Closed pgnd closed 3 years ago
Hello,
the options curl.cainfo and openssl.cafile cannot be set using ini_set. You can set these options from your HTTP server configuration.
For example, with apache, I tried the following successfully with a self-signed cert:
<Directory "/var/www/roundcube">
# ... other settings ...
php_value openssl.cafile /etc/radicale/cert.pem
</Directory>
the options curl.cainfo and openssl.cafile cannot be set using ini_set
pebkac. i assumed -- i should've checked the list :-/
with nginx, adding to RC config
...
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass phpfpm;
fastcgi_index index.php;
include fastcgi.conf;
+ fastcgi_param PHP_VALUE openssl.cafile="/srv/ssl/my_ca_chain.crt.pem";
}
works as intended -- local to RC config/instance. able to successfully add/use CardDAV stores.
perfect, thx @mstilkerich !
alternative, if willing to add cert to systemwide stores (e.g., on Fedora),
/bin/cp -af \
/srv/ssl/my_ca_chain.crt.pem \
/etc/pki/ca-trust/source/anchors/
update-ca-trust extract
works as well.
in the 'local' case, i do need to still check whether that openssl.cafile spec'n causes any limitations elsewhere in RC. iiuc, only the carddav plugin (so far) is using guzzle<libcurl ...
i've carddav plugin + roundcube installed.
i'm connecting to a radicale3 server.
i've configured the radicale portal to require own-CA/self-signed ssl cert with verification.
as long as I can provide it -- e.g. adding a valid local cert in Thunderbird CardDAV client, or Dav5X on Android -- all's good. I can connect to & interact with CardDAV server backend without error.
in this config, carddav plugin fails to connect,
iiuc, there's no php ssl stream context init'd here, which would allow easy config of own CA/crt/key.
instead, it appears that carddav is using guzzle, which needs ca cert in system paths @
/usr/local/src/roundcubemail/vendor/guzzlehttp/guzzle/src/Utils.php
i'd prefer not to add/maintain own certs in system-wide paths
which appears to leave specifying one of
i tried 1st to set the param locally resident to carddav plugin's config.inc.php
but that appears to have no effect; the error returned is the same, as above.
either my usage is wrong, or passing my self-signed cert + ca file paths to carddav needs another approach.
how do I get carddav<guzzle<libcurl using my certs?
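A diagnostic for the setup discussed in this thread, as an added example that is not part of the original posts or of the plugin's code: served through the same vhost or location as Roundcube, it reports the effective openssl.cafile and curl.cainfo values, whether ini_set() is allowed to change them, and which certificates the configured file contains. The function names ca_setting_report and list_pem_subjects are made up for this example.

```php
<?php
// Added example: show which CA settings the PHP process really uses.
// Run it through the web server, not the CLI, because per-directory values
// (php_value, fastcgi_param PHP_VALUE) only apply to requests in that scope.
declare(strict_types=1);

// Hypothetical helper: subject and expiry of every certificate in a PEM file.
function list_pem_subjects(string $path): array
{
    $out = [];
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        (string) file_get_contents($path), $m);
    foreach ($m[0] as $pem) {
        $info = function_exists('openssl_x509_parse') ? openssl_x509_parse($pem) : false;
        if ($info === false) {
            $out[] = 'certificate block could not be parsed';
            continue;
        }
        $expired = $info['validTo_time_t'] < time() ? ' (EXPIRED)' : '';
        $out[] = $info['name'] . ', valid to '
            . gmdate('Y-m-d', $info['validTo_time_t']) . $expired;
    }
    return $out;
}

// Hypothetical helper: effective value and runtime changeability of a directive.
function ca_setting_report(string $name): array
{
    $value = ini_get($name);            // false when the directive does not exist
    if ($value === false) {
        return ['name' => $name, 'status' => 'directive not available'];
    }
    // ini_set() returns false when the directive may not be changed at runtime.
    $allowed = @ini_set($name, $value) !== false;
    $report = ['name' => $name, 'value' => $value, 'ini_set_allowed' => $allowed];
    if ($value === '') {
        $report['status'] = 'not set, the library default trust store is used';
    } elseif (!is_readable($value)) {
        $report['status'] = 'file is not readable by the PHP process';
    } else {
        $report['status'] = 'ok';
        $report['certificates'] = list_pem_subjects($value);
    }
    return $report;
}

header('Content-Type: text/plain');
foreach (['openssl.cafile', 'curl.cainfo'] as $directive) {
    print_r(ca_setting_report($directive));
}
```

Remove the script once the check is done, since its output discloses file paths on the server.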