1

I'm having a problem locally (Fedora) that I'm not seeing on my server (RedHat). When using php's curl functions in a script that runs under apache, I can't connect to HTTPS servers. When I run the exact same script from the CLI, it has no trouble connecting. I have no trouble connecting to HTTP servers, only to HTTPS. When I run the exact same script on my RedHat server, it works fine under apache and from the CLI.

Here's the script:

<?php

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => "https://www.google.com/",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_VERBOSE => true,
]);

$result = curl_exec($ch);
$headers = curl_getinfo($ch);

echo "Result:\n";
var_export($result);
echo "\n\nHeaders:\n";
var_export($headers);

?>

When I run it under apache, I get this output:

Result:
false

Headers:
array (
  'url' => 'https://www.google.com/',
  'content_type' => NULL,
  'http_code' => 0,
  'header_size' => 0,
  'request_size' => 0,
  'filetime' => -1,
  'ssl_verify_result' => 0,
  'redirect_count' => 0,
  'total_time' => 0.028444000000000001,
  'namelookup_time' => 0.028337000000000001,
  'connect_time' => 0.040409,
  'pretransfer_time' => 0,
  'size_upload' => 0,
  'size_download' => 0,
  'speed_download' => 0,
  'speed_upload' => 0,
  'download_content_length' => -1,
  'upload_content_length' => -1,
  'starttransfer_time' => 0,
  'redirect_time' => 0,
  'redirect_url' => '',
  'primary_ip' => '74.125.226.146',
  'certinfo' => 
  array (
  ),
  'primary_port' => 443,
  'local_ip' => '192.168.5.197',
  'local_port' => 39900,
)

.. and this in the error log:

* Adding handle: conn: 0x7fdaff4ba4b0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 1 (0x7fdaff4ba4b0) send_pipe: 1, recv_pipe: 0
* About to connect() to www.google.com port 443 (#1)
*   Trying 74.125.226.146...
* Connected to www.google.com (74.125.226.146) port 443 (#1)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Unable to initialize NSS database
* Initializing NSS with certpath: none
* Unable to initialize NSS
* Closing connection 1

When run in the CLI, I get this output:

* Adding handle: conn: 0x7fb9c7c6b670
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fb9c7c6b670) send_pipe: 1, recv_pipe: 0
* About to connect() to www.google.com port 443 (#0)
*   Trying 74.125.226.148...
* Connected to www.google.com (74.125.226.148) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_SHA
* Server certificate:
*       subject: CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
*       start date: Dec 11 12:02:58 2013 GMT
*       expire date: Apr 10 00:00:00 2014 GMT
*       common name: www.google.com
*       issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
> GET / HTTP/1.1
Host: www.google.com
Accept: */*

< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Location: https://www.google.ca/?gfe_rd=cr&ei=DQLgUsKrCoWN8Qeo9oAo
< Content-Length: 257
< Date: Wed, 22 Jan 2014 17:38:21 GMT
* Server GFE/2.0 is not blacklisted
< Server: GFE/2.0
< Alternate-Protocol: 443:quic
< 
* Connection #0 to host www.google.com left intact
Result:
'<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.ca/?gfe_rd=cr&amp;ei=DQLgUsKrCoWN8Qeo9oAo">here</A>.
</BODY></HTML>
'

Headers:
array (
  'url' => 'https://www.google.com/',
  'content_type' => 'text/html; charset=UTF-8',
  'http_code' => 302,
  'header_size' => 259,
  'request_size' => 53,
  'filetime' => -1,
  'ssl_verify_result' => 0,
  'redirect_count' => 0,
  'total_time' => 0.210087,
  'namelookup_time' => 0.028376999999999999,
  'connect_time' => 0.041487000000000003,
  'pretransfer_time' => 0.19747600000000001,
  'size_upload' => 0,
  'size_download' => 257,
  'speed_download' => 1223,
  'speed_upload' => 0,
  'download_content_length' => 257,
  'upload_content_length' => 0,
  'starttransfer_time' => 0.210032,
  'redirect_time' => 0,
  'redirect_url' => 'https://www.google.ca/?gfe_rd=cr&ei=DQLgUsKrCoWN8Qeo9oAo',
  'primary_ip' => '74.125.226.148',
  'certinfo' => 
  array (
  ),
  'primary_port' => 443,
  'local_ip' => '192.168.5.197',
  'local_port' => 50454,
)

Any ideas? Thanks. This is PHP 5.5.7.

Greg
  • 12,119
  • 5
  • 32
  • 34
  • I should mention that /bin/curl also works, and that I've tried setting CURLOPT_CAINFO, but that results were the same. – Greg Jan 22 '14 at 17:48

3 Answers3

5

I restarted Apache and the problem went away. I checked my system package install log (/var/log/yum.log) and found that an update to NSS was installed. I guess you're supposed to restart Apache after upgrading.

Greg
  • 12,119
  • 5
  • 32
  • 34
  • I disabled the suexec module at almost the same time that I updated system packages, and then all of a sudden I couldn't curl to https. I jumped to the conclusion that it was the config change and reverted it and restarted httpd, but now I know the restart was the only thing required. – byoungb Dec 08 '14 at 20:35
  • I would add you have to do a full restart and not graceful from what I saw. – MrTippet Sep 03 '15 at 17:44
  • same issues but after restarting the apache still not working. Should I do a full restart on our server? – reggie May 22 '17 at 04:16
  • Same issue here. Verified in /var/log/yum.log that some updates were run: openssl, nss, and a few other things. Running "apachectl restart" didn't help, but running "apachectl stop" and then "apachectl start" fixed it. – joecullin Nov 04 '18 at 13:01
0

Maybe you should try the insecure setting in your PHP code as suggested here.

Also you can try curl from the command line to see if your curl installation works as designed by running the following command in a terminal

curl --insecure <your-url>
Community
  • 1
  • 1
m4r10k
  • 1,087
  • 8
  • 8
  • I'm using it to connect to PayPal, so CURLOPT_SSL_VERIFYHOST=false isn't an option. Everything at the CLI, including /bin/curl, works even without the --insecure option. – Greg Jan 22 '14 at 18:12
  • Thats true, but does it work with CURLOPT_SSL_VERIFYHOST=false, just for a test? Maybe if this works, the Apache PHP combination could not access the public certificates of the hosts you would like to connect to. – m4r10k Jan 22 '14 at 18:19
  • Hm. It didn't even work with CURLOPT_SSL_VERIFYHOST=false. Same output. – Greg Jan 22 '14 at 20:25
0

Was your php compiled with --with-open-ssl=/usr/local/ssl ?
Check that with <?php phpinfo(); ?>
Look for a box with header, "OpenSSL." If you see it there, then your PHP installation now has SSL support enabled.

More Info

Pedro Lobito
  • 94,083
  • 31
  • 258
  • 268
  • I checked both phpinfo(); under apache and php -i. Same results. I don't see --with-open-ssl in either, but I do see: under OpenSSL: OpenSSL support => enabled under 'curl': SSL Version => NSS/3.15.2 – Greg Jan 23 '14 at 14:13