SSL证书问题:无法获得颁发者证书

I'm currently testing an API on a website with a certificate by executing a php script that uses curl, in command line on my local windows machine. But the script never manages to reach the server. I have looked up solutions for this apparently frequent error, and tried the following, without success:

  • Made sure the certificate is still valid.
  • Made sure that the openssl php extension is enabled in php.ini, and that the .dll is indeed there.
  • Downloaded the latest certificate bundle from https://curl.haxx.se/docs/caextract.html, as explained in the answer to this question and added it to php.ini. I have also checked that the certification authority for the website I'm trying to contact is indeed in that bundle (in my case, Comodo).
  • Downloaded an older certificate bundle that's closer to the beginning of the website's certificate validity period.
  • Downloaded the certificate directly from the certification authority via this link, and added the .crt to my php.ini file.
  • Converted the .crt file retrieved above to .pem using this tool, then adding it to php.ini (replacing the one above).

Here is the script I'm using for testing (I'm executing it using php in command line only):

$data = 'username=myuser&password=mypassword';
$ch = curl_init('https://my.website.com/auth');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_VERBOSE, true);
//curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
//curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_exec($ch);
curl_close($ch);

If I uncomment the two lines in there to bypass certificate validation entirely, it works perfectly, but I want to avoid that.

In all cases, I have tried path with both slashes and backslashes, I am certain that the correct php.ini is used, and that php does have access to the .pem file location. This is confirmed by the output of the php script (I have replaced the actual url I'm using):

> *   Trying 192.168.200.11...
> * TCP_NODELAY set
> * Connected to my.website.com (192.168.200.11) port 443 (#0)
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:   
> CAfile: C:\Development\examples\COMODORSADomainValidationSecureServerCA.pem  
> CApath: none
> * NPN, negotiated HTTP1.1
> * SSL certificate problem: unable to get issuer certificate
> * stopped the pause stream!
> * Closing connection 0

I'm currently out of ideas for checking what I did wrong and how to fix it.

drbouzlxb92333332
drbouzlxb92333332 困难的部分是真正知道如何实际检索curl所需的证书。我现在可以感谢firefox拥有这样做的工具。
一年多之前 回复
douyan8961
douyan8961 “无法获得颁发者证书”始终意味着您从远程端收到一份证书,在本地您无法找到签署证书的证书。您首先需要确切了解您获得的证书以及颁发者。然后,您需要确保在相关的信任库中添加此颁发者证书。
一年多之前 回复

2个回答



所以,最后,我最终设法做到了这一点:正如错误所暗示的那样,几个答案也指出了 to,我的配置中缺少证书颁发机构的证书链,并且不在从 https下载的包中 ://curl.haxx.se/docs/caextract.html 。 </ p>

最后,我找到了这个问题指出了我正确的方向:我去了我试图使用firefox连接的网站,并将证书导出为”X.509 Certfificate with chain(PEM)“类型, 文件C:/Development/examples/mycert.pem。 然后,我将php.ini配置更改为</ p>


curl.cainfo = C:/Development/examples/my.website.com.pem
openssl.cafile = C:/Development/examples/my.website.com.pem </ p>
</ blockquote>

这就是诀窍! 我可以毫无问题地连接到网站。</ p>

也可以在从 https://curl.haxx.se/docs/caextract.html ,它也有效 ,如果您需要连接到使用php curl证书的其他网站,可能会更加通用。</ p>
</ div>

展开原文

原文

So, in the end, here is how I finally managed to do it: as the error suggests, and couple of answers also points out to, the Certification Authority's certificate chain is missing from my configuration, and is not in the pack downloaded from https://curl.haxx.se/docs/caextract.html .

So in the end, I found this question that pointed me in the right direction: I went to the website I was trying to connect to using firefox, and exported the certificate as type "X.509 Certfificate with chain (PEM)", to the file C:/Development/examples/mycert.pem . Then, I changed my php.ini configuration to

curl.cainfo=C:/Development/examples/my.website.com.pem openssl.cafile=C:/Development/examples/my.website.com.pem

And that did the trick! I can connect to the website without issue.

It is also possible to simply copy-paste the content of my.website.com.pem at the end of the file downloaded from https://curl.haxx.se/docs/caextract.html, and it works as well, and is probably more versatile if you need to connect to other websites that are using certificates with php curl.



您是否可以通过curl从命令行连接到服务器?</ p>

  curl -vs https://my.website.com/auth --cacert C:\ Development \ examples \ COMODORSADomainValidationSecureServerCA.pem 
</ code> </ pre>

可能存在不匹配 在服务器证书和您下载的软件包之间,即证书不在软件包中。</ p>

如果您安装了openssl,则可以从服务器中提取CA证书</ p >

  openssl s_client -showcerts -servername server -connect server:443&gt;  cacert.pem 
</ code> </ pre>

可以找到类似问题的描述 here </ p>
</ div>

展开原文

原文

Are you able to connect to the server from the command line with curl?

curl -vs https://my.website.com/auth --cacert C:\Development\examples\COMODORSADomainValidationSecureServerCA.pem 

Probably there is a mismatch between the server certificate and the bundle you've downloaded, i.e. the certificate is not in the bundle.

If you have openssl installed you can extract the CA cert from your server with

openssl s_client -showcerts -servername server -connect server:443 > cacert.pem

The description of a similar problem can be found here

dongyou7292
dongyou7292 不幸的是,我没有linux环境或cygwin来测试这个,但它确实给出了重要的线索,即错误的可能是整个证书链完全或部分缺失,事实确实如此!
一年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问