Quick question : I have a PHP script which query Pinnacle Cart API through a cURL query. While testing this on my laptop, no problem. I get the XML response and all. But once it's on the remote server... I get no result. I checked beforehand to be sure cURL was installed on the remote server, and it sure is. I don't have the same version as the remote server (libcurl/7.15.5 vs libcurl/7.19.5) but I kind of doubt it's the issue here. Any idea what might throw off my script?
EDIT : Here is what I get when I output the errors to a file with CURLOPT_STDERR :
Locally :
successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs
SSL connection using DHE-RSA-AES256-SHA
Server-side :
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSL certificate problem, verify that the CA cert is OK. Details:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
1 minutes of googling later... I found out that with this parameter :
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
My script works on the server... But it's kind of butched, isn't it?
See your PHP error log or turn the PHP's error reporiting functionality on so that it gives you the exact error message. Most probably PHP's safe_mode is open on your server and prevents some functionality (eg. CURLOPT_FOLLOWLOCATION) of curl library.
Related
When trying to access one particular API through curl in PHP, I get the curl error code 60 - unable to get local issuer certificate. The strange thing is that I only get this error for this particular domain, and only when using curl in php.
When accessing the API with command line curl, the issue does not occur. When trying to access any other SSL domain via curl in php, the issue does not occur. In fact, I have found another website that uses the same intermediate certificate (i.e. RapidSSL Global TLS RSA4096 SHA256 2022 CA1), and I can access that website.
I have of course tried setting cacert.pem manually, for both curl and openssl, through both the php.ini and through curl_setopt in code, but to no avail. I have also verified that the root certificate that is used by the problematic api (i.e. Digicert Global Root CA) is present in both the downloaded and default CA stores.
At this point, I would appreciate any guesses as to what could possibly be causing this behaviour.
Here is the output of Curl in verbose mode when trying to access the problematic website:
* Trying <IP>:443...
* Connected to <Domain> (<IP>) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /usr/local/etc/openssl#1.1/cert.pem
* CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
Update: after running testssl.sh, it seems that chain of trust is not entirely complete. This does not explain why only curl with php has this issue, and I would still appreciate it if anybody could point me to a way to accept this particular flaw without disabling SSL verification entirely.
I have an Ubuntu LAMP server on Digital Ocean and have setup an SSL certificate (which works perfectly fine). The website runs via https (http requests are redirected to https). In one of my PHP scripts, I have to send a cURL request to the local server. I am basically sending a POST request with JSON data that will be used for templating a document at the other end. In short, both ends are hosted at the same site:
https://example.com/form.php
https://example.com/templates/document.php
The cURL error I get when sending data from form.php to templates/document.php is:
SSL certificate problem: unable to get local issuer certificate
I have read at least 20 articles telling me to add these lines to php.ini at their original line positions:
curl.cainfo="/etc/ssl/certs/cacert.pem"
openssl.cafile="/etc/ssl/certs/cacert.pem"
The CA certificate is located as described above, but the cURL error persists.
I am able to bypass this error by forcing CURLOPT_SSL_VERIFYPEER to false in the cURL request itself. However, I know this is not an option for a website in production mode.
Is it not possible to do such SSL cURL request to its own host? Or is it so that I can actually disable CURLOPT_SSL_VERIFYPEER for this very specific request since it's just a local request anyway?
Thank you in advance!
EDIT:
Adding a verbose option to the cURL request shows the following information:
Trying 123.456.789.01...
Connected to example.com (123.456.789.01) port 443 (#0)
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/cacert.pem CApath: /etc/ssl/certs
SSL certificate problem: unable to get local issuer certificate
Closing connection 0
It doesn't seem to be of any help though.
I'm trying to test our Mandrill API from my localhost (on Windows). It seems like I need to configure a "local issuer certificate". So, I downloaded http://curl.haxx.se/ca/cacert.pem and saved it in my document root (c:\wamp\www). Then, in my php.ini file, I configured this: curl.cainfo = "/cacert.pem".
When I run the sample code for Mandrill, I get the following error:
A mandrill error occurred: Mandrill_HttpError - API call to
messages/send failed: error setting certificate verify locations:
CAfile: cacert.pem CApath: none
Any idea what's wrong?
I've seen others post about this with WampServer; though I cannot offer the reason or a real solution, if you're just testing on your localhost have you considered just turning off cURL's SSL verification?
curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($this->ch, CURLOPT_SSL_VERIFYPEER, 0);
To extend the #LeonardChallis answer if you're struggling with Google APIs on this one then adding the following to vendor\guzzlehttp\guzzle\src\Handler\CurlFactory.php and the create function will also fix it:
$conf[CURLOPT_SSL_VERIFYHOST] = 0;
$conf[CURLOPT_SSL_VERIFYPEER] = 0;
I am running a local XAMPP server on a windows machine.
From this server I am trying to connect to an SSL encrypted page via CURL.
I did run into the following error:
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I realize that I could simply disable SSL verification by using...
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
..but I really don´t want to do this, that´s the point of using SSL.
I´ve seen several answers here that point to to set the CURL Option "CURLOPT_CAINFO" to a .pem file that can be acquired here: http://curl.haxx.se/ca/cacert.pem
curl_setopt($ch, CURLOPT_CAINFO, 'C:\xampp\cacert.pem' );
I did put the file in the given folder, and run the above command before running curl_exec. But I still get the same error as before.
I also tried to download the certificate from the site that I am trying to connect with, but the error message is still the same.
PHP can access the .pem file, with file_get_contents for example, so it does not appear to be a file access / permission problem.
What could be the cause for this problem to persist?
I am running:
PHP Version: 5.2.9
cURL Information: libcurl/7.16.0 OpenSSL/0.9.8i zlib/1.2.3
Tardy response but I had same problem and the way I fixed it was to upgrade to php 5.3. I have seen nothing that explicit that says "5.2 does not do proper certificate validation" but you have everything right by using CURLOPT_CAINFO. Upgrade to 5.3 and it will work.
For a web application which is able to mount users directories I want to provide a option for the user to upload his root certificate to use curl over ssl.
I tried to set the capath to the upload directory (CURLOPT_CAPATH => $capath) but I still get this error message:
[CURL] Error while making request: SSL certificate problem, verify that the CA cert is OK
If I try to set the cert additionally to the path (but I would prefer to set up curl in a way to accept all certificates signed by a bunch of root certificates provided by the user).
Anyway, if I set for test purpose:
CURLOPT_CAPATH => $capath
CURLOPT_CAINFO => $capath."/myrootcert.der"
I get this error message:
[CURL] Error while making request: error setting certificate verifylocations:\n CAfile: /foo/bar/cacertroot.der\n CApath: /foo/bar/\n (error code: 77)
Any hints what I'm doing wrong? Thanks!