Thread: SSL certificate verification on PHP 5.6

  1. #1
    Join Date
    Dec 2006
    Posts
    115

    SSL certificate verification on PHP 5.6

    After upgrading to PHP 5.6 on FreeBSD 9.3, I ran into SSL certificate verification trouble.

    I got these error messages:
    - fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    - fsockopen(): Failed to enable crypto
    - fsockopen(): unable to connect to ssl://xx.xx.xx:443 (Unknown error)

    I followed these steps to get things sorted out; posting here to help others who run into the same trouble.

    Logged in via ssh
    - # locate cert.pem
    - on my server it was found in /usr/local/etc/ssl/cert.pem
    - added following to php.ini: openssl.cafile=/usr/local/etc/ssl/cert.pem
    - restart httpd service

    Problem solved, good luck!

  2. #2
    Join Date
    Nov 2010
    Posts
    349
    Thank you for sharing this information. Maybe this should be used in the knowledgebase and changed in the custom build script.

  3. #3
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,404
    Hello,

    Faced the same issue on CentOS 7 with PHP 5.6 and OpenSSL 1.0.2.
    If you are missing a cert then you can download a cURL cert bundle.

    CentOS (FreeBSD might have another default location for default cert file):

    Code:
    wget http://curl.haxx.se/ca/cacert.pem -O /usr/ssl/cert.pem
    You can find where the cert should be placed by default with this command:

    PHP 5.6:

    Code:
    php -r 'print_r(openssl_get_cert_locations());' | grep '\[default_cert_file\]' | awk '{print $3}'
    With regards, Alex.

  4. #4
    Join Date
    May 2005
    Location
    Montreal, QC, Canada
    Posts
    110
    Quote: Originally posted by zEitEr
    Hello,

    Faced the same issue on CentOS 7 with PHP 5.6 and OpenSSL 1.0.2.
    If you are missing a cert then you can download a cURL cert bundle.

    CentOS (FreeBSD might have another default location for default cert file):

    Code:
    wget http://curl.haxx.se/ca/cacert.pem -O /usr/ssl/cert.pem
    You can find where the cert should be placed by default with this command:

    PHP 5.6:

    Code:
    php -r 'print_r(openssl_get_cert_locations());' | grep '\[default_cert_file\]' | awk '{print $3}'

    A better way is to install security/ca_root_nss and let it handle the root certs for you.

    Code:
    pkg install security/ca_root_nss
    FreeBSD <3

  5. #5
    Just a followup while fixing this issue on a fastcgi box.
    I believe the correct variable for the cacert is not the "default_cert_file", but instead the "ini_cafile" value, e.g.:
    Code:
    php -r 'print_r(openssl_get_cert_locations());' | grep '\[ini_cafile\]' | awk '{print $3}'
    /etc/ssl/certs/cert.pem
    or "openssl.cafile" in the phpinfo() output.
    And for this case, the solution was to add the cacert of the remote server to the local certs/cert.pem file. It just happened to have a local copy too because it was a wildcard, so I simply ran:
    Code:
    cat /etc/httpd/conf/ssl.crt/server.ca >> /etc/ssl/certs/cert.pem
    The local server.ca matched the remote server.ca, hence this worked for me. If your remote server's ca bundle only exists remotely, then just grab it, and dump it to the end of the /etc/ssl/certs/cert.pem file, so the local box recognizes the remote cert when it's connected to.

    Hope this helps someone else!

    I had to edit the httpsocket.php class and remove the @ character in front of the @fsockopen call in order to see the above errors, which directed me here.
    More googling mentioned copying the remote ca to the local certs.

    John
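
Added example (not part of any post in this thread): a shell script that reads the `openssl_get_cert_locations()` output used in posts #3 and #5, picks the CA bundle PHP is expected to use, and checks that the file exists and actually contains PEM certificates. It assumes `ini_cafile` takes precedence over `default_cert_file` when set and ignores `capath`, `SSL_CERT_FILE` and per-stream `cafile` options; the function names and the sample text are constructed for illustration.

```shell
# Added example, not from the thread. Input on stdin is the text printed by:
#   php -r 'print_r(openssl_get_cert_locations());'

# Print the value of one print_r key, e.g. "ini_cafile" (empty if unset).
cert_location() {
    awk -v key="[$1]" '$1 == key && $2 == "=>" { print $3; exit }'
}

# Assumption: openssl.cafile (ini_cafile) wins when set, otherwise OpenSSL's
# default_cert_file is used; capath and SSL_CERT_FILE are ignored here.
effective_cafile() {
    locations=$(cat)
    ini=$(printf '%s\n' "$locations" | cert_location ini_cafile)
    if [ -n "$ini" ]; then
        printf '%s\n' "$ini"
    else
        printf '%s\n' "$locations" | cert_location default_cert_file
    fi
}

# 0 = usable, 1 = missing or unreadable, 2 = no PEM certificate inside.
check_bundle() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 2
}

# Resolve the bundle from print_r text on stdin and report its state.
report() {
    path=$(effective_cafile)
    rc=0
    check_bundle "$path" || rc=$?
    case $rc in
        0) echo "OK: $path, certificate count: $(grep -c -e '-----BEGIN CERTIFICATE-----' "$path")" ;;
        1) echo "FAIL: CA bundle '$path' is missing or unreadable" ;;
        2) echo "FAIL: '$path' holds no PEM certificates" ;;
    esac
    return "$rc"
}

# Constructed sample using the two paths quoted in the thread.
sample_locations() {
    printf '    [default_cert_file] => /usr/ssl/cert.pem\n'
    printf '    [ini_cafile] => /etc/ssl/certs/cert.pem\n'
}

# Check the live PHP configuration, or the sample when php is not installed.
{ php -r 'print_r(openssl_get_cert_locations());' 2>/dev/null || sample_locations; } | report || true
```

A `FAIL` line for the resolved path means PHP has no usable trust anchors at that location, which is the condition behind the "certificate verify failed" error in post #1.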

  6. #6
    Join Date
    Nov 2005
    Location
    USA
    Posts
    225
    Thank you for sharing this information.
