Ssl Error Ssl3_Get_Server_Certificate:Certificate Verify Failed

SSL error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The file that you downloaded (http://curl.haxx.se/ca/cacert.pem) is a bundle of the root certificates from the major trusted certificate authorities. You said that the remote host has a self-signed SSL certificate, so it didn't use a trusted certificate. The openssl.cafile setting needs to point to the CA certificate that was used to sign the SSL certificate on the remote host. PHP 5.6 has been improved over previous versions of PHP to now verify peer certificates and host names by default (http://php.net/manual/en/migration56.openssl.php).

You'll need to locate the CA certificate that was generated on the server that signed the SSL certificate and copy it to this server. If you're using self-signed certificates, you'll need to add the CA cert that was used to sign the remote host's SSL certificate to the trusted store on the server you're connecting from OR use stream contexts to use that certificate for each individual request. Adding it to the trusted certificates is the simplest solution. Just add the contents of the remote host's CA cert to the end of the cacert.pem file you downloaded.

Previous:

fsockopen doesn't support stream contexts, so use stream_socket_client instead. It returns a resource that can be used with all the commands that fsockopen resources can.

This should be a drop in replacement for the snippet you have in your question:

<?php

$contextOptions = array(
    'ssl' => array(
        'verify_peer' => true, // You could skip all of the trouble by changing this to false, but it's WAY uncool for security reasons.
        'cafile' => '/etc/ssl/certs/cacert.pem',
        // Change this to your certificate's Common Name (or just comment this line out if not needed).
        // CN_match is deprecated as of PHP 5.6 in favour of 'peer_name'.
        'CN_match' => 'example.com',
        'ciphers' => 'HIGH:!SSLv2:!SSLv3',
        'disable_compression' => true,
    )
);

$context = stream_context_create($contextOptions);

// Use the ssl:// transport (with $host as a bare host name) so the TLS handshake
// actually happens and the 'ssl' context options above are applied; with tcp://
// the connection is plain TCP and those options are ignored.
$fp = stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr, 20, STREAM_CLIENT_CONNECT, $context);

if (!$fp) {

    echo "$errstr ({$errno})<br />\n";

} else {

    // $crlf, $content_length and $body come from the surrounding code in the question.
    $this->request = 'POST '.substr($this->url, strlen($this->host)).' HTTP/1.1'.$crlf
        .'Host: '.$this->host.$crlf
        .'Content-Length: '.$content_length.$crlf
        .'Connection: Close'.$crlf.$crlf
        .$body;

    fwrite($fp, $this->request);

    while (!feof($fp)) {
        $this->response .= fgets($fp);
    }

    fclose($fp);

}
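
The trust-store fix described in the answer above, reproduced offline with the openssl CLI. This is an added example, not part of the original answer; the CA names, file names and the example.com / other.example host names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: all keys and certificates are generated in a temp dir;
# nothing here touches the network or the system trust store.

# new_root DIR NAME CN: create a self-signed root certificate DIR/NAME.pem.
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# new_server_cert DIR CA CN: issue DIR/server.pem for CN, signed by root CA.
new_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 30 -CAcreateserial \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -out "$1/server.pem" 2>/dev/null
}

# chain_ok BUNDLE CERT HOST: succeeds only if CERT chains to a root in BUNDLE
# and is valid for HOST (the two checks PHP 5.6+ performs by default).
chain_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

trust_demo() {
    local dir before=fail after=fail wrong_name=fail
    dir=$(mktemp -d) || return 1
    new_root "$dir" private-ca "Demo Private CA"   # the remote host's own CA
    new_root "$dir" cacert "Demo Public Root"      # stand-in for the curl bundle
    new_server_cert "$dir" private-ca example.com

    # 1. Bundle lacks the signing CA: the "certificate verify failed" case.
    chain_ok "$dir/cacert.pem" "$dir/server.pem" example.com && before=ok
    # 2. Append the CA certificate to the end of the bundle, as described above.
    cat "$dir/private-ca.pem" >> "$dir/cacert.pem"
    chain_ok "$dir/cacert.pem" "$dir/server.pem" example.com && after=ok
    # 3. Trusting the CA does not relax the host-name check.
    chain_ok "$dir/cacert.pem" "$dir/server.pem" other.example && wrong_name=ok

    rm -rf "$dir"
    echo "before=$before after=$after wrong_name=$wrong_name"
}

trust_demo
```

The bundle produced in step 2 is the kind of file that openssl.cafile or the 'cafile' context option would point at.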

SSL3_GET_SERVER_CERTIFICATE certificate verify failed on Python when requesting (only) *.google.com

I found a solution. There seems to be a major issue in the version of certifi that was running. I found this out from this (very long) GitHub issue: https://github.com/certifi/python-certifi/issues/26

TL;DR

pip uninstall -y certifi && pip install certifi==2015.04.28

OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Failed to enable crypto

Note: I am running OS X Yosemite. I believe this works with Mavericks too.

After looking at several answers and combining, mixing and matching them, here is a rough explanation of what I did.

  1. Open the command line and run:

locate cacert.pem

This will list all the locations where your certificates are.

My result:

/Applications/Adobe Dreamweaver CS6/Configuration/Certs/cacert.pem
/Applications/MAMP/Library/lib/python2.7/test/pycacert.pem
/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/pip/_vendor/requests/cacert.pem
/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/test/pycacert.pem
/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/test/test_asyncio/pycacert.pem
/Users/robert/.composer/cacert.pem
/opt/vagrant/embedded/cacert.pem
/usr/ssl/certs/cacert.pem

  2. I downloaded the most recent one from curl:

http://curl.haxx.se/docs/caextract.html

  3. I made a directory in /usr/ssl/certs/ and put the downloaded cert there: /usr/ssl/certs/cacert.pem

  4. I opened up my php.ini file and placed this line at the top of the file:
    openssl.cafile=/usr/ssl/certs/cacert.pem

  5. Restart Apache (stop Apache and start it again)

Everything worked out for me.

Now one thing that I do believe needs to be done is you need to tell the command line which PHP you are referring to. I am running PHP under XAMPP and not natively on my OS X. So the command line will think that you are referring to the native PHP on OS X and not the one running on XAMPP. This needs to be changed I believe for this to work. If not then it should be good.

As mentioned this solution worked for me.

SSL3_GET_SERVER_CERTIFICATE certificate verify failed on Windows 10 Pro with IIS

To paraphrase the guide, download the CA bundle from curl and store it somewhere on your file system. Take the path you saved it to and add a line to your php.ini file saying:

openssl.cafile = $path

Where $path is where you saved the CA certs to. Then restart your web server to pick up the ini change.

If that worked, you should see that setting in the output from phpinfo(), and it should also give PHP what it needs to validate the certificate when PHPMailer uses it. Be aware that if the server is presenting a truly invalid or expired certificate, this won’t help, but given that this is a well-known problem and solution, I expect it to work.

Error message: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Well, I found something: the option I added in my config.yml wasn't loaded at the initialisation of the swiftmailer module. I added it directly in the swiftmailer code and that works. I will open an issue on swiftmailer. Thanks for the help.

Net::SSLeay gets :SSL3_GET_SERVER_CERTIFICATE:certificate verify failed failure when accessing pop.gmail.com, as seen by so many others

First, notice that the software you are using is in parts quite old. The versions of IO::Socket::SSL and Net::SSLeay are 7 years old and a lot of improvements were made in these years. Interestingly though, your version of OpenSSL seems to be much newer and you are also running Windows 10, which suggests a strange mix of recent and terribly old software.

The version 1.84 of IO::Socket::SSL which you've used on one machine does not validate certificates by default, so it will work even if something is wrong with the certificates. The version 1.962 used on the other machine insists on validating the certificate by default instead. This means that both machines could actually have the same problem related to certificates but you'll notice it only on one machine.

Unfortunately Mail::POP3Client (which has been unsupported for 7 years) does not have any way to set which trust store gets used but relies on a properly set up trust store on the system. Only, such a setup is typically not the case with OpenSSL (used by Perl) on Windows. Newer versions of IO::Socket::SSL will automatically pick up the trust store Mozilla::CA if it is installed, but not the old versions you are using.

I suggest that you move away from this old software stack. Use newer versions of IO::Socket::SSL and Net::SSLeay and also install Mozilla::CA as trust store. I also recommend using Net::POP3 instead of Mail::POP3Client, since the latter is long out of support and the former also gives you more control over certificate validation. I'm not sure about the ActivePerl you are using, but the free Strawberry Perl usually comes with a fairly recent software stack.


