
SSL peer certificate or SSH remote key was not OK

Tags: php, curl, ssl, apache

I'm testing an API that uses the curl_exec PHP function and a CA certificate, but something is going wrong and I'm a little lost.

I have configured SSL on my Apache VirtualHost and it looks OK (opening https://[myVHost]... works).

However, the API curl call gives me back this message:

  • SSL peer certificate or SSH remote key was not OK

I'm not very experienced with SSL so I have few ideas about the cause of that.

UPDATE:

This is the code I'm using in my cURL request. I have commented out 2 lines and changed their values (look at the 'TODO' line), and this way it is working; however, this is just a workaround ...

    $opts[CURLOPT_URL] = $url;
    $opts[CURLOPT_RETURNTRANSFER] = true;
    $opts[CURLOPT_CONNECTTIMEOUT] = 50;
    $opts[CURLOPT_TIMEOUT] = 100;
    $headers = array(
        'Accept: application/json',
        "User-Agent: APIXXX-PHP-Client");
    $opts[CURLOPT_HTTPHEADER] = $headers;
    $opts[CURLOPT_USERPWD] = $env->getApiKey() . ':';
    if (certificatePresent()) {

        //  $opts[CURLOPT_SSL_VERIFYPEER] = true;
        //  $opts[CURLOPT_SSL_VERIFYHOST] = 2;

        // TODO: SET IT BACK
        $opts[CURLOPT_SSL_VERIFYPEER] = 0;
        $opts[CURLOPT_SSL_VERIFYHOST] = 0;

        $opts[CURLOPT_CAINFO] = $path;
    }

    curl_setopt_array($curl, $opts);

    $response = curl_exec($curl);

asked Jan 07 '13 09:01

WonderLand



2 Answers

You are probably using a self-signed SSL certificate, which will not pass when the CURLOPT_SSL_VERIFYPEER option is set.

There are two solutions:

  1. Buy a valid SSL certificate.
  2. Disable SSL verification in Curl. (add the --insecure option)

If you disable verification, you can't be sure if you are really communicating with your host. So it depends on the level of security you need.

answered Sep 17 '22 12:09

Daniel Milde


Besides CURLOPT_SSL_VERIFYPEER there are two other settings which might be changed to false/0:

    CURLOPT_SSL_VERIFYHOST
    CURLOPT_SSL_VERIFYSTATUS

Beware that you should fix your SSL certificates & settings instead of disabling security!

answered Sep 20 '22 12:09

waibelp
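
Added example, not part of the original thread or any poster's code: the same request with verification left on, trusting the server's self-signed certificate (or the private CA that issued it) through CURLOPT_CAINFO, and reporting the cURL error instead of disabling checks. The function name `verifiedRequest`, the URL, the API key and the `my-ca.pem` path are hypothetical placeholders.

```php
<?php
// Added example. Assumed/hypothetical names: verifiedRequest(), $caFile, sample URL and key.
function verifiedRequest(string $url, string $apiKey, string $caFile): string
{
    // Fail early: an unreadable or non-PEM file is a common reason
    // CURLOPT_CAINFO seems to have no effect.
    $pem  = @file_get_contents($caFile);
    $cert = ($pem === false) ? false : @openssl_x509_read($pem);
    if ($cert === false) {
        throw new RuntimeException("CA file missing or not a PEM certificate: $caFile");
    }
    // Only the first certificate in the file is inspected here.
    $info = openssl_x509_parse($cert);
    if ($info === false || $info['validTo_time_t'] < time()) {
        throw new RuntimeException("CA certificate unreadable or expired: $caFile");
    }

    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 50,
        CURLOPT_TIMEOUT        => 100,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        CURLOPT_USERPWD        => $apiKey . ':',
        CURLOPT_SSL_VERIFYPEER => true,    // chain must end at a cert in $caFile
        CURLOPT_SSL_VERIFYHOST => 2,       // cert name must match the host in $url
        CURLOPT_CAINFO         => $caFile, // trust anchor for this request only
    ]);

    $response = curl_exec($curl);
    if ($response === false) {
        // Surface the exact reason (untrusted issuer, name mismatch, expiry)
        // rather than switching verification off.
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($curl), curl_error($curl))
        );
    }
    return $response;
}

// Constructed sample values; replace with your own endpoint, key and CA file.
try {
    echo verifiedRequest('https://api.example.test/v1/ping', 'sample-key', __DIR__ . '/my-ca.pem');
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```

If the request still fails with verification on, the host name in the URL must also appear in the certificate's subject or subjectAltName, because CURLOPT_SSL_VERIFYHOST = 2 checks that separately from the chain.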