doulu8341 2019-03-14 17:06

SSL certificate problem: unable to get issuer certificate

I'm currently testing an API on a website with a certificate by executing a php script that uses curl, in command line on my local windows machine. But the script never manages to reach the server. I have looked up solutions for this apparently frequent error, and tried the following, without success:

  • Made sure the certificate is still valid.
  • Made sure that the openssl php extension is enabled in php.ini, and that the .dll is indeed there.
  • Downloaded the latest certificate bundle from https://curl.haxx.se/docs/caextract.html, as explained in the answer to this question and added it to php.ini. I have also checked that the certification authority for the website I'm trying to contact is indeed in that bundle (in my case, Comodo).
  • Downloaded an older certificate bundle that's closer to the beginning of the website's certificate validity period.
  • Downloaded the certificate directly from the certification authority via this link, and added the .crt to my php.ini file.
  • Converted the .crt file retrieved above to .pem using this tool, then added it to php.ini (replacing the one above).

Here is the script I'm using for testing (I'm executing it using php in command line only):

$data = 'username=myuser&password=mypassword';
$ch = curl_init('https://my.website.com/auth');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_VERBOSE, true);
//curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
//curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_exec($ch);
curl_close($ch);

If I uncomment the two lines in there to bypass certificate validation entirely, it works perfectly, but I want to avoid that.

In all cases, I have tried path with both slashes and backslashes, I am certain that the correct php.ini is used, and that php does have access to the .pem file location. This is confirmed by the output of the php script (I have replaced the actual url I'm using):

> *   Trying 192.168.200.11...
> * TCP_NODELAY set
> * Connected to my.website.com (192.168.200.11) port 443 (#0)
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:   
> CAfile: C:\Development\examples\COMODORSADomainValidationSecureServerCA.pem  
> CApath: none
> * NPN, negotiated HTTP1.1
> * SSL certificate problem: unable to get issuer certificate
> * stopped the pause stream!
> * Closing connection 0

I'm currently out of ideas for checking what I did wrong and how to fix it.


  • douchun6221 2019-03-15 10:10

    So, in the end, here is how I finally managed to do it: as the error suggests, and as a couple of answers also point out, the Certification Authority's certificate chain is missing from my configuration, and is not in the pack downloaded from https://curl.haxx.se/docs/caextract.html.

    So in the end, I found this question that pointed me in the right direction: I went to the website I was trying to connect to using Firefox, and exported the certificate as type "X.509 Certificate with chain (PEM)", to the file C:/Development/examples/mycert.pem . Then, I changed my php.ini configuration to

    curl.cainfo=C:/Development/examples/my.website.com.pem
    openssl.cafile=C:/Development/examples/my.website.com.pem

    And that did the trick! I can connect to the website without issue.

    It is also possible to simply copy-paste the content of my.website.com.pem at the end of the file downloaded from https://curl.haxx.se/docs/caextract.html, and it works as well, and is probably more versatile if you need to connect to other websites that are using certificates with php curl.

    This answer was selected by the asker as the best answer.
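A way to check a CA file for the gap this answer describes, before pointing `curl.cainfo` at it. This is an added example, not code from the original post: it lists every certificate in a PEM bundle whose issuer is not present in the same bundle, using throwaway certificates generated at run time as constructed test data. Assumptions: PHP 7.4 or later with the openssl extension able to find its `openssl.cnf`; the function names are hypothetical.

```php
<?php
/** Split a PEM bundle into its individual certificate blocks. */
function pem_blocks(string $bundle): array {
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $bundle, $m);
    return $m[0];
}

/** True if the public key in $issuerPem validates the signature on $certPem. */
function signed_by(string $certPem, string $issuerPem): bool {
    $pub = openssl_pkey_get_public($issuerPem); // accepts an X.509 certificate
    return $pub !== false && openssl_x509_verify($certPem, $pub) === 1;
}

/** Subjects of certificates that no certificate in the bundle (itself included) signed. */
function missing_issuers(string $bundle): array {
    $blocks = pem_blocks($bundle);
    $missing = [];
    foreach ($blocks as $cert) {
        $found = false;
        foreach ($blocks as $candidate) {
            if (signed_by($cert, $candidate)) { $found = true; break; }
        }
        if (!$found) {
            $missing[] = openssl_x509_parse($cert)['name']; // subject DN as one string
        }
    }
    return $missing;
}

/** Constructed test data: issue a throwaway certificate (self-signed when $ca is null). */
function make_cert(string $cn, ?array $ca = null): array {
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $crt = openssl_csr_sign($csr, $ca['pem'] ?? null, $ca['key'] ?? $key, 30, ['digest_alg' => 'sha256']);
    openssl_x509_export($crt, $pem);
    return ['pem' => $pem, 'key' => $key];
}

$root = make_cert('Example Root CA (constructed)');
$intermediate = make_cert('Example Intermediate CA (constructed)', $root);

// Only the intermediate in the file: its issuer is absent, so it is reported.
print_r(missing_issuers($intermediate['pem']));
// Intermediate plus root, like a "with chain" export: nothing is reported.
print_r(missing_issuers($intermediate['pem'] . $root['pem']));
```

To check a real file, pass `file_get_contents()` of the path configured in `curl.cainfo` to `missing_issuers()`; an empty result means every certificate in the file chains to a self-signed root that is also in the file.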