dunglas / frankenphp

🧟 The modern PHP app server
https://frankenphp.dev
MIT License

curl.cainfo setting from php.ini is being ignored and thus certs aren't available to cURL #984

Closed geoidesic closed 3 weeks ago

geoidesic commented 3 weeks ago

What happened?

I have set the curl.cainfo value in /etc/php.d/my-app.ini

curl.cainfo = /var/lib/frankenphp/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dev.sportch.co.uk/dev.sportch.co.uk.crt
upload_max_filesize = 10M
post_max_size = 10M

You can see this value showing up in the phpinfo below. However, curl is not using this value. It's defaulting to something else.

I've also tried setting it directly:

curl_setopt($ch, CURLOPT_CAINFO, '/var/lib/frankenphp/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dev.sportch.co.uk/dev.sportch.co.uk.crt');

... but even then it doesn't pick that up.

The cURL error is SSL certificate problem: unable to get local issuer certificate.

I don't have this problem when using Caddy with PHP-FPM.

This script demonstrates the problem:

<?php
// Output PHP configuration for cURL
echo '<pre>';
print_r(ini_get_all('curl'));
echo '</pre>';

// cURL info for debugging
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://invalid-url.example.com/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec($ch);
if (curl_errno($ch)) {
    echo 'cURL Error: ' . curl_error($ch) . "\n";
}

$error = curl_error($ch);
$info = curl_getinfo($ch);

// Output cURL error and info
echo "cURL Error: " . $error . "<br>";
echo "cURL Info:<br>";
echo "<pre>";
print_r($info);
echo "</pre>";

curl_close($ch);

The output from this is:

Array
(
    [curl.cainfo] => Array
        (
            [global_value] => /var/lib/frankenphp/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dev.sportch.co.uk/dev.sportch.co.uk.crt
            [local_value] => /var/lib/frankenphp/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dev.sportch.co.uk/dev.sportch.co.uk.crt
            [access] => 4
        )

)
cURL Error: Could not resolve host: invalid-url.example.com cURL Error: Could not resolve host: invalid-url.example.com
cURL Info:
Array
(
    [url] => https://invalid-url.example.com/
    [content_type] => 
    [http_code] => 0
    [header_size] => 0
    [request_size] => 0
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 0
    [total_time] => 0.000134
    [namelookup_time] => 0
    [connect_time] => 0
    [pretransfer_time] => 0
    [size_upload] => 0
    [size_download] => 0
    [speed_download] => 0
    [speed_upload] => 0
    [download_content_length] => -1
    [upload_content_length] => -1
    [starttransfer_time] => 0
    [redirect_time] => 0
    [redirect_url] => 
    [primary_ip] => 
    [certinfo] => Array
        (
        )

    [primary_port] => 0
    [local_ip] => 
    [local_port] => 0
    [http_version] => 0
    [protocol] => 0
    [ssl_verifyresult] => 0
    [scheme] => 
    [appconnect_time_us] => 0
    [connect_time_us] => 0
    [namelookup_time_us] => 0
    [pretransfer_time_us] => 0
    [redirect_time_us] => 0
    [starttransfer_time_us] => 0
    [total_time_us] => 134
    [effective_method] => GET
    [capath] => /etc/ssl/certs
    [cainfo] => /etc/ssl/certs/ca-certificates.crt
)

So you can see from the first Array output from ini_get_all('curl') that the cert location has been set correctly. However, the output of curl_getinfo() shows that curl is not using that value.

On the Caddy PHP-FPM server (where it's working), the curl_getinfo() output is this:

Array
(
    [url] => https://api.push.apple.com/3/device/0246b56ac119bfbffe82145aad8c201464c1358a395abb3fb31c38467e948a0a
    [content_type] => 
    [http_code] => 200
    [header_size] => 62
    [request_size] => 431
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 0
    [total_time] => 0.344313
    [namelookup_time] => 0.005195
    [connect_time] => 0.104873
    [pretransfer_time] => 0.230189
    [size_upload] => 111
    [size_download] => 0
    [speed_download] => 0
    [speed_upload] => 322
    [download_content_length] => -1
    [upload_content_length] => 111
    [starttransfer_time] => 0.230191
    [redirect_time] => 0
    [redirect_url] => 
    [primary_ip] => 17.188.169.93
    [certinfo] => Array
        (
        )

    [primary_port] => 443
    [local_ip] => 212.227.199.44
    [local_port] => 34650
    [http_version] => 3
    [protocol] => 2
    [ssl_verifyresult] => 0
    [scheme] => HTTPS
    [appconnect_time_us] => 230013
    [connect_time_us] => 104873
    [namelookup_time_us] => 5195
    [pretransfer_time_us] => 230189
    [redirect_time_us] => 0
    [starttransfer_time_us] => 230191
    [total_time_us] => 344313
    [effective_method] => POST
)

So here it doesn't even register the cainfo bits... and yet it works. No SSL certificate problem.

Build Type

Official static build

Worker Mode

No

Operating System

GNU/Linux

CPU Architecture

x86_64

PHP configuration

PHP Version 8.3.10

System  Linux dev.sportch.co.uk 5.14.0-427.28.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Aug 2 03:44:10 EDT 2024 x86_64
Build Date  Aug 7 2024 00:38:33
Build System    Linux buildkitsandbox 6.5.0-1025-azure #26~22.04.1-Ubuntu SMP Thu Jul 11 22:33:04 UTC 2024 x86_64 Linux
Configure Command   './configure' '--prefix=' '--with-valgrind=no' '--enable-shared=no' '--enable-static=yes' '--disable-all' '--disable-cgi' '--disable-phpdbg' '--disable-cli' '--disable-fpm' '--enable-embed=static' '--disable-micro' '--disable-opcache-jit' '--enable-zts' '--disable-zend-signals' '--enable-zend-max-execution-timers' '--enable-apcu' '--enable-bcmath' '--with-bz2=/go/src/app/dist/static-php-cli/buildroot' '--enable-calendar' '--enable-ctype' '--with-curl' '--enable-dba' '--enable-dom' '--enable-exif' '--enable-fileinfo' '--enable-filter' '--enable-ftp' '--with-zlib' '--with-zlib-dir=/go/src/app/dist/static-php-cli/buildroot' '--enable-gd' '--with-freetype' '--with-jpeg' '--with-webp' '--with-avif' '--with-gmp=/go/src/app/dist/static-php-cli/buildroot' '--with-gettext=/go/src/app/dist/static-php-cli/buildroot' '--with-iconv=/go/src/app/dist/static-php-cli/buildroot' '--enable-igbinary' '--with-imagick=/go/src/app/dist/static-php-cli/buildroot' '--enable-intl' '--with-openssl-dir=/go/src/app/dist/static-php-cli/buildroot' '--with-ldap=/go/src/app/dist/static-php-cli/buildroot' '--enable-mbstring' '--enable-mbregex' '--enable-mysqlnd' '--with-mysqli' '--enable-opcache' '--enable-pcntl' '--enable-pdo' '--with-pdo-mysql' '--with-pgsql=/go/src/app/dist/static-php-cli/buildroot' '--with-pdo-pgsql=/go/src/app/dist/static-php-cli/buildroot' '--with-sqlite3=/go/src/app/dist/static-php-cli/buildroot' '--with-pdo-sqlite' '--enable-phar' '--enable-posix' '--enable-protobuf' '--with-readline=/go/src/app/dist/static-php-cli/buildroot' '--enable-session' '--enable-redis' '--enable-redis-session' '--enable-redis-igbinary' '--enable-redis-zstd' '--enable-redis-lz4' '--with-liblz4=/go/src/app/dist/static-php-cli/buildroot' '--enable-shmop' '--enable-simplexml' '--enable-soap' '--enable-sockets' '--with-sodium' '--with-ssh2=/go/src/app/dist/static-php-cli/buildroot' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' 
'--with-tidy=/go/src/app/dist/static-php-cli/buildroot' '--enable-tokenizer' '--with-zip=/go/src/app/dist/static-php-cli/buildroot' '--with-xlswriter' '--enable-reader' '--with-openssl=/go/src/app/dist/static-php-cli/buildroot' '--enable-xml' '--enable-xmlreader' '--enable-xmlwriter' '--with-libxml=/go/src/app/dist/static-php-cli/buildroot' '--with-yaml=/go/src/app/dist/static-php-cli/buildroot' '--enable-zstd' '--with-libzstd=/go/src/app/dist/static-php-cli/buildroot' 'CFLAGS=' 'PKG_CONFIG=/go/src/app/dist/static-php-cli/buildroot/bin/pkg-config' 'PKG_CONFIG_PATH=/go/src/app/dist/static-php-cli/buildroot/lib/pkgconfig'
Server API  FrankenPHP
Virtual Directory Support   enabled
Configuration File (php.ini) Path   /lib
Loaded Configuration File   (none)
Scan this dir for additional .ini files /etc/php.d/
Additional .ini files parsed    /etc/php.d/20-bcmath.ini, /etc/php.d/20-bz2.ini, /etc/php.d/20-calendar.ini, /etc/php.d/20-ctype.ini, /etc/php.d/20-curl.ini, /etc/php.d/20-dom.ini, /etc/php.d/20-exif.ini, /etc/php.d/20-fileinfo.ini, /etc/php.d/20-ftp.ini, /etc/php.d/20-gd.ini, /etc/php.d/20-gettext.ini, /etc/php.d/20-iconv.ini, /etc/php.d/20-intl.ini, /etc/php.d/20-mbstring.ini, /etc/php.d/20-mysqlnd.ini, /etc/php.d/20-pdo.ini, /etc/php.d/20-phar.ini, /etc/php.d/20-posix.ini, /etc/php.d/20-shmop.ini, /etc/php.d/20-simplexml.ini, /etc/php.d/20-sqlite3.ini, /etc/php.d/20-sysvmsg.ini, /etc/php.d/20-sysvsem.ini, /etc/php.d/20-sysvshm.ini, /etc/php.d/20-tokenizer.ini, /etc/php.d/20-xml.ini, /etc/php.d/20-xmlwriter.ini, /etc/php.d/20-xsl.ini, /etc/php.d/30-mcrypt.ini, /etc/php.d/30-mysqli.ini, /etc/php.d/30-pdo_mysql.ini, /etc/php.d/30-pdo_sqlite.ini, /etc/php.d/30-xmlreader.ini, /etc/php.d/30-zip.ini, /etc/php.d/40-grpc.ini, /etc/php.d/50-sodium.ini, /etc/php.d/99-sportch.ini
PHP API 20230831
PHP Extension   20230831
Zend Extension  420230831
Zend Extension Build    API420230831,TS
PHP Extension Build API20230831,TS
Debug Build no
Thread Safety   enabled
Thread API  POSIX Threads
Zend Signal Handling    disabled
Zend Memory Manager enabled
Zend Multibyte Support  provided by mbstring
Zend Max Execution Timers   enabled
IPv6 Support    enabled
DTrace Support  disabled
Registered PHP Streams  https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, phar, ssh2.shell, ssh2.exec, ssh2.tunnel, ssh2.scp, ssh2.sftp, zip, compress.zstd
Registered Stream Socket Transports tcp, udp, unix, udg, ssl, tls, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3
Registered Stream Filters   zlib.*, bzip2.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, convert.*, consumed, dechunk
This program makes use of the Zend Scripting Language Engine:
Zend Engine v4.3.10, Copyright (c) Zend Technologies with Zend OPcache v8.3.10, Copyright (c), by Zend Technologies
Configuration

apcu

APCu Support    Enabled
Version 5.1.23
APCu Debugging  Disabled
MMAP Support    Enabled
MMAP File Mask  no value
Serialization Support   php, igbinary, zstd
Build Date  Aug 7 2024 00:36:28
Directive   Local Value Master Value
apc.coredump_unmap  Off Off
apc.enable_cli  Off Off
apc.enabled On  On
apc.entries_hint    4096    4096
apc.gc_ttl  3600    3600
apc.mmap_file_mask  no value    no value
apc.preload_path    no value    no value
apc.serializer  php php
apc.shm_segments    1   1
apc.shm_size    32M 32M
apc.slam_defense    Off Off
apc.smart   0   0
apc.ttl 0   0
apc.use_request_time    Off Off
bcmath

BCMath support  enabled
Directive   Local Value Master Value
bcmath.scale    0   0
bz2

BZip2 Support   Enabled
Stream Wrapper support  compress.bzip2://
Stream Filter support   bzip2.decompress, bzip2.compress
BZip2 Version   1.0.8, 13-Jul-2019
calendar

Calendar support    enabled
Core

PHP Version 8.3.10
Directive   Local Value Master Value
allow_url_fopen On  On
allow_url_include   Off Off
arg_separator.input &   &
arg_separator.output    &   &
auto_append_file    no value    no value
auto_globals_jit    On  On
auto_prepend_file   no value    no value
browscap    no value    no value
default_charset UTF-8   UTF-8
default_mimetype    text/html   text/html
disable_classes no value    no value
disable_functions   no value    no value
display_errors  On  On
display_startup_errors  On  On
doc_root    no value    no value
docref_ext  no value    no value
docref_root no value    no value
enable_dl   On  On
enable_post_data_reading    On  On
error_append_string no value    no value
error_log   no value    no value
error_log_mode  0644    0644
error_prepend_string    no value    no value
error_reporting 1   no value
expose_php  On  On
extension_dir   /lib/php/extensions/no-debug-zts-20230831   /lib/php/extensions/no-debug-zts-20230831
fiber.stack_size    no value    no value
file_uploads    On  On
hard_timeout    2   2
highlight.comment   #FF8000 #FF8000
highlight.default   #0000BB #0000BB
highlight.html  #000000 #000000
highlight.keyword   #007700 #007700
highlight.string    #DD0000 #DD0000
html_errors On  On
ignore_repeated_errors  Off Off
ignore_repeated_source  Off Off
ignore_user_abort   Off Off
implicit_flush  Off Off
include_path    .::./var/includes   .:
input_encoding  no value    no value
internal_encoding   no value    no value
log_errors  Off Off
mail.add_x_header   Off Off
mail.force_extra_parameters no value    no value
mail.log    no value    no value
mail.mixed_lf_and_crlf  Off Off
max_execution_time  30  30
max_file_uploads    20  20
max_input_nesting_level 64  64
max_input_time  -1  -1
max_input_vars  1000    1000
max_multipart_body_parts    -1  -1
memory_limit    128M    128M
open_basedir    no value    no value
output_buffering    0   0
output_encoding no value    no value
output_handler  no value    no value
post_max_size   10M 10M
precision   14  14
realpath_cache_size 4096K   4096K
realpath_cache_ttl  120 120
register_argc_argv  On  On
report_memleaks On  On
report_zend_debug   Off Off
request_order   no value    no value
sendmail_from   no value    no value
sendmail_path   /usr/sbin/sendmail -t -i    /usr/sbin/sendmail -t -i
serialize_precision -1  -1
short_open_tag  On  On
SMTP    localhost   localhost
smtp_port   25  25
static-php-cli.version  2.3.2   2.3.2
sys_temp_dir    no value    no value
syslog.facility LOG_USER    LOG_USER
syslog.filter   no-ctrl no-ctrl
syslog.ident    php php
unserialize_callback_func   no value    no value
upload_max_filesize 10M 10M
upload_tmp_dir  no value    no value
user_dir    no value    no value
user_ini.cache_ttl  300 300
user_ini.filename   .user.ini   .user.ini
variables_order EGPCS   EGPCS
xmlrpc_error_number 0   0
xmlrpc_errors   Off Off
zend.assertions 1   1
zend.detect_unicode On  On
zend.enable_gc  On  On
zend.exception_ignore_args  Off Off
zend.exception_string_param_max_len 15  15
zend.max_allowed_stack_size 0   0
zend.multibyte  Off Off
zend.reserved_stack_size    0   0
zend.script_encoding    no value    no value
ctype

ctype functions enabled
curl

cURL support    enabled
cURL Information    8.9.1
Age 11
Features
AsynchDNS   Yes
CharConv    No
Debug   No
GSS-Negotiate   No
IDN No
IPv6    Yes
krb4    No
Largefile   Yes
libz    Yes
NTLM    Yes
NTLMWB  No
SPNEGO  No
SSL Yes
SSPI    No
TLS-SRP Yes
HTTP2   No
GSSAPI  No
KERBEROS5   No
UNIX_SOCKETS    Yes
PSL No
HTTPS_PROXY Yes
MULTI_SSL   No
BROTLI  Yes
ALTSVC  Yes
HTTP3   No
UNICODE No
ZSTD    Yes
HSTS    Yes
GSASL   No
Protocols   dict, file, ftp, ftps, gopher, gophers, http, https, imap, imaps, mqtt, pop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
Host    Linux
SSL Version OpenSSL/3.3.1
ZLib Version    1.3.1
libSSH Version  libssh2/1.11.0
Directive   Local Value Master Value
curl.cainfo /var/lib/frankenphp/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dev.sportch.co.uk/dev.sportch.co.uk.crt  /var/lib/frankenphp/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dev.sportch.co.uk/dev.sportch.co.uk.crt
date

date/time support   enabled
timelib version 2022.10
"Olson" Timezone Database Version   2024.1
Timezone Database   internal
Default timezone    UTC
Directive   Local Value Master Value
date.default_latitude   31.7667 31.7667
date.default_longitude  35.2333 35.2333
date.sunrise_zenith 90.833333   90.833333
date.sunset_zenith  90.833333   90.833333
date.timezone   UTC UTC
dba

DBA support enabled
Supported handlers  cdb cdb_make inifile flatfile
Directive   Local Value Master Value
dba.default_handler flatfile    flatfile
dom

DOM/XML enabled
DOM/XML API Version 20031129
libxml Version  2.12.5
HTML Support    enabled
XPath Support   enabled
XPointer Support    enabled
Schema Support  enabled
RelaxNG Support enabled
exif

EXIF Support    enabled
Supported EXIF Version  0220
Supported filetypes JPEG, TIFF
Multibyte decoding support using mbstring   enabled
Extended EXIF tag formats   Canon, Casio, Fujifilm, Nikon, Olympus, Samsung, Panasonic, DJI, Sony, Pentax, Minolta, Sigma, Foveon, Kyocera, Ricoh, AGFA, Epson
Directive   Local Value Master Value
exif.decode_jis_intel   JIS JIS
exif.decode_jis_motorola    JIS JIS
exif.decode_unicode_intel   UCS-2LE UCS-2LE
exif.decode_unicode_motorola    UCS-2BE UCS-2BE
exif.encode_jis no value    no value
exif.encode_unicode ISO-8859-15 ISO-8859-15
fileinfo

fileinfo support    enabled
libmagic    543
filter

Input Validation and Filtering  enabled
Directive   Local Value Master Value
filter.default  unsafe_raw  unsafe_raw
filter.default_flags    no value    no value
frankenphp

Version v1.2.3
ftp

FTP support enabled
FTPS support    enabled
gd

GD Support  enabled
GD Version  bundled (2.1.0 compatible)
FreeType Support    enabled
FreeType Linkage    with freetype
FreeType Version    2.13.2
GIF Read Support    enabled
GIF Create Support  enabled
JPEG Support    enabled
libJPEG Version 6b
PNG Support enabled
libPNG Version  1.6.44.git
WBMP Support    enabled
XBM Support enabled
WebP Support    enabled
BMP Support enabled
AVIF Support    enabled
TGA Read Support    enabled
Directive   Local Value Master Value
gd.jpeg_ignore_warning  On  On
gettext

GetText Support enabled
gmp

gmp support enabled
GMP version 6.3.0
hash

hash support    enabled
Hashing Engines md2 md4 md5 sha1 sha224 sha256 sha384 sha512/224 sha512/256 sha512 sha3-224 sha3-256 sha3-384 sha3-512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost gost-crypto adler32 crc32 crc32b crc32c fnv132 fnv1a32 fnv164 fnv1a64 joaat murmur3a murmur3c murmur3f xxh32 xxh64 xxh3 xxh128 haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5
iconv

iconv support   enabled
iconv implementation    libiconv
iconv library version   1.17
Directive   Local Value Master Value
iconv.input_encoding    no value    no value
iconv.internal_encoding no value    no value
iconv.output_encoding   no value    no value
igbinary

igbinary support    enabled
igbinary version    3.2.15
igbinary APCu serializer ABI    0
igbinary session support    yes
Directive   Local Value Master Value
igbinary.compact_strings    On  On
imagick

imagick module  enabled
imagick module version  3.7.0
imagick classes Imagick, ImagickDraw, ImagickPixel, ImagickPixelIterator, ImagickKernel
Imagick compiled with ImageMagick version   ImageMagick 7.1.1-36 Q16-HDRI x86_64 58ddb87ca:20240726 https://imagemagick.org
Imagick using ImageMagick library version   ImageMagick 7.1.1-36 Q16-HDRI x86_64 58ddb87ca:20240726 https://imagemagick.org
ImageMagick copyright   (C) 1999 ImageMagick Studio LLC
ImageMagick release date    2024-07-26
ImageMagick number of supported formats:    259
ImageMagick supported formats   3FR, 3G2, 3GP, A, AAI, AI, APNG, ART, ARW, ASHLAR, AVI, AVS, B, BAYER, BAYERA, BGR, BGRA, BGRO, BMP, BMP2, BMP3, BRF, C, CAL, CALS, CANVAS, CAPTION, CIN, CIP, CLIP, CMYK, CMYKA, CR2, CR3, CRW, CUBE, CUR, CUT, DATA, DCM, DCR, DCRAW, DCX, DDS, DFONT, DNG, DPX, DXT1, DXT5, EPDF, EPI, EPS, EPS2, EPS3, EPSF, EPSI, EPT, EPT2, EPT3, ERF, FARBFELD, FAX, FF, FFF, FILE, FITS, FL32, FLV, FRACTAL, FTP, FTS, FTXT, G, G3, G4, GIF, GIF87, GRADIENT, GRAY, GRAYA, GROUP4, HALD, HDR, HISTOGRAM, HRZ, HTM, HTML, HTTP, HTTPS, ICB, ICO, ICON, IIQ, INFO, INLINE, IPL, ISOBRL, ISOBRL6, JNG, JNX, JPE, JPEG, JPG, JPS, JSON, K, K25, KDC, LABEL, M, M2V, M4V, MAC, MAP, MASK, MAT, MATTE, MDC, MEF, MIFF, MKV, MNG, MONO, MOS, MOV, MP4, MPC, MPEG, MPG, MPO, MRW, MSL, MSVG, MTV, MVG, NEF, NRW, NULL, O, ORA, ORF, OTB, OTF, PAL, PALM, PAM, PANGO, PATTERN, PBM, PCD, PCDS, PCL, PCT, PCX, PDB, PDF, PDFA, PEF, PES, PFA, PFB, PFM, PGM, PGX, PHM, PICON, PICT, PIX, PJPEG, PLASMA, PNG, PNG00, PNG24, PNG32, PNG48, PNG64, PNG8, PNM, POCKETMOD, PPM, PS, PS2, PS3, PSB, PSD, PTIF, PWP, QOI, R, RADIAL-GRADIENT, RAF, RAS, RAW, RGB, RGB565, RGBA, RGBO, RGF, RLA, RLE, RMF, RW2, RWL, SCR, SCREENSHOT, SCT, SFW, SGI, SHTML, SIX, SIXEL, SPARSE-COLOR, SR2, SRF, SRW, STEGANO, STI, STRIMG, SUN, SVG, SVGZ, TEXT, TGA, THUMBNAIL, TIFF, TIFF64, TILE, TIM, TM2, TTC, TTF, TXT, UBRL, UBRL6, UIL, UYVY, VDA, VICAR, VID, VIFF, VIPS, VST, WBMP, WEBM, WEBP, WMV, WPG, X3F, XBM, XC, XCF, XPM, XPS, XV, Y, YAML, YCBCR, YCBCRA, YUV
Directive   Local Value Master Value
imagick.allow_zero_dimension_images 0   0
imagick.locale_fix  0   0
imagick.progress_monitor    0   0
imagick.set_single_thread   1   1
imagick.shutdown_sleep_count    10  10
imagick.skip_version_check  0   0
intl

Internationalization support    enabled
ICU version 75.1
ICU Data version    75.1
ICU TZData version  2024a
ICU Unicode version 15.1
Directive   Local Value Master Value
intl.default_locale no value    no value
intl.error_level    0   0
intl.use_exceptions Off Off
json

json support    enabled
ldap

LDAP Support    enabled
Total Links 0/unlimited
API Version 3001
Vendor Name OpenLDAP
Vendor Version  20608
Directive   Local Value Master Value
ldap.max_links  Unlimited   Unlimited
libxml

libXML support  active
libXML Compiled Version 2.12.5
libXML Loaded Version   21205
libXML streams  enabled
mbstring

Multibyte Support   enabled
Multibyte string engine libmbfl
HTTP input encoding translation disabled
libmbfl version 1.3.2
mbstring extension makes use of "streamable kanji code filter and converter", which is distributed under the GNU Lesser General Public License version 2.1.
Multibyte (japanese) regex support  enabled
Multibyte regex (oniguruma) version 6.9.9
Directive   Local Value Master Value
mbstring.detect_order   no value    no value
mbstring.encoding_translation   Off Off
mbstring.http_input no value    no value
mbstring.http_output    no value    no value
mbstring.http_output_conv_mimetypes ^(text/|application/xhtml\+xml) ^(text/|application/xhtml\+xml)
mbstring.internal_encoding  no value    no value
mbstring.language   neutral neutral
mbstring.regex_retry_limit  1000000 1000000
mbstring.regex_stack_limit  100000  100000
mbstring.strict_detection   Off Off
mbstring.substitute_character   no value    no value
mysqli

MysqlI Support  enabled
Client API library version  mysqlnd 8.3.10
Active Persistent Links 0
Inactive Persistent Links   0
Active Links    1
Directive   Local Value Master Value
mysqli.allow_local_infile   Off Off
mysqli.allow_persistent On  On
mysqli.default_host no value    no value
mysqli.default_port 3306    3306
mysqli.default_pw   no value    no value
mysqli.default_socket   no value    no value
mysqli.default_user no value    no value
mysqli.local_infile_directory   no value    no value
mysqli.max_links    Unlimited   Unlimited
mysqli.max_persistent   Unlimited   Unlimited
mysqli.rollback_on_cached_plink Off Off
mysqlnd

mysqlnd enabled
Version mysqlnd 8.3.10
Compression supported
core SSL    supported
extended SSL    supported
Command buffer size 4096
Read buffer size    32768
Read timeout    86400
Collecting statistics   Yes
Collecting memory statistics    No
Tracing n/a
Loaded plugins  mysqlnd,debug_trace,auth_plugin_mysql_native_password,auth_plugin_mysql_clear_password,auth_plugin_caching_sha2_password,auth_plugin_sha256_password
API Extensions  mysqli,pdo_mysql
openssl

OpenSSL support enabled
OpenSSL Library Version OpenSSL 3.3.1 4 Jun 2024
OpenSSL Header Version  OpenSSL 3.3.1 4 Jun 2024
Openssl default config  /ssl/openssl.cnf
Directive   Local Value Master Value
openssl.cafile  no value    no value
openssl.capath  no value    no value
pcntl

pcntl support   enabled
pcre

PCRE (Perl Compatible Regular Expressions) Support  enabled
PCRE Library Version    10.42 2022-12-12
PCRE Unicode Version    14.0.0
PCRE JIT Support    enabled
PCRE JIT Target x86 64bit (little endian + unaligned)
Directive   Local Value Master Value
pcre.backtrack_limit    1000000 1000000
pcre.jit    On  On
pcre.recursion_limit    100000  100000
PDO

PDO support enabled
PDO drivers mysql, pgsql, sqlite
pdo_mysql

PDO Driver for MySQL    enabled
Client API version  mysqlnd 8.3.10
Directive   Local Value Master Value
pdo_mysql.default_socket    /tmp/mysql.sock /tmp/mysql.sock
pdo_pgsql

PDO Driver for PostgreSQL   enabled
PostgreSQL(libpq) Version   16.2
pdo_sqlite

PDO Driver for SQLite 3.x   enabled
SQLite Library  3.43.2
pgsql

PostgreSQL Support  enabled
PostgreSQL (libpq) Version  16.2
Multibyte character support enabled
Active Persistent Links 0
Active Links    0
Directive   Local Value Master Value
pgsql.allow_persistent  On  On
pgsql.auto_reset_persistent Off Off
pgsql.ignore_notice Off Off
pgsql.log_notice    Off Off
pgsql.max_links Unlimited   Unlimited
pgsql.max_persistent    Unlimited   Unlimited
Phar

Phar: PHP Archive support   enabled
Phar API version    1.1.1
Phar-based phar archives    enabled
Tar-based phar archives enabled
ZIP-based phar archives enabled
gzip compression    enabled
bzip2 compression   enabled
OpenSSL support enabled
Phar based on pear/PHP_Archive, original concept by Davey Shafik.
Phar fully realized by Gregory Beaver and Marcus Boerger.
Portions of tar implementation Copyright (c) 2003-2009 Tim Kientzle.
Directive   Local Value Master Value
phar.cache_list no value    no value
phar.readonly   On  On
phar.require_hash   On  On
posix

POSIX support   enabled
protobuf

Version 4.27.3
Directive   Local Value Master Value
protobuf.keep_descriptor_pool_after_request 0   0
random

Version 8.3.10
readline

Readline Support    enabled
Readline library    8.2
Directive   Local Value Master Value
cli.pager   no value    no value
cli.prompt  \b \>   \b \>
redis

Redis Support   enabled
Redis Version   5.3.7
Redis Sentinel Version  0.1
Available serializers   php, json, igbinary
Available compression   zstd, lz4
Directive   Local Value Master Value
redis.arrays.algorithm  no value    no value
redis.arrays.auth   no value    no value
redis.arrays.autorehash 0   0
redis.arrays.connecttimeout 0   0
redis.arrays.consistent 0   0
redis.arrays.distributor    no value    no value
redis.arrays.functions  no value    no value
redis.arrays.hosts  no value    no value
redis.arrays.index  0   0
redis.arrays.lazyconnect    0   0
redis.arrays.names  no value    no value
redis.arrays.pconnect   0   0
redis.arrays.previous   no value    no value
redis.arrays.readtimeout    0   0
redis.arrays.retryinterval  0   0
redis.clusters.auth no value    no value
redis.clusters.cache_slots  0   0
redis.clusters.persistent   0   0
redis.clusters.read_timeout 0   0
redis.clusters.seeds    no value    no value
redis.clusters.timeout  0   0
redis.pconnect.connection_limit 0   0
redis.pconnect.echo_check_liveness  1   1
redis.pconnect.pool_detect_dirty    0   0
redis.pconnect.pool_pattern no value    no value
redis.pconnect.pool_poll_timeout    0   0
redis.pconnect.pooling_enabled  1   1
redis.session.lock_expire   0   0
redis.session.lock_retries  10  10
redis.session.lock_wait_time    2000    2000
redis.session.locking_enabled   0   0
Reflection

Reflection  enabled
session

Session Support enabled
Registered save handlers    files user redis rediscluster
Registered serializer handlers  php_serialize php php_binary igbinary
Directive   Local Value Master Value
session.auto_start  Off Off
session.cache_expire    180 180
session.cache_limiter   nocache nocache
session.cookie_domain   no value    no value
session.cookie_httponly Off Off
session.cookie_lifetime 0   0
session.cookie_path /   /
session.cookie_samesite no value    no value
session.cookie_secure   Off Off
session.gc_divisor  100 100
session.gc_maxlifetime  1440    1440
session.gc_probability  1   1
session.lazy_write  On  On
session.name    PHPSESSID   PHPSESSID
session.referer_check   no value    no value
session.save_handler    files   files
session.save_path   no value    no value
session.serialize_handler   php php
session.sid_bits_per_character  4   4
session.sid_length  32  32
session.upload_progress.cleanup On  On
session.upload_progress.enabled On  On
session.upload_progress.freq    1%  1%
session.upload_progress.min_freq    1   1
session.upload_progress.name    PHP_SESSION_UPLOAD_PROGRESS PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix  upload_progress_    upload_progress_
session.use_cookies On  On
session.use_only_cookies    On  On
session.use_strict_mode Off Off
session.use_trans_sid   Off Off
shmop

shmop support   enabled
SimpleXML

SimpleXML support   enabled
Schema support  enabled
soap

Soap Client enabled
Soap Server enabled
Directive   Local Value Master Value
soap.wsdl_cache 1   1
soap.wsdl_cache_dir /tmp    /tmp
soap.wsdl_cache_enabled On  On
soap.wsdl_cache_limit   5   5
soap.wsdl_cache_ttl 86400   86400
sockets

Sockets Support enabled
sodium

sodium support  enabled
libsodium headers version   1.0.20
libsodium library version   1.0.20
SPL

SPL support enabled
Interfaces  OuterIterator, RecursiveIterator, SeekableIterator, SplObserver, SplSubject
Relevant log output

N/A
dunglas commented 3 weeks ago

Hi,

What's in the .crt file?

geoidesic commented 3 weeks ago

> Hi,
>
> What's in the .crt file?

Which one? The one I'm trying to point it to is autogenerated by frankenphp. The one it's pointing to I have no idea, presumably it's the default installed by Alma Linux 9, or php-curl – it's the same default on both servers.

dunglas commented 3 weeks ago

With the static binary, you must download a CA bundle from https://curl.se/docs/caextract.html, and curl.cainfo must point to this file. AFAIK it doesn't include a CA bundle by default. Pointing to the generated local certificate will not work (it's not the same thing).

geoidesic commented 3 weeks ago

Should I overwrite the existing ones?

lrwxrwxrwx. 1 root root   49 Sep 12  2023 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 Sep 12  2023 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
geoidesic commented 3 weeks ago

I tried the curl command suggested on that page you linked:

[root@dev tmp]#   curl --etag-compare etag.txt --etag-save etag.txt --remote-name https://curl.se/ca/cacert.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (77) error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt

But it yields an error. I don't know what I'm doing here.

dunglas commented 3 weeks ago

If you already have a CA bundle provided by your distribution, set curl.cainfo = /etc/pki/tls/certs/ca-bundle.crt, that should do the trick.

geoidesic commented 3 weeks ago

I was confused. I thought you said I must download a CA bundle? The bundles I mentioned above were for some reason empty. When I downloaded the cert from frankenphp it also was empty. 🤷 I tried again and then it wasn't empty. Once I symlinked that:

lrwxrwxrwx  1 root root   32 Aug 20 00:02 ca-bundle.crt -> frankenphp/cacert-2024-07-02.pem

and then set that in CURLOPT:

curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-bundle.crt');

I got a different error:

Error: Received HTTP/0.9 when not allowed

Then I had to add this to get it to work:

curl_setopt($ch, CURLOPT_HTTP09_ALLOWED, true);

... but it seems to be working now.

Tx for the help!

geoidesic commented 3 weeks ago

Although having said that... this is all in aid of trying to get APNS (apple push notifications) working... and they aren't working. I can get them to work with Caddy PHP-FPM but not with frankenphp.

geoidesic commented 3 weeks ago

The response contains an error:

@@uÿÿÿUnexpected HTTP/1.x request: POST /3/device/7ee43e5089a1c9b24cbdf87c671f187eb78d9eb29b1a62fbb744e88a3e306e09
geoidesic commented 3 weeks ago

I think maybe the problem is that cURL is configured without http2 support. This is from phpinfo:

HTTP2 | No

So then the question becomes, how do I get a version of frankenphp with HTTP2 enabled for cURL?

Although I also don't understand why it was necessary to enable CURLOPT_HTTP09_ALLOWED because APNS should not be sending back an HTTP v0.9 response. (Maybe it's because HTTP2 isn't available and it's some kind of fallback).
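As an added diagnostic, not code from the issue or from FrankenPHP, the following checks the two things that broke in this thread before an APNs call is attempted: that the file curl.cainfo points at is a non-empty PEM bundle (the symlinked bundles above were empty), and that the linked libcurl has HTTP/2 (the phpinfo row "HTTP2 | No"), so the request is forced to HTTP/2 rather than papered over with CURLOPT_HTTP09_ALLOWED. The function names are my own.

```php
<?php
// Added diagnostic (not FrankenPHP or issue code) for the two failures in this
// thread: an empty/wrong curl.cainfo bundle and a libcurl built without HTTP/2.
declare(strict_types=1);
/** Report whether $path is a readable PEM CA bundle and how many certificates it holds. */
function checkCaBundle(?string $path): array
{
    if ($path === null || $path === '') {
        return ['ok' => false, 'reason' => 'curl.cainfo is unset; libcurl uses its compiled-in default'];
    }
    $real = realpath($path); // resolves symlinks such as ca-bundle.crt -> cacert-*.pem
    if ($real === false || !is_readable($real)) {
        return ['ok' => false, 'reason' => "$path does not exist or is not readable"];
    }
    // The bundles in this thread were symlinks to empty files: zero CAs means every handshake fails.
    $count = preg_match_all('/-----BEGIN CERTIFICATE-----/', (string) file_get_contents($real));
    if ($count === 0) {
        return ['ok' => false, 'reason' => "$real contains no PEM certificates"];
    }
    return ['ok' => true, 'path' => $real, 'certificates' => $count];
}

/** True if the libcurl linked into this PHP build advertises HTTP/2 (the phpinfo "HTTP2" row). */
function curlHasHttp2(): bool
{
    return (curl_version()['features'] & CURL_VERSION_HTTP2) !== 0;
}

/** Handle for an HTTP/2-only endpoint such as APNs: fail early rather than allowing HTTP/0.9. */
function http2Handle(string $url, string $caBundle): CurlHandle
{
    if (!curlHasHttp2()) {
        throw new RuntimeException('libcurl lacks HTTP/2; "Received HTTP/0.9" in this thread was an HTTP/2 reply being misread');
    }
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException("curl_init failed for $url");
    }
    curl_setopt_array($ch, [
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_2_0, // APNs answers HTTP/1.x with "Unexpected HTTP/1.x request"
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_SSL_VERIFYPEER => true,  // keep peer verification on; never silence cert errors by disabling it
        CURLOPT_RETURNTRANSFER => true,
    ]);
    return $ch;
}

// Run against the live configuration; http2Handle() only builds a handle, no request is sent here.
print_r(checkCaBundle(ini_get('curl.cainfo') ?: null));
var_dump(curlHasHttp2());
```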

geoidesic commented 3 weeks ago

Do I need to Compile from source with a dynamic PHP library? I.e. https://frankenphp.dev/docs/compile/

I was hoping to avoid that because it sounds complicated and the documentation seems sketchy at best, with English grammar errors that make it even more confusing.

dunglas commented 3 weeks ago

Feel free to open a PR to improve the docs (there is an "edit" button at the bottom of the page), or to provide a minimal reproducer if you think there is a bug.

Regarding curl options, we use Static PHP CLI under the hood. It may have fewer compilation options enabled. You may also try to use the Docker images we provide, which come with HTTPS working out of the box and can be compiled with more curl features.

dunglas commented 3 weeks ago

I fixed some grammar issues in #646, and #988 should add HTTP/2 support to ext-curl.

geoidesic commented 3 weeks ago

Ok thanks for that quick response. How do I get to use the change that you've made in #988? Is there a static build of frankenphp that I can download or is it some other way?

geoidesic commented 3 weeks ago

P.S. I feel like frankenphp would benefit from a Discord channel. Good way to build a community.

geoidesic commented 3 weeks ago

> You may also try to use the Docker images we provide, which come with HTTPS working out of the box and can be compiled with more curl features.

I'm deploying to a VPS so Docker isn't an option for me.

dunglas commented 3 weeks ago

If your VPS runs on Linux, Docker will have basically no overhead.

geoidesic commented 3 weeks ago

> If your VPS runs on Linux, Docker will have basically no overhead.

Sounds nice but I don't know how to administer that as a sys admin. So that's a whole other can of worms to go opening.

Is there a way for me to get your update from #988 without going down the docker rabbit hole?

dunglas commented 3 weeks ago

You can test with this binary: https://github.com/dunglas/frankenphp/actions/runs/10469568629/artifacts/1832668003

geoidesic commented 3 weeks ago

That did the trick! APNs are sending! Tx @dunglas