zendframework / zend-http

Http component from Zend Framework
BSD 3-Clause "New" or "Revised" License

Error in cURL request: SSL certificate problem: unable to get local issuer certificate error with Socket adapter and CURLOPT_SSL_VERIFYPEER = false #81

Closed: GeeH closed this issue 5 years ago

GeeH commented 8 years ago

This issue has been moved from the zendframework repository as part of the bug migration program as outlined here - http://framework.zend.com/blog/2016-04-11-issue-closures.html


Original Issue: https://api.github.com/repos/zendframework/zendframework/issues/7698
User: @lucian303
Created On: 2016-04-28T23:38:21Z
Updated At: 2016-06-28T12:48:26Z

Body:

Error in cURL request: SSL certificate problem: unable to get local issuer certificate

I'm getting the above error:

1) With the Socket adapter
2) With the CURL adapter and CURLOPT_SSL_VERIFYPEER set to false
3) With both adapters configured with a CA chain certificate file

SSL certificate verification only happens with some SSL hosts, not others, even though they all share the same wildcard SSL certificate (*.unifiedcompliance.com). I just fixed this for the Guzzle client, but there seems to be no way to configure the Zend Http Client correctly. It seems to ignore almost all options I provide it.

My code:

```php
<?php
// Imports added so the snippet runs as posted; the rest is the original code.
use Zend\Http\Client;
use Zend\Http\Client\Adapter\Socket;
use Zend\Http\Request;
use Zend\Http\Response;
use Zend\Json\Json;

$host = 'https://apidev2.unifiedcompliance.com';
$options = [
    'adapter' => Socket::class,
];
$client = new Client($host, $options);

$request = new Request();
$request->setUri($host);
$client->setMethod($request->getMethod());
$request->getHeaders()->addHeaderLine('Authorization', 'Bearer ACTUAL_TOKEN_HERE');
$request->getHeaders()->addHeaderLine('Accept', "application/vnd.ucf.v1+json");

/** @var Response $response */
$response = $client->dispatch($request);
$responseArray = Json::decode($response->getBody(), Json::TYPE_ARRAY);
```

This is what options should be and they should work, but ALL CURL options seem to be ignored by the Http Client:

```php
<?php
// Import added so the options array resolves; the array itself is the original code.
use Zend\Http\Client\Adapter\Curl;

$options = [
    'adapter' => Curl::class,
    'curloptions' => [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO => '/etc/ssl/certs/gd_bundle-g2-g1.crt',
    ]
];
```

I've also tried setting curl.cainfo, openssl.capath (or whatever the variables are in php.ini, I've tried setting them all and none have any effect on this). I'm running PHP 7.0.5-3+donate.sury.org~trusty+1 so maybe that has something to do with it because previous versions probably did not try to verify SSL certificates. The certificate is from GoDaddy unfortunately and I don't believe its chain/root CA are in the default Ubuntu 14.04 settings, but I could be wrong about that. CLI curl works with the file specified. Guzzle works through PHP. It's pretty much all working outside of Zend Http Client.


Comment

User: @lucian303
Created On: 2016-04-29T16:44:19Z
Updated At: 2016-04-29T16:50:24Z

Body:

I managed to get the Socket adapter to actually work, but trying to specify SSL settings and set it up correctly doesn't work for that also. All options are ignored. I can successfully curl calls from that system using the certificate chain. I just can't get Zend Http Client to do anything w/ SSL.

```php
<?php
// Imports added so the snippet runs as posted; the constructor call is the original code.
use Zend\Http\Client;
use Zend\Http\Client\Adapter\Socket;

$client = new Client(null, [
    'adapter' => Socket::class,
    'ssl' => [
        'verify_peer' => true,
        'allow_self_signed' => false,
        'cafile' => '/etc/ssl/certs/gd_bundle-g2-g1.crt',
    ]
]);
```

leads to:

Unable to enable crypto on TCP connection authdev2.unifiedcompliance.com: make sure the "sslcafile" or "sslcapath" option are properly set for the environment.

Changing 'verify_peer' to false has no effect on this error. I really have no idea what to do at this point. Replacing the Zend Http Client with something else that supports SSL would be weeks of work.


ezimuel commented 7 years ago

@lucian303 we just merged #97 that allows the usage of sslcafile and sslcapath as options. This should fix or mitigate the issue. Can you try and let me know? Thanks!
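The following is an added example, not code from the zend-http project or from anyone in this thread. It shows one way to build a client whose chain verification is actually switched on for both adapters and to confirm, from the caller's side, that a refused handshake surfaces as an exception instead of a silently unverified request. It assumes zend-http is installed through Composer, that the Socket adapter reads the `sslcafile` / `sslcapath` keys named in this thread as top-level client options (not under an `ssl` sub-array, which is my reading of why the options in the earlier comments were ignored), and that `sslverifypeer` and `sslallowselfsigned` are the adapter's option names for peer verification (assumed; check your installed version). The CA bundle path, host and token are placeholders.

```php
<?php
// Added example; not the project's code. Assumptions are marked inline.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Zend\Http\Client;
use Zend\Http\Client\Adapter\Curl;
use Zend\Http\Client\Adapter\Socket;
use Zend\Http\Client\Adapter\Exception\RuntimeException as AdapterException;
use Zend\Http\Request;

// Placeholder: point this at the CA chain file that CLI curl already accepts.
const CA_BUNDLE = '/etc/ssl/certs/PLACEHOLDER-ca-bundle.crt';

/**
 * Socket adapter: TLS settings are adapter options and are handed to the adapter
 * from the top level of the client options array (assumed behaviour; an 'ssl'
 * sub-key is not consulted).
 */
function socketClient(string $caBundle): Client
{
    return new Client(null, [
        'adapter'            => Socket::class,
        'sslverifypeer'      => true,      // assumed option name
        'sslallowselfsigned' => false,     // assumed option name
        'sslcafile'          => $caBundle, // option named in this thread
    ]);
}

/**
 * Curl adapter: the same policy expressed as raw curl options under the
 * 'curloptions' key already used earlier in the thread.
 */
function curlClient(string $caBundle): Client
{
    return new Client(null, [
        'adapter'     => Curl::class,
        'curloptions' => [
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_CAINFO         => $caBundle,
        ],
    ]);
}

/**
 * Dispatch a GET and report whether the transport refused the connection.
 * For an untrusted chain the refusal is the correct outcome: the bearer token
 * is never sent over a connection whose peer could not be verified.
 */
function fetch(Client $client, string $url, string $token): array
{
    $request = new Request();
    $request->setUri($url);
    $request->setMethod(Request::METHOD_GET);
    $request->getHeaders()->addHeaderLine('Authorization', 'Bearer ' . $token);

    try {
        $response = $client->dispatch($request);
        return ['ok' => true, 'status' => $response->getStatusCode(), 'error' => null];
    } catch (AdapterException $e) {
        // "Unable to enable crypto ..." (Socket) and "Error in cURL request: ..."
        // (Curl) both arrive here as adapter runtime exceptions.
        return ['ok' => false, 'status' => null, 'error' => $e->getMessage()];
    }
}

$clients = [
    'socket' => socketClient(CA_BUNDLE),
    'curl'   => curlClient(CA_BUNDLE),
];

foreach ($clients as $name => $client) {
    // Placeholder host and token; replace with your own endpoint.
    $result = fetch($client, 'https://api.example.invalid/', 'PLACEHOLDER_TOKEN');
    printf(
        "%-6s ok=%s status=%s error=%s\n",
        $name,
        var_export($result['ok'], true),
        $result['status'] ?? '-',
        $result['error'] ?? '-'
    );
}
```

Run it twice: once with `CA_BUNDLE` pointing at a file that does not contain the issuer, expecting `ok=false` with the verification error for both adapters, and once with the correct chain, expecting `ok=true`. If the first run reports `ok=true`, the verification options are not reaching the adapter and the client is talking to an unverified peer.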

michalbundyra commented 5 years ago

Closing due to lack of feedback.