search

ably / ably-php

PHP client library SDK for Ably realtime messaging service
https://ably.com/download
Apache License 2.0
49 stars 10 forks source link

SSL certificate error for PHP CURL #136

Closed sacOO7 closed 2 years ago

sacOO7 commented 2 years ago

~- Disabled SSL certificate while sending a request to Ably Sandbox.~ ~- Fixed error [SSL certificate error: unable to get local issuer certificate]~

sacOO7 commented 2 years ago

Code looks fine but I'm not sure I'm comfortable with us making this change. The TestApp API should have a valid certificate so if there's a problem with validating it then we should try and understand exactly what that problem is. I see that we got an SSL error in CI here but the issue didn't occur again when I re-ran the tests so I'd guess that was a temporary issue with GitHub runners. If you're consistently seeing the same error locally then I'd guess there's an issue with your local openssl installation?

The error says [SSL certificate error: unable to get local issuer certificate]. So, the issue is surely from the local certificate. I am currently using the windows machine. I have done a fresh installation of PHP. I am using PHP 8.1.4. Since we are using test env. anyways, I don't think it is a big issue disabling the SSL verification (We are still verifying the correct host). I think we need to confirm this issue doesn't occur on github again. It can, depending on the machine available at the time of test run.

lmars commented 2 years ago

The Ably sandbox cluster uses a public TLS certificate issued by AWS, and it uses the same issuance system as our production TLS certificates.

If you're getting TLS related errors, we should investigate the root cause and fix the underlying issue rather than disabling verification, as this may well affect other clients connecting to production.

sacOO7 commented 2 years ago

@lmars it seems we have multiple tests using the internal HTTP class. Since we can't disable SSL for a non-test environment, I will only keep the code that reports errors with the server. I will also update the doc on how to resolve the error for windows environments. PS - I have found a good article on the error - https://aboutssl.org/fix-ssl-certificate-problem-unable-to-get-local-issuer-certificate/

lmars commented 2 years ago

@sacOO7 so do you know what the root cause of the verification issue is?

sacOO7 commented 2 years ago

@sacOO7 so do you know what the root cause of the verification issue is?

Yeah, downloading and updating SSL certificate as per https://aboutssl.org/fix-ssl-certificate-problem-unable-to-get-local-issuer-certificate/ fixed my issue. I think issue might be common for windows machines since the entry for the local/client SSL certificate was empty in php.ini.

QuintinWillison commented 2 years ago

Interesting. I notice we only run integration tests in CI on Ubuntu runners at the moment. Perhaps we should add Windows to that mix.