 

cURL SSL Certificate error "Bad Certificate"

I'm trying to send an SSL certificate with a SOAP message to a server and have only just managed to make cURL accept the certificate (.pem file spit out by putting a .pfx file through OpenSSL) and not return "unable to set private key file" (evidently the private key must keep its 'bag attributes'), however it's now returning exciting new errors:

SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I've tried setting the CA certificate with:

curl_setopt($soap_do, CURLOPT_CAINFO, $caFile);

But this yields no results with either the root or the intermediate CA files I have.

Disabling this check with:

curl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, 0);

brings me to the new problem:

error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

This has been a thorn in my side for weeks now and while new error messages mean changes I'm not sure it means progress. Any advice or suggestions as to what is missing/I am doing wrong would be greatly appreciated.

Gavin asked Jun 19 '13 13:06


People also ask

Does curl check SSL certificate?

curl performs peer SSL certificate validation by default. This is done using a certificate store that the SSL library can use to make sure the peer's server certificate is valid.

How do I fix curl error 60 SSL certificate problem certificate has expired?

The only solution to this problem is to get your host to update the root certificate on your server. So, you need to contact your server host and ask them to insert a new cacert.pem file into their servers, and configure it within their php.ini file.


1 Answer

Most likely the CA bundle is wrong. Verify the path and access permissions; maybe try setting an absolute path. If this does not help, get a CA bundle and set it like this:

curl_setopt($soap_do, CURLOPT_CAINFO, 'cacert.pem');

Martin Zeitler answered Sep 19 '22 21:09
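The path and permission checks suggested in the answer, written out as an added example (not code from the question or the answer) that keeps peer and host verification enabled. The function names `checkPemFile` and `buildSoapHandle`, the file names and the endpoint URL are hypothetical placeholders, and the client PEM is assumed to hold certificate and key together as described in the question.

```php
<?php
// Added example: preflight checks on the CA bundle and client PEM before cURL uses them.
// checkPemFile/buildSoapHandle, the paths and the URL are hypothetical placeholders.

function checkPemFile(string $path, string $marker): array
{
    $real = realpath($path);              // absolute path, or false if it cannot be resolved
    if ($real === false) {
        return [null, ["$path: not found (relative paths resolve against " . getcwd() . ")"]];
    }
    if (!is_readable($real)) {
        return [$real, ["$real: not readable by the user PHP runs as"]];
    }
    if (strpos(file_get_contents($real), "-----BEGIN $marker") === false) {
        return [$real, ["$real: no '$marker' PEM block found"]];
    }
    return [$real, []];
}

function buildSoapHandle(string $url, string $caFile, string $clientPem): array
{
    [$ca, $caProblems]     = checkPemFile($caFile, 'CERTIFICATE');
    [$cert, $certProblems] = checkPemFile($clientPem, 'CERTIFICATE');
    $problems = array_merge($caProblems, $certProblems);
    if ($problems) {
        return [null, $problems];         // do not fall back to disabling verification
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // verify the server certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,      // verify the certificate matches the host name
        CURLOPT_CAINFO         => $ca,    // absolute path to the CA bundle
        CURLOPT_SSLCERT        => $cert,  // client certificate PEM
    ]);
    return [$ch, []];
}

// Constructed demo: missing files are reported by name instead of as a generic verify failure.
[$ch, $problems] = buildSoapHandle('https://soap.example.invalid/service', 'cacert.pem', 'client.pem');
foreach ($problems as $problem) {
    echo "preflight: $problem\n";
}
if ($ch !== null) {
    $body = curl_exec($ch);
    if ($body === false) {
        echo curl_errno($ch), ': ', curl_error($ch), "\n";
    }
}
```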