SSL: certificate verification failed on OS X 10.11.6

[monyiliev]

Getting an exception:

'MaxMind\Exception\HttpException' with message 'cURL error (51): SSL: certificate verification failed (result: 5)'

This only happens locally on OS X El Capitan (10.11.6) and It might have to do with the SSL version used by php and/or curl (SecureTransport instead of OpenSSL).

php -i | grep "SSL Version"
SSL Version => SecureTransport

While looking for a workaround, I tried specifying another cacert.pem in new Client() and it worked out. The cacert.pem used was the one provided by composer residing in ~/.composer/cacert.pem

[oschwald]

Thanks for reporting. As you mentioned, I suspect the issue has to do with the particular version of OpenSSL with the bundle, which is a recent distribution from curl. It would likely make sense for us to just switch to the new composer/ca-bundle utility package, as that has the advantage of using the system certs when available.

[monyiliev]

@oschwald thanks for the speedy reply. Yes, that would probably make the most sense. Another workaround would be to use a homebrew version of curl and php that uses OpenSSL, but it makes it very system dependent for other developers.

[ChadTaljaardt]

I'm having this issue as well but don't know how to fix it ;/

[oschwald]

Would you both be able to try 2.4.2, which was just released today? It uses composer/ca-bundle to find an appropriate CA bundle.

[oschwald]

Also, are you both using Mac OS X?

[ChadTaljaardt]

Im using 10.11.6 (15G31)

[oschwald]

@ChadTaljaardt, what version of this library do you have installed? You can find it by typing composer info

[ChadTaljaardt]

geoip2/geoip2 v2.4.2 MaxMind GeoIP2 PHP API

I just installed it recently

[oschwald]

@ChadTaljaardt, what is the output of php -r "var_dump(curl_version());"?

[ChadTaljaardt]

@oschwald Hello,

Thanks for the response.

array(9) {
  ["version_number"]=>
  int(469760)
  ["age"]=>
  int(3)
  ["features"]=>
  int(951197)
  ["ssl_version_number"]=>
  int(0)
  ["version"]=>
  string(6) "7.43.0"
  ["host"]=>
  string(23) "x86_64-apple-darwin15.0"
  ["ssl_version"]=>
  string(15) "SecureTransport"
  ["libz_version"]=>
  string(5) "1.2.5"
  ["protocols"]=>
  array(20) {
    [0]=>
    string(4) "dict"
    [1]=>
    string(4) "file"
    [2]=>
    string(3) "ftp"
    [3]=>
    string(4) "ftps"
    [4]=>
    string(6) "gopher"
    [5]=>
    string(4) "http"
    [6]=>
    string(5) "https"
    [7]=>
    string(4) "imap"
    [8]=>
    string(5) "imaps"
    [9]=>
    string(4) "ldap"
    [10]=>
    string(5) "ldaps"
    [11]=>
    string(4) "pop3"
    [12]=>
    string(5) "pop3s"
    [13]=>
    string(4) "rtsp"
    [14]=>
    string(3) "smb"
    [15]=>
    string(4) "smbs"
    [16]=>
    string(4) "smtp"
    [17]=>
    string(5) "smtps"
    [18]=>
    string(6) "telnet"
    [19]=>
    string(4) "tftp"
  }
}

[oschwald]

@ChadTaljaardt, @monyiliev, could you test composer require geoip2/geoip2:dev-greg/osx-securetransport-fix to let me know if that dev version works for you? If so, I'll do a release with the fix.

[ChadTaljaardt]

This works for me 💯

[oschwald]

I did a release of maxmind/web-service-common with the fix. You might want to switch your geoip2/geoip2 version back to ^2.4. A composer update should pull in the latest version of maxmind/web-service-common..

[ChadTaljaardt]

Thanks for all the help :)