
How to solve the error "could not load PEM client certificate, OpenSSL error:02001003:system library:fopen:No such process"?

Excuse me if the question is silly, but I'm a novice in this area. I need to connect to a service via SSL from a Drupal 7 site. I have a file with a ".p12" extension and a password for it. Also, I use PHP 7.1 1 and Windows 7 64x. I converted the .p12 file into a .pem file using the following command:

openssl pkcs12 -in myfile.p12 -out myfile.pem 

Before that, I installed OpenSSL on my computer and added its paths in Windows. After that, I tried to use the following code to connect to the server using cURL functions.

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, 'my_addr');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSLCERT, 'myfile.pem');
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, 'mypsw');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$result = curl_exec($ch);

if ($result === FALSE){
  $curl_error = curl_error($ch);
}
curl_close($ch);

Unfortunately, curl_exec returns FALSE and curl_error returns the following:

could not load PEM client certificate, OpenSSL error error:02001003:system library:fopen:No such process, (no key found, wrong pass phrase, or wrong file format?)

I decided to execute this code on the client's site, which is on Linux shared hosting, whereas my localhost runs on Windows 7 64x. The code is executed without any errors, but curl_exec returns an empty string.

I want to clarify: what am I doing wrong, and why doesn't the PEM client certificate load? What should I do on my localhost to solve this problem? I can't give up using Windows 7 and start using Linux instead of it.

Yakimkin Roman asked Oct 13 '18 16:10


2 Answers

I bet the error will be easier to understand if you change it to

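$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'my_addr');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
// Resolve to an absolute path so a later chdir() cannot invalidate it.
$pem = realpath("myfile.pem");
if (!$pem || !is_readable($pem)) {
    // The posix extension does not exist on Windows; fall back to get_current_user() there.
    $user = function_exists('posix_geteuid') ? print_r(posix_getpwuid(posix_geteuid()), true) : get_current_user();
    die("error: myfile.pem is not readable! realpath: \"{$pem}\" - working dir: \"" . getcwd() . "\" effective user: " . $user);
}
curl_setopt($ch, CURLOPT_SSLCERT, $pem);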

.. most likely the pem file is not readable by the account that PHP is running under (e.g. if you created the file as root, the owner is root:root, the permissions are a-r, and PHP is running under the account www-data). Another explanation is that the file just plain doesn't exist. Yet another explanation is that you run chdir() prior to running curl_exec(), and since you're using a relative file path, the relative path is no longer valid when running curl_exec() (but using realpath(), as I did above, solves this last issue).

hanshenrik answered Oct 04 '22 06:10


For an SSL verification you need a cert in PEM format, its associated private key (in OpenSSL format) and the root certificate of the certification authority that signed your certificate, in PEM format.

Check this full sample:

PHP:path of CURLOPT_SSLCERT

The error message is not really clear if you are not informed, but it says it:

could not load PEM client certificate, OpenSSL error error:02001003:system library:fopen:No such process, (no key found, wrong pass phrase, or wrong file format?)

Regards,

Stéphane Aulery answered Oct 04 '22 05:10
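
A pre-flight check for the three causes named in the error message (no key found, wrong pass phrase, wrong file format) plus the readability check from the first answer, as an added example that is not part of either answer. `diagnose_client_pem()` is a hypothetical helper name, and the code assumes PHP's openssl extension is loaded.

```php
<?php
// Added example: diagnose_client_pem() is a hypothetical helper, not part of PHP or cURL.
// It inspects the file that would be passed to CURLOPT_SSLCERT and returns a list of problems.
function diagnose_client_pem(string $path, string $passphrase): array
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        return ["not readable: '{$path}' (working dir: " . getcwd() . ")"];
    }
    $pem = file_get_contents($real);
    $problems = [];

    // "wrong file format?": a PEM bundle contains at least one CERTIFICATE block.
    if (!preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $certs)) {
        $problems[] = 'no CERTIFICATE block (file may still be binary PKCS#12)';
    }
    // "no key found": the key must be in the same file unless CURLOPT_SSLKEY points elsewhere.
    if (!preg_match('/-----BEGIN ([A-Z ]*)PRIVATE KEY-----.+?-----END \1PRIVATE KEY-----/s', $pem, $k)) {
        $problems[] = 'no PRIVATE KEY block';
    }
    if ($problems) {
        return $problems;
    }

    // "wrong pass phrase": the key must decrypt with the value given to CURLOPT_SSLCERTPASSWD.
    $key = openssl_pkey_get_private($k[0], $passphrase);
    if ($key === false) {
        return ['private key does not decrypt with this pass phrase'];
    }

    // A PKCS#12 export can carry CA certificates too, so accept any block that matches the key.
    foreach ($certs[0] as $certPem) {
        $cert = openssl_x509_read($certPem);
        if ($cert !== false && openssl_x509_check_private_key($cert, $key)) {
            return [];
        }
    }
    return ['no certificate in the file matches the private key'];
}

// File name and pass phrase are the placeholders used in the question.
$problems = diagnose_client_pem('myfile.pem', 'mypsw');
echo ($problems ? implode(PHP_EOL, $problems) : 'client PEM looks loadable') . PHP_EOL;
```

The .pem written by `openssl pkcs12` contains the private key, so keep it outside the web root and readable only by the account PHP runs under.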