only information I can find about it suggests adding the following lines of code to curl:
$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;
I know this works, but what is going on here?
Isn't there any server setting/configuration that can be changed instead of hacking up facebook.php?
What It Does & Meaning:
The following code tells cURL to NOT verify that security certificates are correct. Hence, the error disappears.
$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;
When you connect to a remote server with SSL, its certificate might be invalid, expired, or not signed by a recognized CA. cURL normally checks it.
CURLOPT_SSL_VERIFYHOST:
1: to check the existence of a common name in the SSL peer certificate.
2: to check the existence of a common name and also verify that it matches the hostname provided.
CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).
How to Enable & Verify Correctly:
To verify correctly, we need to verify that the certificate being presented to us is genuinely good. We do this by comparing it against a certificate we reasonably trust.
If the remote resource is protected by a certificate issued by one of the main CAs like Verisign, GeoTrust et al., you can safely compare against Mozilla's CA certificate bundle, which you can get from http://curl.haxx.se/docs/caextract.html
Save the file cacert.pem somewhere on your server and set the following options in your script.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");
If you are connecting to a resource protected by a self-signed certificate, all you need to do is obtain a copy of the certificate in PEM format and append it to the cacert.pem of the above paragraph.
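Put side by side, the option set the question asks about and the verified configuration this answer recommends look like the code below, together with a helper that turns the two curl error codes quoted on this page (60 and 77) into the fix each one calls for. The same verified configuration applies to the Ubuntu/LAMP self-request and the RapidSSL question above: error 60 there means the issuing CA is not in the bundle PHP's curl actually loaded (the verbose output shows which CAfile that is) or the server omits an intermediate, and neither is cured by turning verification off. This is an added PHP example, not code from the answer or from the Facebook SDK; the function names and the `$caBundle` path are assumptions. Note that in current libcurl CURLOPT_SSL_VERIFYHOST has only two meaningful values, 0 and 2 (1 is treated the same as 2).

```php
<?php
// Added example, not code from the original answer: the insecure option set
// the question asks about, beside the hardened one, plus a mapping of the
// two curl SSL error codes seen on this page to the fix each one needs.

/** What the Facebook snippet does: turns certificate validation off entirely. */
function insecureCurlOptions(): array
{
    return [
        CURLOPT_SSL_VERIFYPEER => false, // any certificate is accepted; TLS no longer authenticates the peer
        CURLOPT_SSL_VERIFYHOST => 2,     // meaningless here: the name is checked on an unvalidated certificate
    ];
}

/** Verified configuration: trust only the CAs in $caBundle and require the name to match. */
function verifiedCurlOptions(string $caBundle): array
{
    if (!is_readable($caBundle)) {
        // Catch the misconfiguration here instead of as curl error 77 at request time.
        throw new InvalidArgumentException("CA bundle not readable: {$caBundle}");
    }
    return [
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CAINFO          => $caBundle,       // PEM bundle, e.g. Mozilla's cacert.pem
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // never fall back to plain http
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // ...not even via a redirect
        CURLOPT_RETURNTRANSFER  => true,
    ];
}

/** Map the curl error codes quoted on this page to their cause and remedy. */
function explainCurlSslError(int $errno): string
{
    switch ($errno) {
        case 60: // CURLE_PEER_FAILED_VERIFICATION (formerly CURLE_SSL_CACERT)
            return 'Peer certificate could not be validated against the CA bundle: '
                . 'the issuing CA is missing from CURLOPT_CAINFO, or the server sends an '
                . 'incomplete chain (missing intermediate). Fix the bundle or the server; '
                . 'do not disable CURLOPT_SSL_VERIFYPEER.';
        case 77: // CURLE_SSL_CACERT_BADFILE
            return 'CURLOPT_CAINFO/CURLOPT_CAPATH could not be loaded: the file must be PEM '
                . '(not DER) and readable by the PHP process; a CAPATH directory must be '
                . 'hashed with openssl rehash.';
        default:
            return 'curl error ' . $errno;
    }
}

/** Perform a GET with verification on; returns [status, body, error-or-null]. */
function requestWithVerification(string $url, string $caBundle): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, verifiedCurlOptions($caBundle));
    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false) {
        return [$status, '', explainCurlSslError($errno) . ' (' . curl_strerror($errno) . ')'];
    }
    return [$status, $body, null];
}

// Usage (hypothetical path):
//   [$status, $body, $error] = requestWithVerification('https://graph.facebook.com/', '/etc/ssl/certs/cacert.pem');
```

`insecureCurlOptions()` is included only so the contrast is visible; nothing in a production code path should call it. When the verified request fails with 60, compare the CAfile shown by curl's verbose output with the bundle you think you configured before touching any option: the two PHP questions above both hit the case where PHP's curl reads a different CA file than the command-line curl.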
In my case, I could not use curl_setopt, because I could not edit the Facebook API classes (conditions of the project I was working on).
I solved the problem by adding the path to cacert.pem, downloaded from http://curl.haxx.se/docs/caextract.html, to my php.ini:
[curl]
curl.cainfo = "c:\wamp\cacert.pem"
I just had the same problem, and disabling peer verification is not acceptable in my case.
I updated the fa_ca_chain_bundle.crt file (from Facebook's GitHub) and it works now.
Regards,
Marek