SSL error while calling Client::getCollabTokens()

[martinbutt]

Calling code:

    $blackfire = new \Blackfire\Client();
    $probe = $blackfire->createProbe();

Result:

Blackfire\Exception\OfflineException An error occurred: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:func(144):reason(134). 
    /home/martin.butt/projects/server/src/vendor/blackfire/php-sdk/src/Blackfire/Client.php:453 Blackfire\{closure}
    [internal] file_get_contents
    /home/martin.butt/projects/server/src/vendor/blackfire/php-sdk/src/Blackfire/Client.php:456 Blackfire\Client::sendHttpRequest
    /home/martin.butt/projects/server/src/vendor/blackfire/php-sdk/src/Blackfire/Client.php:328 Blackfire\Client::getCollabTokens
    /home/martin.butt/projects/server/src/vendor/blackfire/php-sdk/src/Blackfire/Client.php:341 Blackfire\Client::getEnvDetails
    /home/martin.butt/projects/server/src/vendor/blackfire/php-sdk/src/Blackfire/Client.php:369 Blackfire\Client::getRequestDetails
    /home/martin.butt/projects/server/src/vendor/blackfire/php-sdk/src/Blackfire/Client.php:312 Blackfire\Client::doCreateRequest
    /home/martin.butt/projects/server/src/vendor/blackfire/php-sdk/src/Blackfire/Client.php:58 Blackfire\Client::createProbe
    /home/martin.butt/projects/server/src/html/api.php:12 [main]

If I change \Blackfire\Client::sendHttpRequest()

        $sslOpts = array(
            'verify_peer' => 1,
            'verify_host' => 2,
        );

to

        $sslOpts = array(
            'verify_peer' => false,
            'verify_host' => 2,
        );

it works. I have tried updating the ca-certs on that machine, but no joy.

[tgalopin]

Hello @martinbutt,

It seems your problem comes from the fact that your computer does not trust the Blackfire Certificate Authority (http://blaoism.blogspot.fr/2010/05/sslerrorssl-error14090086lib20func144re.html).

I would say this is a problem with your ca-file (or at least the one used by the Blackfire SDK).

To find the problem, could you please do the following:

1. Execute from the machine haivng the issue the command curl -I https://blackfire.io. If this does not work, the global ca-file on this machine is the problem.
2. If the curl worked, try executing the simple PHP file <?php echo file_get_contents('https://blackfire.io');. If this does not work, the ca-file used by PHP is not the right one.
3. If the simple PHP check worked, it may be an issue with the composer/ca-bundle package that load the wrong ca-file: please run <?php echo \Composer\CaBundle\CaBundle::getSystemCaRootBundlePath(); and copy the result here.

Thanks by advance!

Best regards, Titouan

[martinbutt]

Hi @tgalopin,

1 & 2 return a 200 3 returns "/etc/pki/tls/certs/ca-bundle.crt"

I did a "yum update ca-certificates" which updated that file to the latest version, which on CentOS 6.4 is 2015.2.6-65.0.1.el6_7. That didn't help. I also manually added the blackfire.io certificate to the trusted certs, also didn't help. (Obviously I restarted php-fpm).

A curl -v confirms that the certificate it is using is "/etc/pki/tls/certs/ca-bundle.crt", which returns the 200. So the cert must be good. I'm just unsure why PHP is having an issue.

Composer has "composer/ca-bundle": "1.0.3".

Cheers, Martin

[tgalopin]

Hello @martinbutt,

I'm suspecting an issue in the SDK code. In your vendor directory, could you modifiy the following line and test again:

In Client.php, at line 443 (https://github.com/blackfireio/php-sdk/blob/master/src/Blackfire/Client.php#L433), change from:

if (is_dir($caPath)) {
    $sslOpts['ssl']['capath'] = $caPath;
} else {
    $sslOpts['ssl']['cafile'] = $caPath;
}

to

if (is_dir($caPath)) {
    $sslOpts['capath'] = $caPath;
} else {
    $sslOpts['cafile'] = $caPath;
}

[martinbutt]

That worked! Thanks.

PR here: https://github.com/blackfireio/php-sdk/pull/19