3

I had a problem. When I send a POST request over HTTPS with the cURL library, I get the error: `SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed`, using the current certificate. I tried various certificates from http://www.startssl.com/certs/ and from http://curl.haxx.se/docs/caextract.html. What could be the cause of the error? Here's the code of the POST request:

    curl_setopt($process, CURLOPT_USERAGENT, $this->user_agent);
    curl_setopt($process, CURLOPT_COOKIEFILE, $this->cookie_file);
    curl_setopt($process, CURLOPT_COOKIEJAR, $this->cookie_file);
    curl_setopt($process, CURLOPT_ENCODING , '');
    curl_setopt($process, CURLOPT_CONNECTTIMEOUT, 120); 
    curl_setopt($process, CURLOPT_TIMEOUT, 120);
    curl_setopt($process, CURLOPT_PROXY,$this->proxy);
    curl_setopt($process, CURLOPT_POSTFIELDS, $data);
    curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($process, CURLOPT_POST, 1);
    curl_setopt($process,CURLOPT_VERBOSE,1);

    if($ssl){
        curl_setopt ($process, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt ($process, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($process ,CURLOPT_CAINFO, YiiBase::getPathOfAlias('webroot').'/files/GTECyberTrustGlobalRoot.crt');
    }
    curl_setopt ($process, CURLOPT_HTTPHEADER, array('Expect:'));
    $return = curl_exec($process);

    $this->error_code = curl_getinfo($process,  CURLINFO_HTTP_CODE);
Alex Alexandrov
  • Did you try with a self-signed certificate? – MatRt Mar 04 '13 at 12:42
  • According to this article: http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/ you are doing too much when SSL is enabled. If you set `CURLOPT_SSL_VERIFYPEER` to false, there is no need to set `CURLOPT_CAINFO` and `CURLOPT_SSL_VERIFYHOST`. – MatRt Mar 04 '13 at 12:47
  • Yes, I went through a browser to the site where I am trying to send requests, stored the certificate from the browser and used it when making a request; the same result. – Alex Alexandrov Mar 04 '13 at 12:47
  • Moreover, `CURLOPT_SSL_VERIFYHOST` seems to take an integer (0, 1, 2) and not a boolean. – MatRt Mar 04 '13 at 12:49
  • `curl_setopt ($process, CURLOPT_SSL_VERIFYPEER, 1); curl_setopt ($process, CURLOPT_SSL_VERIFYHOST, 2);` still not working. – Alex Alexandrov Mar 04 '13 at 12:50
  • `CURLOPT_SSL_VERIFYPEER` takes a `BOOLEAN` and `CURLOPT_SSL_VERIFYHOST` takes an `INTEGER`. When using SSL, just try with `curl_setopt ($process, CURLOPT_SSL_VERIFYPEER, false);` (skip verification of the certificate). And what is the purpose of `curl_setopt ($process, CURLOPT_HTTPHEADER, array('Expect:'));`? – MatRt Mar 04 '13 at 12:52
  • I cut `curl_setopt ($process, CURLOPT_HTTPHEADER, array('Expect:'));` and with `(CURLOPT_SSL_VERIFYPEER, false)` it is still the old error: "SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed". – Alex Alexandrov Mar 04 '13 at 12:58
  • Did you also comment out the 2 other lines (about `CURLOPT_SSL_VERIFYHOST` and `CURLOPT_CAINFO`)? – MatRt Mar 04 '13 at 13:07
  • Yesterday it worked without problems, but today there is the fault. `curl_setopt ($process, CURLOPT_SSL_VERIFYPEER, false); curl_setopt ($process, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($process ,CURLOPT_CAINFO, YiiBase::getPathOfAlias('webroot').'/files/GTECyberTrustGlobalRoot.crt');` – Alex Alexandrov Mar 04 '13 at 13:16
  • I wrote an answer and gave a working example. – MatRt Mar 04 '13 at 13:22
  • If you're after security, [**do not disable verifypeer or verifyhost**](http://stackoverflow.com/a/13742121/372643). – Bruno Mar 04 '13 at 13:30

1 Answer

6

Here is a working example. You should take a look at your options (reduce the number of options for testing) and just set `CURLOPT_SSL_VERIFYPEER` to false in order to disable the CA check.

    // connect via SSL, but don't check cert
    $handle = curl_init('https://www.google.com');
    curl_setopt($handle, CURLOPT_VERBOSE, true);
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
    $content = curl_exec($handle);

    echo $content; // show target page

MatRt
  • Thanks for your suggestions and advice. I admit negligence, and because of it there was a mistake. – Alex Alexandrov Mar 04 '13 at 13:47
  • @Bruno I completely understand but in the interest of resolving the question please find/post the cURL feedback – Eric Kigathi Jul 15 '17 at 09:41
  • Very bad advice; see [The most dangerous code in the world: validating SSL certificates in non-browser software](http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html). Instead of disabling the certificate verification, you should explain how to make the connection work with *`GTECyberTrustGlobalRoot.crt`* as the OP is trying to do. – jww Feb 27 '18 at 17:49
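
The alternative that Bruno's and jww's comments point to, as an added example that is not part of the original thread: the same kind of POST with peer and host verification left on and the CA file actually used, surfacing the cURL error instead of switching the check off. The function name `verified_post`, the URL and the `cacert.pem` path are assumptions.

```php
<?php
// Added example: POST over HTTPS with certificate verification left on.
// $caBundle is an assumption: a PEM file holding the CA(s) that issued the
// server's chain (for instance the bundle from curl's caextract page).
function verified_post(string $url, array $data, string $caBundle): array
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    // CURLOPT_CAINFO expects PEM; a DER-encoded .crt will not load.
    if (strpos(file_get_contents($caBundle), '-----BEGIN CERTIFICATE-----') === false) {
        throw new RuntimeException("CA bundle is not PEM encoded: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($data),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 30,
        CURLOPT_TIMEOUT        => 120,
        CURLOPT_SSL_VERIFYPEER => true, // check the chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,    // integer 2: certificate name must match the host
        CURLOPT_CAINFO         => $caBundle,
    ]);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    $code  = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($body === false) {
        // Report the TLS failure rather than retrying without verification.
        throw new RuntimeException("cURL error $errno: $error");
    }
    return ['status' => $code, 'body' => $body];
}

// Constructed usage; the URL and the bundle path are placeholders.
try {
    $r = verified_post('https://example.com/api', ['k' => 'v'], __DIR__ . '/cacert.pem');
    echo $r['status'], PHP_EOL;
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```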