cURL error 60: SSL certificate problem #8

Open
thibodelanghe opened this issue Mar 30, 2023 · 2 comments

thibodelanghe commented Mar 30, 2023

Hey! I've made an executable that does some API calls. When an endpoint is called, an error is thrown.

cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for .......

I suppose it has something to do with there being no ca-cert in the package. When fetching the ssl cert location for php with openssl_get_cert_locations() it states that the ssl dir is /ssl/certs but that does not exist.

[
  "default_cert_file" => "/ssl/cert.pem"
  "default_cert_file_env" => "SSL_CERT_FILE"
  "default_cert_dir" => "/ssl/certs"
  "default_cert_dir_env" => "SSL_CERT_DIR"
  "default_private_dir" => "/ssl/private"
  "default_default_cert_area" => "/ssl"
  "ini_cafile" => ""
  "ini_capath" => ""
]

Does anybody know how to add a ca cert so the bundle has it?


dixyes commented Mar 31, 2023

You may set the ini config openssl.capath to an existing CA path, see https://www.php.net/manual/en/openssl.configuration.php

or specify the CA cert to use: https://stackoverflow.com/a/15362509/17803469

I think making a bundled CA cert load from memory is safer and more convenient; I will try to implement this when I have time.


dixyes commented Jan 26, 2024

> You may set the ini config openssl.capath to an existing CA path, see https://www.php.net/manual/en/openssl.configuration.php
>
> or specify the CA cert to use: https://stackoverflow.com/a/15362509/17803469
>
> I think making a bundled CA cert load from memory is safer and more convenient; I will try to implement this when I have time.

I have not made this yet, but I found that PHP supports loading a cafile from a PHP stream for PHP streams (not for curl, but they can also do HTTPS requests); this will work for cli or micro:

Here's a demo:

<?php

// let's say you have a CA PEM bundle (whether it's self-signed or trusted) "cert.pem"; you may use /etc/ssl/cert.pem for a trusted one

// make a phar with the pem (run this with ini config "phar.readonly=0")

$phar = new Phar('test.phar', 0, 'test.phar');

$phar->startBuffering();
$phar->addFile("play.php");
$phar->addFile("cert.pem");
$phar->setStub($phar->createDefaultStub("play.php"));
$phar->stopBuffering();

What's in play.php:

<?php

// for php stream (like file_get_contents, fread things)
$ctx = stream_context_create(['ssl' => [
    // here we load the ca pem from the same dir, whether it's in phar or not
    'cafile' => __DIR__ . '/cert.pem'
]]);

file_get_contents("https://some.tls.site", context:$ctx);
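
The demo above covers PHP streams only. As an added example (not code from this thread or from the project), here is one way to make the curl extension trust the same bundled cert.pem, assuming it is packed beside the script as in the demo. `curl_with_bundled_ca` is a hypothetical helper name; it passes the bundle from memory via `CURLOPT_CAINFO_BLOB` where the build defines it, and otherwise copies it to a real file because libcurl cannot open phar:// paths.

```php
<?php

// Added example: verify TLS with curl against a CA bundle shipped with the app.
// Assumption: cert.pem sits next to this script (inside the phar or on disk).
function curl_with_bundled_ca(string $url, string $pemPath): string
{
    // PHP's own file functions can read phar:// paths; libcurl cannot.
    $pem = file_get_contents($pemPath);
    if ($pem === false || !str_contains($pem, '-----BEGIN CERTIFICATE-----')) {
        throw new RuntimeException("No PEM certificates found in $pemPath");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep chain verification on
        CURLOPT_SSL_VERIFYHOST => 2,    // keep hostname verification on
    ]);

    $tmp = null;
    if (defined('CURLOPT_CAINFO_BLOB')) {
        // Newer PHP/libcurl builds: hand the bundle to curl from memory.
        curl_setopt($ch, CURLOPT_CAINFO_BLOB, $pem);
    } else {
        // Fallback: write the bundle to a private temp file for CURLOPT_CAINFO.
        $tmp = tempnam(sys_get_temp_dir(), 'ca_');
        if ($tmp === false || file_put_contents($tmp, $pem) === false) {
            throw new RuntimeException('Could not write temporary CA bundle');
        }
        curl_setopt($ch, CURLOPT_CAINFO, $tmp);
    }

    try {
        $body = curl_exec($ch);
        if ($body === false) {
            // Error 60 here means the bundle does not contain the issuer chain.
            throw new RuntimeException(
                sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
            );
        }
        return $body;
    } finally {
        if ($tmp !== null) {
            @unlink($tmp); // remove the temporary copy of the bundle
        }
    }
}

// Same placeholder host as the demo above.
echo strlen(curl_with_bundled_ca('https://some.tls.site', __DIR__ . '/cert.pem')), " bytes\n";
```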
