Error using PHP cURL with SSL certificates

I'm trying to write a PHP script using cURL that can authorize a user through a page that uses an SSL certificate, in addition to username and password, and I can't seem to get past the SSL cert stage.

In this case, curl_setopt($handle, CURLOPT_VERIFYPEER, 0) unfortunately isn't an option. The certificate is a required part of authentication, otherwise I get the error mentioned in this other similar SO post.

I've tried a few command-line runs with cURL:

> curl --url https://website

This returns the (60) SSL certificate problem error. If I adjust the command to include the --cacert option:

> curl --url https://website --cacert /path/to/servercert.cer

It works just fine; the auth website is returned.

However, I've tried the following PHP code:

    $handle = curl_init();
    $options = array(
        CURLOPT_RETURNTRANSFER => false,
        CURLOPT_HEADER         => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_SSL_VERIFYHOST => '0',
        CURLOPT_SSL_VERIFYPEER => '1',
        CURLOPT_CAINFO         => '/path/to/servercert.cer',
        CURLOPT_USERAGENT      => 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
        CURLOPT_VERBOSE        => true,
        CURLOPT_URL            => 'https://website'
    );

    curl_setopt_array($handle, $options);
    curl_exec($handle);
    if (curl_errno($handle)) {
        echo 'Error: ' . curl_error($handle);
    }
    curl_close($handle);

I would have thought the code was essentially analogous to the shell commands, but instead I'm greeted with the following error message:

Error: error setting certificate verify locations: CAfile: /path/to/servercert.cer CApath: none

I've read all the literature I can find (particularly on php.net and curl.haxx) and can't seem to find anything that fixes this problem. Any suggestions?

I have tried chmod 777 servercert.cer with no success. However, in executing the PHP script with the above code from the command line instead of the browser via php test.php, it works perfectly. Any explanation for why it doesn't work in the browser?

Magsol, asked Apr 08 '09 18:04


1 Answer

Because things work via the command line but not via PHP using curl, I would pursue curl being the problem.

According to this URL, http://curl.haxx.se/docs/sslcerts.html, which was referenced in an SO post you cited above (reading SSL page with CURL (php))...

"Until 7.18.0, curl bundled a severely outdated ca bundle file that was installed by default. These days, the curl archives include no ca certs at all. You need to get them elsewhere. See below for example.

If the remote server uses a self-signed certificate, if you don't install a CA cert bundle, if the server uses a certificate signed by a CA that isn't included in the bundle you use or if the remote host is an impostor impersonating your favorite site, and you want to transfer files from this server, do one of the following:"

It then goes on to list a number of steps that you can try.

Since your 7.16.3 version of curl is prior to 7.18.0, if you haven't already, I would recommend updating your curl and openssl components and then working through the list referenced above.

Night Owl, answered Oct 04 '22 13:10
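An added example, not code from the question or the answer: a preflight check for the file given to CURLOPT_CAINFO, meant to be requested through the web server so it runs with that process's file access, followed by a request that keeps both peer and host verification on. The helper names are hypothetical; the path and URL are the placeholders from the question.

```php
<?php
// Added example. caFileProblems() and fetchWithCa() are hypothetical helpers.

/** Reasons the TLS library may fail to load $caFile (empty array = none found). */
function caFileProblems(string $caFile): array
{
    if (!file_exists($caFile)) {
        // Also the result when a parent directory cannot be traversed by this
        // process or open_basedir excludes the path.
        return ["not visible to this process: $caFile"];
    }
    if (!is_readable($caFile)) {
        return ["exists but is not readable by this process: $caFile"];
    }
    $data = file_get_contents($caFile);
    if ($data === false || strpos($data, '-----BEGIN CERTIFICATE-----') === false) {
        // curl documents PEM as the format for the CA file; a .cer may be DER.
        return ["no PEM certificate block found in $caFile"];
    }
    return [];
}

/** Fetch $url, trusting only the certificates in $caFile. */
function fetchWithCa(string $url, string $caFile): string
{
    $problems = caFileProblems($caFile);
    if ($problems) {
        throw new RuntimeException(implode('; ', $problems));
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // verify the chain against $caFile
        CURLOPT_SSL_VERIFYHOST => 2,     // and that the certificate names the host
        CURLOPT_CAINFO         => $caFile,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('cURL error: ' . curl_error($ch));
    }
    return $body;
}

// The CLI and the web server may run PHP as different users.
$uid = function_exists('posix_geteuid') ? posix_geteuid() : 'unknown';
try {
    echo strlen(fetchWithCa('https://website', '/path/to/servercert.cer')), " bytes received\n";
} catch (RuntimeException $e) {
    echo "Failed as uid $uid: ", $e->getMessage(), "\n";
}
```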