8

After installing Homebrew PHP 5.5 on Mac OS Yosemite following this answer's steps, I found that I could connect to the external SSL hosts which previously gave me an 'Error Number:56 Error String:SSLRead() return error -9806'. This problem has been fixed.

But now, at my day job I run into another SSL issue with another HOST: Canvas API.

Running the following Curl on terminal (using OSX native curl)

curl -v -H "Accept: application/json" -H "Content-type: application/json" -X GET \
  -d '{"userid": "mohit", "password":"password"}' https://canvas.instructure.com/api/v1/accounts

works fine, but through PHP I am getting SSL certificate problem: unable to get local issuer certificate.

So my original issue is fixed now that I use OpenSSL in PHP Curling, but I got this new issue.

I did try to add a PEM file to my php.ini, curl.cainfo = "/usr/local/cacert.pem" but that triggered another error

error setting certificate verify locations: CAfile: /usr/local/cacert.pem CApath: none.

I am a bit puzzled. I need to have the Brew PHP Curl version working for both APIs. Now the one that wasn't working is working, but the other one, which was working, isn't (it throws the unable to get local issuer certificate message). Any wisdom would be appreciated.

EDIT: Curl output from php -i:

cURL support => enabled
cURL Information => 7.38.0
Age => 3
Features
AsynchDNS => No
CharConv => No
Debug => No
GSS-Negotiate => No
IDN => No
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => Yes
SPNEGO => No
SSL => Yes
SSPI => No
TLS-SRP => Yes
Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps,
             pop3, pop3s, rtsp, smtp, smtps, telnet, tftp
Host => x86_64-apple-darwin14.0.0
SSL Version => OpenSSL/1.0.1j
ZLib Version => 1.2.5
Mattijs
  • Can you add the cURL section of the `phpinfo()` output? – Alexander O'Mara Oct 31 '14 at 03:05
  • Which `php.ini` did you edit? The one for Apple's stock php would be in `/etc/php.ini`. Homebrew's `php.ini` would be in `/usr/local/etc/php/5.5/php.ini`. – Asaph Oct 31 '14 at 03:53
  • @Asaph I edited the php.ini in the homebrew location. I disabled the Apple PHP in my Apache, and when I do php -i I see I am using the homebrew version. In your previous post you did not tell me to add or change anything in the php.ini, so I only added my xdebug settings. Did I forget to enable something in my php.ini? – Mattijs Oct 31 '14 at 05:31

2 Answers

11

This looks to be a bug in homebrew's curl formula for which I have just submitted a fix. https://canvas.instructure.com/ has a certificate issued by GoDaddy and those don't seem to be working with a brewed curl that uses a brewed openssl. If/when the maintainers of homebrew accept my patch, you'll be able to simply get this fix with:

$ brew rm curl # remove your broken brewed curl
$ brew update
$ brew install --with-openssl curl

Until that happens, you can install the fix directly from my pull request like this:

$ brew rm curl # remove your broken brewed curl
$ brew install --with-openssl https://raw.githubusercontent.com/asaph/homebrew/curl-openssl-godaddy-ca-bug/Library/Formula/curl.rb

Update:

The homebrew maintainers merged my patch so the fix is officially in homebrew now. So just run the first 3 commands I described above. No need to install from the pull request anymore.

Asaph
0

In my case there was a problem with the certificate itself.

I didn't create a bundle like this:

#cat public.crt intermediate.crt >> bundle.crt

Instead, I used the public.crt only.

So, if you have an intermediate certificate, just try creating a bundle.

Be careful: the order of certificates in the bundle matters; public.crt must go first.

Try checking my answer in the parallel topic.

Dmitry
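
The two failure modes on this page can be checked from the shell before touching `php.ini` or the web server. This is an added example, not code from the question or from either answer; the function names `check_cafile` and `check_bundle_order` are hypothetical, and the second function assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: function names are hypothetical. Typical use with the page's files:
#   check_cafile /usr/local/cacert.pem ; check_bundle_order bundle.crt

# check_cafile PATH
# "error setting certificate verify locations" means the CA file could not
# be loaded. Returns 0 ok, 1 missing, 2 unreadable, 3 no PEM certificates.
check_cafile() {
    f=$1
    [ -e "$f" ] || { echo "missing: $f"; return 1; }
    [ -r "$f" ] || { echo "unreadable by this user: $f"; return 2; }
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$n" -gt 0 ] || { echo "no PEM certificates in: $f"; return 3; }
    echo "ok: $f holds $n certificate(s)"
}

# check_bundle_order BUNDLE
# Checks that each certificate's issuer name equals the subject name of the
# next one (server certificate first, then intermediates). This compares
# names only; it does not verify signatures.
# Returns 0 ok, 4 tooling problem, 5 wrong order or missing link.
check_bundle_order() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 4; }
    tmp=$(mktemp -d) || return 4
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (d "/" n ".pem")}' "$1"
    i=1 rc=0
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer |
                 sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject |
                  sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))"
            rc=5
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}
```

A return of 1 or 2 from `check_cafile` on the path set in `curl.cainfo` points at the path or its permissions rather than at the remote host's certificate.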