Closed: DrizzlyOwl closed this 4 years ago
Dunno. You seen https://github.com/rackspace/php-opencloud/issues/727?
I'm not presented with the same curl error number. My factory looks like this:
    $this->client = new Rackspace(
        Rackspace::UK_IDENTITY_ENDPOINT,
        [
            'username' => $user,
            'apiKey'   => $pass,
        ],
        [
            Rackspace::CURL_OPTIONS => [
                CURLOPT_SSL_VERIFYPEER => true, // verify the server certificate chain
                CURLOPT_SSL_VERIFYHOST => 2,    // and that the certificate matches the host name
            ],
            Rackspace::REQUEST_OPTIONS => [
                'debug' => true,                // emit curl's verbose handshake log
            ],
        ]
    );
and I mitigated the certificate authority issue by updating guzzle's CA store:
    curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem
    cp cacert.pem ./vendor/guzzle/guzzle/src/Guzzle/Http/Resources/cacert.pem
The debug option from guzzle reports:
    Connected to lon.servers.api.rackspacecloud.com (37.188.100.146) port 443 (#1)
    ALPN, offering http/1.1
    successfully set certificate verify locations:
      CAfile: /usr/src/app/vendor/guzzle/guzzle/src/Guzzle/Http/Resources/cacert.pem
      CApath: /etc/ssl/certs
    error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
    Closing connection 1
and I get
    [curl] 35: [url] https://lon.servers.api.rackspacecloud.com/v2/10018373/extensions
back from the Guzzle exception.
Hrm... you're right. I don't use PHP for talking to the servers endpoint. Other endpoints and regions look OK. Sounds like one for Rackspace support.
OK, so after a good head scratch I found out that it was the PHP OpenSSL configuration. I use Docker, so I simply shipped my own copy of the default openssl.conf with a minor amendment:
    [system_default_sect]
    MinProtocol = TLSv1.2
    # CipherString = DEFAULT@SECLEVEL=2   (commented out to lower the default security level)
Whilst this is not the most glamorous solution, it works for my use case.
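For anyone who would rather not lower the OpenSSL security level for every TLS user in the container, here is an added example (it is not code from this thread or from php-opencloud) that applies the same SECLEVEL change to just the php-opencloud client's cURL handle, plus a small probe that shows whether the handshake fails at level 2 and succeeds at level 1. It assumes PHP's curl extension is linked against libcurl with the OpenSSL backend (OpenSSL 1.1.0 or later, so that the cipher string understands the `@SECLEVEL=` suffix; other TLS backends use a different cipher-string syntax), and that `$user` and `$pass` hold the same credentials as the factory earlier in the thread.

```php
<?php
// Added example, not part of the original issue or of php-opencloud.
// Scopes the lowered OpenSSL security level to one cURL handle instead of
// changing openssl.cnf for the whole container. Assumes libcurl + OpenSSL >= 1.1.0.

require __DIR__ . '/vendor/autoload.php';

use OpenCloud\Rackspace;

/**
 * Diagnostic: attempt a TLS handshake to $url at the given OpenSSL security
 * level and return [curl_errno, curl_error]. Certificate and hostname
 * verification stay on; only the security level changes. errno 35 is
 * CURLE_SSL_CONNECT_ERROR, the "[curl] 35" reported in the thread.
 */
function probeHandshake(string $url, int $secLevel): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY          => true,   // HEAD request; we only care about the handshake
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        // Passed straight to SSL_CTX_set_cipher_list(); the @SECLEVEL suffix
        // overrides the CipherString from openssl.cnf for this handle only.
        CURLOPT_SSL_CIPHER_LIST => 'DEFAULT@SECLEVEL=' . $secLevel,
        CURLOPT_TIMEOUT         => 10,
    ]);
    curl_exec($ch);
    $result = [curl_errno($ch), curl_error($ch)];
    curl_close($ch);
    return $result;
}

/**
 * Build the php-opencloud client with the same per-handle cipher string, so
 * the rest of the process keeps the system default security level.
 */
function makeRackspaceClient(string $user, string $pass, int $secLevel = 1): Rackspace
{
    return new Rackspace(
        Rackspace::UK_IDENTITY_ENDPOINT,
        ['username' => $user, 'apiKey' => $pass],
        [
            Rackspace::CURL_OPTIONS => [
                CURLOPT_SSL_VERIFYPEER  => true,
                CURLOPT_SSL_VERIFYHOST  => 2,
                CURLOPT_SSL_CIPHER_LIST => 'DEFAULT@SECLEVEL=' . $secLevel,
            ],
        ]
    );
}

// Usage: confirm the diagnosis first, then build the client at the lowest
// level that actually works (here the thread's finding: 2 fails, 1 succeeds).
$endpoint = 'https://lon.servers.api.rackspacecloud.com/';
foreach ([2, 1] as $level) {
    [$errno, $error] = probeHandshake($endpoint, $level);
    printf("SECLEVEL=%d: %s\n", $level, $errno === 0 ? 'handshake OK' : "curl $errno: $error");
}

$user = getenv('RS_USERNAME') ?: 'user';   // assumed: credentials come from the environment
$pass = getenv('RS_API_KEY')  ?: 'apikey';
$client = makeRackspaceClient($user, $pass, 1);
```

Because the cipher string is set on the handle rather than in `[system_default_sect]`, other code in the same container that talks to properly configured servers continues to run at the distribution's default level; keep `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` enabled regardless, since the security level is about signature and key strength, not about whether the chain is checked at all.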
I'm unable to connect to https://lon.servers.api.rackspacecloud.com/ using guzzle anymore as the SSL certificate in use is no longer trusted.
Mozilla Firefox reports: "Certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign are no longer considered safe because these certificate authorities failed to follow security practices in the past."
I believe this is likely related to https://knowledge.digicert.com/alerts/ALERT2562.html.
https://blog.qualys.com/ssllabs/2017/09/26/google-and-mozilla-deprecating-existing-symantec-certificates
https://www.ssllabs.com/ssltest/analyze.html?d=lon.servers.api.rackspacecloud.com