Https and Ssl3_Get_Server_Certificate:Certificate Verify Failed, Ca Is Ok

  • Home
  • Languages
  • PHP
  • Https and Ssl3_Get_Server_Certificate:Certificate Verify Failed, Ca Is Ok

HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK

curl used to include a list of accepted certificate authorities (CAs) but no longer bundles ANY CA certs since 7.18.1 and onwards. So by default it'll reject all TLS/SSL certificates as unverifiable.

You'll have to get your CA's root certificate and point curl at it. More details at curl's details on TLS/SSL certificates verification.

SSL error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The file that you downloaded (http://curl.haxx.se/ca/cacert.pem) is a bundle of the root certificates from the major trusted certificate authorities. You said that the remote host has a self-signed SSL certificate, so it didn't use a trusted certificate. The openssl.cafile setting needs to point to the CA certificate that was used to sign the SSL certificate on the remote host. PHP 5.6 has been improved over previous versions of PHP to now verify peer certificates and host names by default (http://php.net/manual/en/migration56.openssl.php)

You'll need to locate the CA certificate that was generated on the server that signed the SSL certificate and copy it to this server. If you're using self-signed certificates, you'll need to add the CA cert that was used to sign the remote host's SSL certificate to the trusted store on the server you're connecting from OR use stream contexts to use that certificate for each individual request. Adding it to the trusted certificates is the simplest solution. Just add the contents of the remote host's CA cert to the end of the cacert.pem file you downloaded.

Previous:

fsockopen doesn't support stream contexts, so use stream_socket_client instead. It returns a resource that can be used with all the commands that fsockopen resources can.

This should be a drop in replacement for the snippet you have in your question:

<?php

$contextOptions = array(
    'ssl' => array(
        'verify_peer' => true, // You could skip all of the trouble by changing this to false, but it's WAY uncool for security reasons.
        'cafile' => '/etc/ssl/certs/cacert.pem',
        'CN_match' => 'example.com', // Change this to your certificates Common Name (or just comment this line out if not needed)
        'ciphers' => 'HIGH:!SSLv2:!SSLv3',
        'disable_compression' => true,
    )
);

$context = stream_context_create($contextOptions);

$fp = stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr, 20, STREAM_CLIENT_CONNECT, $context);

if (!$fp) {

    echo "$errstr ({$errno})<br />\n";

}else{
    
    $this->request = 'POST '.substr($this->url, strlen($this->host)).' HTTP/1.1'.$crlf
        .'Host: '.$this->host.$crlf
        .'Content-Length: '.$content_length.$crlf
        .'Connection: Close'.$crlf.$crlf
        .$body;

    fwrite($fp, $this->request);

    while (!feof($fp)) {
        $this->response .= fgets($fp);
    }

    fclose($fp);

}

PHPMailer - SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

PHP 5.6 introduces SSL certificate verification, so if your config is broken, it will fail with this error. You should fix your SSL, but you can revert to the old behaviour by setting the SMTPOptions property to not verify certificates:

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);

Editing the library defeats the entire point of libraries - and if you do as Kaf's answer suggests, your code will break when you upgrade. Really, don't do that.

Editor's note: disabling SSL verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues before using this as a solution.

Cloudify with Openstack:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Using Openstack services with insecure SSL certificates is not possible in Cloudify 3.1. However, in Cloudify 3.2 it's possible to pass the --insecure (or ca_cert) flags directly to be used by the Openstack clients.

You can read the documentation for this feature here:
http://getcloudify.org/guide/3.2/plugin-openstack.html#openstack-configuration

So, for example, to use Nova service with insecure certificate, your Openstack configuration could look something like this:

openstack_config:
  ...
  custom_configuration:
    nova_client:
      insecure: true

Hope this helps.


Related Topics

Reading Json Post Using PHP

How to Read a Large File Line by Line

Apache Is Downloading PHP Files Instead of Displaying Them

Best Xml Parser For PHP

How to Extract Img Src, Title and Alt from HTML Using PHP

File_Get_Contents(): Ssl Operation Failed With Code 1, Failed to Enable Crypto

How to Get Parameters from a Url String

PHP Syntax For Dereferencing Function Result

How to Access This Object Property With an Illegal Name

PHP Function to Generate V4 Uuid

How to Use PHP Serialize() and Unserialize()

A Simple Program to Crud Node and Node Values of Xml File

MySQL Query to Get Column Names

MySQL VS MySQLi When Using PHP

Filter/Remove Rows Where Column Value Is Found More Than Once in a Multidimensional Array

Create Subdomains on the Fly With .Htaccess (PHP)

How to Use Multiple Databases in Laravel

How to Repair a Serialized String Which Has Been Corrupted by an Incorrect Byte Count Length


Leave a reply



Submit