PHPmailer - Ssl3_Get_Server_Certificate:Certificate Verify Failed

PHPMailer - SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

PHP 5.6 introduces SSL certificate verification, so if your config is broken, it will fail with this error. You should fix your SSL, but you can revert to the old behaviour by setting the SMTPOptions property to not verify certificates:

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);

Editing the library defeats the entire point of libraries - and if you do as Kaf's answer suggests, your code will break when you upgrade. Really, don't do that.

Editor's note: disabling SSL verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues before using this as a solution.

Cannot connect to GMail SMTP (PHPMailer) - Certificate Verify Failed

FIXED ISSUE FOR ME
I fixed this issue in my windows php environment by downloading an updated root certificates file and pointing my php.ini file to it.
It seems the problem was not with gmail's cert but rather with an outdated root certificate file due to windows server 2012 no longer updating this file automatically. Download cacert.pem from here: https://curl.haxx.se/docs/caextract.html. Then in php.ini use following line to point to it (assuming you have openssl.dll installed).

openssl.cafile={Path to the file on your server}\cacert.pem.

That fixed it and I no longer needed to bypass SSL/TLS verification like suggested. Ultimately I need to get windows to update root certs automatically using GPO or WSUS. see https://serverfault.com/questions/541922/where-to-get-root-ca-certificates-for-windows-server-now-that-microsoft-no-longe

SSL3_GET_SERVER_CERTIFICATE certificate verify failed on Windows 10 Pro with IIS

To paraphrase the guide, download the CA bundle from curl and store it somewhere on your file system. Take the path you saved it to and add a line to your php.ini file saying:

openssl.cafile = $path

Where $path is where you saved the CA certs to. Then restart your web server to pick up the ini change.

If that worked, you should see that setting in the output from phpinfo(), and it should also give PHP what it needs to validate the certificate when PHPMailer uses it. Be aware that if the server is presenting a truly invalid or expired certificate, this won’t help, but given that this a well-known problem and solution, I expect it to work.

PHPMailer 5.2 OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

PHPMailer's github page mentions this type of error:

This is covered in the troubleshooting docs. PHP 5.6 verifies SSL certificates by default, and if your cert doesn't match, it will fail with this error. The correct solution is to fix your SSL config - it's not PHP's fault!

I see that you've gone through the trouble of making the PHPMailer settings insecure as is not recommended in the troubleshooting docs. Did you notice that requires PHPMailer 5.2.10?

The correct fix for this is to replace the invalid, misconfigured or self-signed certificate with a good one. Failing that, you can allow insecure connections via the SMTPOptions property introduced in PHPMailer 5.2.10 (it's possible to do this by subclassing the SMTP class in earlier versions), though this is not recommended

There's also suggestions for enabling debug output:

$mail->SMTPDebug = 4;

If you look at the debug output, you may glean more helpful info.

EDIT: this also is not about your website's cert, it's about the cert (if any) being hosted by your SMTP mail server endpoint.

Domain Verification in PHP 5.6 issue with PHPMailer for sending mails via TLS

Your server is not providing the letsencrypt X3 intermediate certificate in its response, only the leaf cert. This isn't enough because most CA stores don't contain the letsencrypt CA certs, only the root certs they are signed with, so you need the intermediate to bridge the two. Get the intermediate certificate from here and append it to your certificate file.

Here's how you can see it working from the client end:

$ wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
$ openssl s_client -CAfile lets-encrypt-x3-cross-signed.pem.txt -connect example.com:465
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
...
Verify return code: 0 (ok)

If you bundle that cert at the server end, it should work in all up to date clients without a local intermediate cert.

PHPMailer - OpenSSL Error

This is because you're running PHP 5.6 and it's verifying your certs, but your server is presenting invalid certs so it's failing. Both PHPMailer and PHP are correct in what they are doing - the code is not at fault. You can either fix your mail server, or do what it suggests in the troubleshooting guide, which is:

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);

And as the guide says, you should not do this unless you have to - it's compromising your security.

---

Related Topics