I've searched for issues with this error but I'm baffled on what may have happened between a number of my own servers that have started to display this error:
Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /var/www/html/file_get.php on line 7
Line 7 is the file_get_contents command.
These are (Debian) servers under my control so I know nothing has (to my knowledge) happened/changed or updated/upgraded.
I know I can use the solution of including the below, but I'm keen to understand what has happened first (plus I have many, many files I'd need to update). I also really need to understand which server is the one that has the potential issue.
I have 3 servers, all of which access another 4th server with file_get_contents requests. 2 of the servers have suddenly (today a few hours ago) started to fail with the above error, the third one seems to still work fine.
I suspect the issue is with the two servers that display the issue rather than the 4th one they are all trying to access.
If I implement this code, it works, but I'd rather find the root cause:
// Workaround only: turns off certificate and hostname verification
$arrContextOptions = array(
    "ssl" => array(
        "verify_peer" => false,
        "verify_peer_name" => false,
    ),
);
and modify the file_get_contents to the following:
file_get_contents($input, false, stream_context_create($arrContextOptions));
But as mentioned, I have hundreds of files that would need changing.
All servers are Debian and use Let's Encrypt certs (which are valid).
I have tried adding the following to the php.ini:
openssl.cafile=/etc/letsencrypt/live/myserver.com/cert.pem
But this has not worked (the same error remains).
The openssl version of the server that still works is OpenSSL 1.1.0f 25 May 2017 (Library: OpenSSL 1.1.0l 10 Sep 2019), the two that display the error are OpenSSL 1.1.0l 10 Sep 2019; not sure if this is relevant.
Any help would be appreciated.
UPDATE
So I have been able to resolve this so far. After a lot of test and trial I'm honestly not quite sure what resolved the problem for sure to get it working again, but I did all of the below:
apt upgrade
apt update
certbot-auto
certbot
(newer version)mozilla/DST_Root_CA_X3.crt
from /etc/ca-certificates.conf
update-ca-certificates
Again, not sure which of the above (or the combination of the above) resolved the problem, but it's working for me now.
I've got the same issue today: OK in the web browser, SSL error in Postman and some programming-language calls. My error was due to the expiration of the Let's Encrypt root certificate; see the announcement here.
Using ssllabs.com we found that there are two certification chains for my certificate: one going up to ISRG Root X1, which was OK, and another going up to the self-signed DST Root CA X3, the expired certificate (on Sept the 30th at 14:00 GMT).
To solve this issue, I updated certbot to the latest version (1.19) through snapd. The one in the package manager of my Ubuntu 20.04 was not the latest. (ref certbot doc)
Then I renewed the certificate using the option: --preferred-chain 'ISRG Root X1'
Note: looking at the OP's update, this is probably the default in the new release of certbot.
and restarted the service. Since then everything is OK.
To confirm this is your issue, the certification chain can be viewed through online tools like ssllabs.com
Example of a failing cert:
Certification Paths
Path #1: Trusted
1 Sent by server asp.xyz.com
Fingerprint SHA256: 30c7865bd2fb4541e819bcfba43456b9fee3310b3faa8be8c86bd26a5cd6b15f
Pin SHA256: Iw4x0j6IktVzCyk1DsHyV5h8BuqXIq98VOhwLR0UWww=
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server R3
Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store ISRG Root X1 Self-signed
Fingerprint SHA256: 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
RSA 4096 bits (e 65537) / SHA256withRSA
Path #2: Not trusted (invalid certificate [Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739])
1 Sent by server asp.xyz.com
Fingerprint SHA256: 30c7865bd2fb4541e819bcfba43456b9fee3310b3faa8be8c86bd26a5cd6b15f
Pin SHA256: Iw4x0j6IktVzCyk1DsHyV5h8BuqXIq98VOhwLR0UWww=
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server R3
Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
RSA 2048 bits (e 65537) / SHA256withRSA
3 Sent by server ISRG Root X1
Fingerprint SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
RSA 4096 bits (e 65537) / SHA256withRSA
4 In trust store DST Root CA X3 Self-signed
Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
RSA 2048 bits (e 65537) / SHA1withRSA
Valid until: Thu, 30 Sep 2021 14:01:15 UTC
EXPIRED
Weak or insecure signature, but no impact on root certificate
I faced the same issue with CentOS 7.
My solution is:
sudo yum update ca-certificates
grep DST_Root_CA_x3 /etc/ssl/certs/ca-bundle.crt
I faced a similar issue with Ubuntu 16.04.7. In my case I was getting an SSL Error: Certificate expired message while trying GET / POST using Postman.
Here is the solution:
/etc/ca-certificates.conf
find the mozilla/DST_Root_CA_x3.crt
! sign at the start of the line, i.e. !mozilla/DST_Root_CA_x3.crt
sudo update-ca-certificates
Before The Solution
After The Solution
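The deselection step described in the answer above, written as a repeatable shell function. This is an added example, not code from any of the posters. The names deselect_ca and demo_conf and the sample file are constructed for illustration, and the entry is matched case-insensitively because the page spells it both DST_Root_CA_X3.crt and DST_Root_CA_x3.crt.

```shell
#!/bin/sh
# Added example: deselect one CA in a ca-certificates.conf-style file by
# prefixing its line with "!", the marker update-ca-certificates reads as
# "do not install this certificate". Names and sample data are constructed.

# deselect_ca CONF ENTRY
#   returns 0 = line changed, 1 = already deselected, 2 = entry not listed
deselect_ca() {
    conf=$1
    entry=$2
    # Classify the entry first so the function is safe to run repeatedly.
    state=$(awk -v e="$entry" '
        BEGIN { e = tolower(e) }
        tolower($0) == e         { active = 1 }
        tolower($0) == ("!" e)   { off = 1 }
        END { print (active ? "active" : (off ? "deselected" : "missing")) }
    ' "$conf")
    case $state in
        deselected) return 1 ;;
        missing)    return 2 ;;
    esac
    cp -p "$conf" "$conf.bak"            # keep a copy for rollback
    tmp=$(mktemp)
    awk -v e="$entry" '
        tolower($0) == tolower(e) { print "!" $0; next }
        { print }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"                 # rewrite in place, keeps owner and mode
    rm -f "$tmp"
    return 0
}

# Builds a constructed sample file (not a real system file), prints its path.
demo_conf() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' \
        'mozilla/DST_Root_CA_X3.crt' \
        'mozilla/ISRG_Root_X1.crt' > "$f"
    printf '%s\n' "$f"
}

# Demo on the sample file; on a real host CONF is /etc/ca-certificates.conf
# and the change takes effect after running update-ca-certificates.
sample=$(demo_conf)
deselect_ca "$sample" 'mozilla/DST_Root_CA_x3.crt'
echo "status=$?"
cat "$sample"
rm -f "$sample" "$sample.bak"
```
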