Robert Saylor asked:
curl SSL certificate unable to get local issuer certificate
I am on a Linux server and getting the error "unable to get local issuer certificate" from curl. It is a PHP app that is giving the error. Can somebody walk me through updating the SSL for curl?
ASKER CERTIFIED SOLUTION
What happens if you run this command on the shell:
cat /root/ssl/cacert.cer | openssl md5
What's the resulting hash and the file size of /root/ssl/cacert.cer?
Oh, and what version of PHP are you using?
ASKER
php 5.6.19
(stdin)= 38cd779c9429ab6e2e5ae3437b763238
ASKER
The issue might be the app. I placed in a test file and I don't get the error.
<?php
// create curl resource
$ch = curl_init();
// set url
curl_setopt($ch, CURLOPT_URL, "https://www.google.com");
//return the transfer as a string
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// $output contains the output string
$output = curl_exec($ch);
// close curl resource to free up system resources
curl_close($ch);
print "$output";
?>
ASKER
Would you agree that my test file validates PHP curl is working over SSL ?
Okay, that's the right hash, then, and you're on a version that should accept that path. I'm wondering if it's a permissions issue due to the file's location. Just for testing purposes, try this:
cp /root/ssl/cacert.cer /tmp/cacert.cer
chmod 444 /tmp/cacert.cer
Then update your php.ini file to use /tmp/cacert.cer as your location for curl.cainfo, and run your test again.
Very possibly. I'd recommend you also enable verbose output:
curl_setopt($ch, CURLOPT_VERBOSE, true);
In the request output, you should see where it's pulling the CA info from, so you can see if it's using a different source or the expected one.
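The checks suggested so far in this thread (hash and size of the bundle, whether the PHP process can read it, and the "CAfile:" line from CURLOPT_VERBOSE) can be combined into one diagnostic script. The script below is an added example and is not from the original post or the asker's app; it assumes the paths and URL used in the thread, the function names are made up for the example, and it avoids PHP 7 syntax so it runs on the asker's PHP 5.6.

```php
<?php
// Added diagnostic for this thread (example code, not the asker's app).
// It tells the two failure modes apart: a bundle that is present but does not
// chain to the server's issuer ("unable to get local issuer certificate") and
// a bundle path that cannot be opened at all ("error setting certificate
// verify locations"). Paths and URL are assumptions taken from the thread.

function inspectCaBundle($path) {
    $report = array('path' => $path, 'ok' => false, 'problems' => array());
    if (!file_exists($path)) {
        $report['problems'][] = 'file does not exist (check php.ini for a mistyped or truncated curl.cainfo)';
        return $report;
    }
    if (!is_readable($path)) {
        $report['problems'][] = 'not readable by the user running PHP (web server user vs. root)';
        return $report;
    }
    $report['size'] = filesize($path);
    $report['md5']  = md5_file($path);   // compare with: openssl md5 < bundle
    $pem = file_get_contents($path);
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    $report['certificates'] = count($m[0]);
    if ($report['certificates'] === 0) {
        $report['problems'][] = 'no PEM certificates found (DER file or an HTML error page saved as the bundle?)';
        return $report;
    }
    $bad = 0;
    foreach ($m[0] as $cert) {
        $info = openssl_x509_parse($cert);           // needs the openssl extension
        if ($info === false || $info['validTo_time_t'] < time()) {
            $bad++;
        }
    }
    $report['expired_or_unparseable'] = $bad;
    $report['ok'] = true;
    return $report;
}

function verboseHttpsProbe($url, $caFile = null) {
    $ch  = curl_init($url);
    $log = fopen('php://temp', 'w+');
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,   // a HEAD request is enough to exercise the TLS handshake
        CURLOPT_SSL_VERIFYPEER => true,   // keep verification on; the goal is to make it pass, not to skip it
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log,   // capture the "* CAfile:" lines instead of printing them
    ));
    if ($caFile !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caFile);   // per-handle override of curl.cainfo
    }
    curl_exec($ch);
    $result = array(
        'errno'         => curl_errno($ch),
        'error'         => curl_error($ch),
        // 0 means OpenSSL's X509_V_OK; anything else is the OpenSSL verify error code
        'verify_result' => curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT),
    );
    curl_close($ch);
    rewind($log);
    $result['verbose'] = stream_get_contents($log);
    fclose($log);
    preg_match('/CAfile:\s*(\S+)/', $result['verbose'], $used);
    $result['cafile_used'] = isset($used[1]) ? $used[1] : 'not reported';
    return $result;
}

// Which php.ini this SAPI loaded (CLI and the web SAPI often differ) and what it configures.
echo "php.ini in use: ", php_ini_loaded_file(), "\n";
$configured = ini_get('curl.cainfo');
echo "curl.cainfo: ", ($configured !== '' ? $configured : '(not set; libcurl uses its built-in default)'), "\n";
if ($configured !== '') {
    print_r(inspectCaBundle($configured));
}
print_r(inspectCaBundle('/root/ssl/cacert.cer'));   // bundle path from the thread

$probe = verboseHttpsProbe('https://www.google.com/', '/root/ssl/cacert.cer');
printf("CAfile used: %s\nverify result: %d\nerrno %d: %s\n",
    $probe['cafile_used'], $probe['verify_result'], $probe['errno'], $probe['error']);
```

Run it twice: once from the shell as in the thread, and once as the user the web server runs PHP under (for example with `sudo -u <webuser> php diag.php`). A bundle under /root is normally unreadable to that user even though it works for root on the CLI, and the CLI and web SAPIs frequently load different php.ini files, so the "php.ini in use" and "CAfile used" lines are the first things to compare between the working test script and the failing app.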
ASKER
It went back to the original error when I moved it to /tmp.
I get the same error in my test file now.
Here in /root/ssl:
root@server [/home/dev2/www]# php curl_test.php
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
* Trying 2607:f8b0:4002:c06::69...
* Trying 74.125.21.147...
* Connected to www.google.com (74.125.21.147) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /root/ssl/cacert.cer
CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
Here in /tmp:
root@server [/home/dev2/www]# php curl_test.php
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
* Trying 2607:f8b0:4002:c06::69...
* Trying 74.125.21.147...
* Connected to www.google.com (74.125.21.147) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /tmp/cacert.cer
CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
ASKER
If I remove the php.ini call and just use what was originally on the server, my test works but the other one does not.
root@server [/home/dev2/www]# php curl_test.php
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
* Trying 2607:f8b0:4002:c03::69...
* Trying 173.194.219.106...
* Connected to www.google.com (173.194.219.106) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* start date: 2017-01-04 10:18:00 GMT
* expire date: 2017-03-29 10:18:00 GMT
* subjectAltName: www.google.com matched
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
> GET / HTTP/1.1
Host: www.google.com
Accept: */*
< HTTP/1.1 200 OK
< Date: Thu, 19 Jan 2017 19:25:05 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
* Server gws is not blacklisted
< Server: gws
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: NID=95=MQ1xy4ZPThNoDe_KXPOevBlv1qay13di_4O0peE_NkgdGHp04KUOkaAvxPDSQeNNe_5bSPrW3zGZe8H-LNZfgiqSZ7CU-lC8iwfw06xuqBKhtwgis0y8RouhAFsN7EdFWAGCVXWjkwSRs_k; expires=Fri, 21-Jul-2017 19:25:05 GMT; path=/; domain=.google.com; HttpOnly
< Alt-Svc: quic=":443"; ma=2592000; v="35,34"
ASKER
I think it is 3rd party issue. Will let you know the outcome.
That's interesting... if I run the same thing on my server with the updated bundle and an HTTPS call to Google, it works out just fine - I have exactly the same bundle on my system.
I'd be interested in hearing what you find out about the possible 3rd party issue.
# cat /tmp/cacert.cer | openssl md5
(stdin)= 38cd779c9429ab6e2e5ae3437b763238
# php curltest.php
* Rebuilt URL to: https://www.google.com/
* Trying 216.58.216.228...
* Connected to www.google.com (216.58.216.228) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /tmp/cacert.cer
CApath: none
* NPN, negotiated HTTP1.1
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* start date: Jan 11 09:13:00 2017 GMT
* expire date: Apr 5 08:56:00 2017 GMT
* subjectAltName: host "www.google.com" matched cert's "www.google.com"
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
> GET / HTTP/1.1
Host: www.google.com
Accept: */*
< HTTP/1.1 200 OK
< Date: Thu, 19 Jan 2017 20:24:07 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< Server: gws
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: NID=95=d6BK.............ZKp6iA; expires=Fri, 21-Jul-2017 20:24:07 GMT; path=/; domain=.google.com; HttpOnly
< Alt-Svc: quic=":443"; ma=2592000; v="35,34"
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
* Connection #0 to host www.google.com left intact
ASKER
I have a ticket open with cPanel to validate the server and one with the software vendor.
ASKER
Just an update. It does not appear to be a server issue. cPanel checked it out and the server checks out. We have another version of the app on another virtual domain on the same server, and it does not get a curl issue. The vendor is slow to respond, so it is pretty clear it is a vendor issue.
ASKER
php.ini:
curl.cainfo=/root/ssl/cace
I no longer get the original error. I now get this:
error setting certificate verify locations: CAfile: /root/ssl/cacert.cer CApath: none