fossar / selfoss

multipurpose rss reader, live stream, mashup, aggregation web application
https://selfoss.aditu.de
GNU General Public License v3.0

error loading feed content: cURL error 60: SSL certificate problem: unable to get local issuer certificate #1099

Open K232 opened 5 years ago

K232 commented 5 years ago

There are already some older issues regarding this topic "error loading feed content: cURL error 60: SSL certificate problem: unable to get local issuer certificate" and https://github.com/SSilence/selfoss/pull/505#issuecomment-39122258 was marked as the solution, but unfortunately I'm on shared webhosting and therefore I do not have access to php.ini.

Is there anything I could do right within selfoss?

jtojnar commented 5 years ago

Since we switched to Guzzle in development builds, you can set the verify flag to a certificate file in https://github.com/SSilence/selfoss/blob/66b08f81f4271eb50e9fb62c2e1de1db24f6ee3b/helpers/WebClient.php#L40. We could support changing it in config.

The issue still persists with Twitter spout, which doesn't use Guzzle yet.

K232 commented 5 years ago

Hi @jtojnar, thanks for the fast reply! I've downloaded the latest development build and updated WebClient.php:

            $httpClient = new GuzzleHttp\Client([
                'headers' => [
                    'User-Agent' => self::getUserAgent(),
                ],
                'handler' => $stack,
                'verify' => '/var/www/vhosts/path/to/my/site/cacert.pem',
            ]);

I'm using cacert.pem from https://curl.haxx.se/docs/caextract.html as linked in the 505 comment above. The error message is: error loading feed content: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html). Did I add it wrong?

K232 commented 5 years ago

Ah, maybe I just have a wrong path? If I set verify = false (for testing only, of course), the error message disappears...

jtojnar commented 5 years ago

You can try \F3::get('BASEDIR') . '/data/ca-bundle.crt' and download the file Guzzle links to https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt. Not sure why cacert.pem does not work.

Edit: hmm, that file is the same as http://curl.haxx.se/ca/cacert.pem

K232 commented 5 years ago

No problem, @jtojnar. The page I tried to add resulted (with verify = false) in the error "is invalid XML, likely due to invalid characters. XML error: Undeclared entity error at line 39, column 55", so it doesn't work anyway, but that's not the problem of selfoss. Probably it would be nice to have this setting in the config, so I don't know whether I should close this issue. Feel free to close! And thanks a lot for your support!! 👍

jtojnar commented 5 years ago

Let’s keep this open until we add the config option.

jtojnar commented 5 years ago

Actually, we might want selfoss to obtain the cacert.pem file. But then the issue becomes how do we verify that the download itself was not MITMed.
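
The two checks raised in this thread (is the bundle path passed to Guzzle's 'verify' option actually a readable CA bundle, and was the downloaded file tampered with) can be combined in one pre-flight function. This is an added example, not part of the thread and not selfoss code: `checkCaBundle` is a hypothetical helper, and the pinned SHA-256 digest is assumed to reach the application through a channel trusted independently of the download, for example shipped with the release.

```php
<?php
/**
 * Validate a PEM CA bundle and optionally compare it to a pinned SHA-256 digest.
 * Returns ['ok' => bool, 'errors' => string[], 'certs' => int, 'sha256' => ?string].
 */
function checkCaBundle(string $path, ?string $pinnedSha256 = null): array
{
    $result = ['ok' => false, 'errors' => [], 'certs' => 0, 'sha256' => null];

    // A wrong path is the first thing to rule out; open_basedir on shared hosts can also block the read.
    if (!is_file($path) || !is_readable($path)) {
        $result['errors'][] = "not a readable file: $path";
        return $result;
    }
    $pem = file_get_contents($path);
    $result['sha256'] = hash('sha256', $pem);

    // Integrity: compare against the pinned digest in constant time.
    if ($pinnedSha256 !== null && !hash_equals(strtolower($pinnedSha256), $result['sha256'])) {
        $result['errors'][] = 'SHA-256 does not match the pinned digest';
    }

    // Every PEM block must parse as an X.509 certificate.
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    foreach ($m[0] as $i => $block) {
        if (openssl_x509_parse($block) === false) {
            $result['errors'][] = "block #$i is not a valid certificate";
        } else {
            $result['certs']++;
        }
    }
    if ($result['certs'] === 0) {
        $result['errors'][] = 'no certificates found (HTML error page or truncated download?)';
    }
    $result['ok'] = $result['errors'] === [];
    return $result;
}

// Constructed demo input: a throwaway self-signed certificate stands in for a real bundle.
$key = openssl_pkey_new(['private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'constructed-test-ca'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 1), $certPem);
$bundle = tempnam(sys_get_temp_dir(), 'ca');
file_put_contents($bundle, $certPem);

var_dump(checkCaBundle($bundle, hash('sha256', $certPem))['ok']);  // case: digest matches the pin
var_dump(checkCaBundle($bundle, str_repeat('0', 64))['errors']);   // case: digest differs from the pin
var_dump(checkCaBundle('/nonexistent/cacert.pem')['errors']);      // case: path does not exist
unlink($bundle);
```

Only a bundle for which `ok` is true should be handed to 'verify'; on failure, keeping verification on with the previous known-good bundle is safer than falling back to verify = false.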