SSL error SSL3 GET SERVER CERTIFICATE certificate verify failed

Question

After upgrading to PHP 5 6 I get an error when trying to connect to a server via fsockopen      The certificate on the server  host  is self-signed     PHP Warning   fsockopen    SSL operation failed with code 1  OpenSSL Error messages        error 14090086 SSL routines SSL3 GET SERVER CERTIFICATE certificate verify failed   code  if  fp   fsockopen  host   port   errno   errstr  20         this- gt request    POST   substr  this- gt url  strlen  this- gt host     HTTP 1 1   crlf           Host     this- gt host  crlf           Content-Length     content length  crlf           Connection  Close   crlf  crlf           body      fwrite  fp   this- gt request        while  line   fgets  fp            if  line     false                this- gt response     line                       fclose  fp       Have tried    cd  etc ssl certs    wget http   curl haxx se ca cacert pem   php ini  openssl cafile     etc ssl certs cacert pem    But the script still fails to work  update  This works  echo file get contents   etc ssl certs cacert pem      update 2   contextOptions   array       ssl    gt  array           verify peer    gt  true     You could skip all of the trouble by changing this to false  but it s WAY uncool for security reasons           cafile    gt    etc ssl certs cacert pem              CN match    gt   example com      Change this to your certificates Common Name  or just comment this line out if not needed           ciphers    gt   HIGH  SSLv2  SSLv3            disable compression    gt  true             context   stream context create  contextOptions     fp   stream socket client    host    port     errno   errstr  20  STREAM CLIENT CONNECT   context     error     PHP Warning   stream socket client    SSL operation failed with code 1  OpenSSL Error messages        error 14090086 SSL routines SSL3 GET SERVER CERTIFICATE certificate verify failed

User · Answer

Firstable  make sure that you Antivirus software doesn t block SSL2   Because I could not solve a problem for a long time and only disabling the antivirus helped me

User · Answer

The file that you downloaded  http   curl haxx se ca cacert pem  is a bundle of the root certificates from the major trusted certificate authorities  You said that the remote host has a self-signed SSL certificate  so it didn t use a trusted certificate  The openssl cafile setting needs to point to the CA certificate that was used to sign the SSL certificate on the remote host  PHP 5 6 has been improved over previous versions of PHP to now verify peer certificates and host names by default  http   php net manual en migration56 openssl php   You ll need to locate the CA certificate that was generated on the server that signed the SSL certificate and copy it to this server  The only other option is to disable verifying the peer  but that defeats the SSL security  If you DO want to try disabling verification  try this array with the code from my previous answer    contextOptions   array       ssl    gt  array           verify peer    gt  false           verify peer name    gt  false            Either way  if you re using self-signed certificates  you ll need to add the CA cert that was used to sign the remote host s SSL certificate to the trusted store on the server you re connecting from OR use stream contexts to use that certificate for each individual request  Adding it to the trusted certificates is the simplest solution  Just add the contents of the remote host s CA cert to the end of the cacert pem file you downloaded   Previous   fsockopen doesn t support stream contexts  so use stream socket client instead  It returns a resource that can be used with all the commands that fsockopen resources can    This should be a drop in replacement for the snippet you have in your question    lt  php   contextOptions   array       ssl    gt  array           verify peer    gt  true     You could skip all of the trouble by changing this to false  but it s WAY uncool for security reasons           cafile    gt    etc ssl certs cacert pem            CN match    gt   example com      Change this to your certificates Common Name  or just comment this line out if not needed           ciphers    gt   HIGH  SSLv2  SSLv3            disable compression    gt  true             context   stream context create  contextOptions     fp   stream socket client  tcp     host    port     errno   errstr  20  STREAM CLIENT CONNECT   context    if    fp         echo   errstr    errno   lt br   gt  n     else        this- gt request    POST   substr  this- gt url  strlen  this- gt host     HTTP 1 1   crlf           Host     this- gt host  crlf           Content-Length     content length  crlf           Connection  Close   crlf  crlf           body       fwrite  fp   this- gt request        while   feof  fp              this- gt response    fgets  fp              fclose  fp

User · Answer

I faced a similar issue during work with Ubuntu 16 04 by using Docker  In my case that was a problem with Composer  but error message  and thus the problem  was the same   Because of minimalist Docker-oriented base image I had missing ca-certificates package and simple apt-get install ca-certificates helped me

User · Answer

In my case  I was on CentOS 7 and my php installation was pointing to a certificate that was being generated through update-ca-trust  The symlink was  etc pki tls cert pem pointing to  etc pki ca-trust extracted pem tls-ca-bundle pem  This was just a test server and I wanted my self signed cert to work properly  So in my case       My root ca-trust folder was here  I coped the  crt file to this location   and renamed it to a  pem  etc pki ca-trust source anchors self-signed-cert pem    Then run this command and it will regenerate the certs for you and   include your self signed cert file  update-ca-trust   Then some of my api calls started working as my cert was now trusted  Also if your ca-trust gets updated through yum or something  this will rebuild your root certificates and still include your self signed cert  Run man update-ca-trust for more info on what to do and how to do it

User · Answer

You mention the certificate is self-signed  by you   Then you have two choices    add the certificate to your trust store  fetching cacert pem from cURL website won t do anything  since it s self-signed  don t bother verifying the certificate  you trust yourself  don t you    Here s a list of SSL context options in PHP  https   secure php net manual en context ssl php  Set allow self signed if you import your certificate into your trust store  or set verify peer to false to skip verification   The reason why we trust a specific certificate is because we trust its issuer  Since your certificate is self-signed  no client will trust the certificate as the signer  you  is not trusted  If you created your own CA when signing the certificate  you can add the CA to your trust store  If your certificate doesn t contain any CA  then you can t expect anyone to connect to your server

User · Answer

Add    mail- gt SMTPOptions   array   ssl    gt  array       verify peer    gt  false       verify peer name    gt  false       allow self signed    gt  true       before  mail- gt send     and replace  require  mailer class phpmailer php     with  require  mailer PHPMailerAutoload php

User · Answer

If you are using macOS sierra there is a update in PHP version  you need to have Entrust net Certificate Authority  2048  file added to the PHP code  more info check accepted answer here Push Notification in PHP using PEM file

User · Answer

Have you tried using the stream context set option   method     context   stream context create     result   stream context set option  context   ssl    local cert     etc ssl certs cacert pem     fp   fsockopen  host   port   errno   errstr  20   context     In addition  try file get contents   for the pem file  to make sure you have permissions to access it  and make sure the host name matches the certificate

User · Answer

The problem is in new PHP Version in macOS Sierra  Please add   stream context set option  ctx   ssl    verify peer   false

[php] SSL error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Examples related to php

Examples related to apache

Examples related to openssl