Error in cURL request: SSL certificate problem: unable to get local issuer certificate error with Socket adapter and CURLOPT_SSL_VERIFYPEER = false #81
Description
This issue has been moved from the zendframework repository as part of the bug migration program as outlined here - http://framework.zend.com/blog/2016-04-11-issue-closures.html
Original Issue: https://api.github.com/repos/zendframework/zendframework/issues/7698
User: @lucian303
Created On: 2016-04-28T23:38:21Z
Updated At: 2016-06-28T12:48:26Z
Body
Error in cURL request: SSL certificate problem: unable to get local issuer certificate
I'm getting the above error:
- With the Socket adapter
- With the CURL adapter and CURLOPT_SSL_VERIFYPEER set to false
- With both adapters configured with a CA chain certificate file
SSL certificate verification only happens with some SSL hosts, not others, even though they all share the same wildcard SSL certificate (*.unifiedcompliance.com). I just fixed this for the Guzzle client, but there seems to be no way to configure the Zend Http Client correctly. It seems to ignore almost all options I provide it.
My code:
```php
use Zend\Http\Client;
use Zend\Http\Client\Adapter\Socket;
use Zend\Http\Request;
use Zend\Http\Response;
use Zend\Json\Json;

$host = 'https://apidev2.unifiedcompliance.com';
$options = [
    'adapter' => Socket::class,
];

// Build the client and a request against the same host
$client = new Client($host, $options);
$request = new Request();
$request->setUri($host);
$client->setMethod($request->getMethod());
$request->getHeaders()->addHeaderLine('Authorization', 'Bearer ACTUAL_TOKEN_HERE');
$request->getHeaders()->addHeaderLine('Accept', "application/vnd.ucf.v1+json");

/** @var Response $response */
$response = $client->dispatch($request);
$responseArray = Json::decode($response->getBody(), Json::TYPE_ARRAY);
```
This is what options should be and they should work, but ALL CURL options seem to be ignored by the Http Client:
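```php
use Zend\Http\Client\Adapter\Curl;

// cURL adapter with peer and host verification against a specific CA bundle
$options = [
    'adapter' => Curl::class,
    'curloptions' => [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO => '/etc/ssl/certs/gd_bundle-g2-g1.crt',
    ]
];
```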
I've also tried setting curl.cainfo, openssl.capath (or whatever the variables are in php.ini, I've tried setting them all and none have any effect on this). I'm running PHP 7.0.5-3+donate.sury.org~trusty+1 so maybe that has something to do with it because previous versions probably did not try to verify SSL certificates. The certificate is from GoDaddy unfortunately and I don't believe its chain/root CA are in the default Ubuntu 14.04 settings, but I could be wrong about that. CLI curl works with the file specified. Guzzle works through PHP. It's pretty much all working outside of Zend Http Client.
Comment
User: @lucian303
Created On: 2016-04-29T16:44:19Z
Updated At: 2016-04-29T16:50:24Z
Body
I managed to get the Socket adapter to actually work, but trying to specify SSL settings and set it up correctly doesn't work for that also. All options are ignored. I can successfully curl calls from that system using the certificate chain. I just can't get Zend Http Client to do anything w/ SSL.
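```php
use Zend\Http\Client;
use Zend\Http\Client\Adapter\Socket;

// Socket adapter with SSL settings passed as a nested 'ssl' array
$client = new Client(null, [
    'adapter' => Socket::class,
    'ssl' => [
        'verify_peer' => true,
        'allow_self_signed' => false,
        'cafile' => '/etc/ssl/certs/gd_bundle-g2-g1.crt',
    ]
]);
```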
leads to:
```
Unable to enable crypto on TCP connection authdev2.unifiedcompliance.com: make sure the "sslcafile" or "sslcapath" option are properly set for the environment.
```
Changing 'verify_peer' to false has no effect on this error. I really have no idea what to do at this point. Replacing the Zend Http Client with something else that supports SSL would be weeks of work.
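
For reference, an added example (not part of the original issue and not zend-http's own code): the same SSL settings expressed under the flat option names that the error message above refers to (`sslcafile`, `sslcapath`), with `sslverifypeer` and `sslallowselfsigned` alongside. The helper `toSocketAdapterOptions()` and the temporary stand-in CA file are hypothetical, and that the installed Socket adapter reads exactly these keys is an assumption to check against its source.

```php
<?php
// Added example. Assumption: the Socket adapter reads flat option names
// (sslcafile, sslcapath, sslverifypeer, sslallowselfsigned), not a nested 'ssl' array.

/**
 * Hypothetical helper: translate a stream-context style "ssl" array into the
 * flat option names, rejecting keys it cannot map so nothing is silently dropped.
 */
function toSocketAdapterOptions(array $ssl): array
{
    $map = [
        'verify_peer'       => 'sslverifypeer',
        'allow_self_signed' => 'sslallowselfsigned',
        'cafile'            => 'sslcafile',
        'capath'            => 'sslcapath',
    ];
    $options = ['adapter' => 'Zend\Http\Client\Adapter\Socket'];
    foreach ($ssl as $key => $value) {
        if (!isset($map[$key])) {
            throw new InvalidArgumentException("No flat equivalent known for ssl option '$key'");
        }
        $options[$map[$key]] = $value;
    }
    // Fail before the TLS handshake if the CA bundle cannot be read by this process
    if (isset($options['sslcafile']) && !is_readable($options['sslcafile'])) {
        throw new RuntimeException("CA bundle not readable: {$options['sslcafile']}");
    }
    return $options;
}

// Constructed stand-in for the CA bundle so the example runs anywhere;
// in the issue the path is /etc/ssl/certs/gd_bundle-g2-g1.crt.
$bundle = tempnam(sys_get_temp_dir(), 'ca');

$options = toSocketAdapterOptions([
    'verify_peer'       => true,   // verification stays on
    'allow_self_signed' => false,
    'cafile'            => $bundle,
]);
print_r($options);

// Only build a client when zend-http is actually installed and autoloaded
if (class_exists('Zend\Http\Client')) {
    $client = new \Zend\Http\Client(null, $options);
}
unlink($bundle);
```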