SSL certificate verification on PHP 5.6

DA-Rff

Verified User
Joined
Dec 4, 2006
Messages
116
After upgrade to php 5.6 on freebsd 9.3 I ran into SSL certificate verification trouble.

I got this error message(s):
- fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
- fsockopen(): Failed to enable crypto
- fsockopen(): unable to connect to ssl://xx.xx.xx:443 (Unknown error)

I followed these steps to get things sorted out, posting here to help others who run into same trouble.

Logged in via ssh
- # locate cert.pem
- on my server it was found in /usr/local/etc/ssl/cert.pem
- added following to php.ini: openssl.cafile=/usr/local/etc/ssl/cert.pem
- restart httpd service

Problem solved, good luck!
 

Petertjuh360

Verified User
Joined
Nov 7, 2010
Messages
350
Thank you for sharing this information. Maybe this should be used in the knowledgebase and changed in the custom build script.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,889
Location
GMT +7.00
Hello,

Faced the same issue on CentOS 7 with PHP 5.6 and OpenSSL 1.0.2
If you miss a cert then you can download a cUrl cert bundle.

CentOS (FreeBSD might have another default location for default cert file):

Code:
wget http://curl.haxx.se/ca/cacert.pem -O /usr/ssl/cert.pem
You can find where the cert should be placed by default with this command:

PHP 5.6:

Code:
php -r 'print_r(openssl_get_cert_locations());' | grep '\[default_cert_file\]' | awk '{print $3}'
 

mmx

Verified User
Joined
May 8, 2005
Messages
112
Location
Montreal, QC, Canada
Hello,

Faced the same issue on CentOS 7 with PHP 5.6 and OpenSSL 1.0.2
If you miss a cert then you can download a cUrl cert bundle.

CentOS (FreeBSD might have another default location for default cert file):

Code:
wget http://curl.haxx.se/ca/cacert.pem -O /usr/ssl/cert.pem
You can find where the cert should be placed by default with this command:

PHP 5.6:

Code:
php -r 'print_r(openssl_get_cert_locations());' | grep '\[default_cert_file\]' | awk '{print $3}'
Better way is to install security/ca_root_nss and let it handle the root certs for you. :)

Code:
pkg install security/ca_root_nss
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,923
Just a followup while fixing this issue on a fastcgi box.
I believe the correct variable for the cacert is not the "default_cert_file", but instead the "ini_cafile" value, eg:
Code:
php -r 'print_r(openssl_get_cert_locations());' | grep '\[ini_cafile\]' | awk '{print $3}'
/etc/ssl/certs/cert.pem
or "openssl.cafile" in the phpinfo() output.
And for this case, the solution was to add the cacert of the remote server to the local certs/cert.pem file. It just happened to have a local copy too because it was a wildcard, so I simply ran:
Code:
cat /etc/httpd/conf/ssl.crt/server.ca >> /etc/ssl/certs/cert.pem
The local server.ca matched the remote server.ca, hence this worked for me. If your remote server's ca bundle only exists remotely, then just grab it, and dump it to the end of the /etc/ssl/certs/cert.pem file, so the local box recognizes the remote cert when it's connected to.

Hope this helps someone else!

I had to edit the httpsocket.php class and remove the @ charcter in front of the @fsockopen call in order to see the above errors, which directed me here.
More googling mentioned copying the remote ca to the local certs.

John
 
Top