Composer self signed cert

Question

Updated to the lastest release of composer. For years we have been hosting our package repository on http with no issues but now composer says it needs to connect over https. I can get round this by placing :-

    "secure-http": false

in my composer.json config statement. However I feel this is a bit of a work around and would like to get the https service connecting correcting. To achive this I've created a self signing certificate on the hosting server and enabled ssl. I can connect to the repository using my browser(with the usual exception message) but composer still refuses to connect to it.

My question is do I need to install a different certificate to get this to work?

How about create root cert and sign server cert, than install the root cert in the system key chain / certificate store? — Ken Cheung, Mar 03 '16 at 08:54
`hosting our package repository` Do you use Satis? // You could use a free SSL cert from https://letsencrypt.org/ — Jens A. Koch, Mar 03 '16 at 10:52
Unfortunately not - its an internal system and I'm not sure using a beta software on the server would be a good idea. — Graham Dodgson, Mar 03 '16 at 10:57

score 8 · Accepted Answer · edited Mar 03 '16 at 13:10

Sort of pointed me in the right direction - I concatenated my certificate and key files into a pen file and then did:

"repositories": [
    {
        "type": "composer",
        "url": "https://packages.at.my.company.com",
        "options": {
            "ssl": {
                "verify_peer": true,
                "allow_self_signed": true,
                "local_cert": "/etc/apache2/ssl/packages.pem"
            }
        }
    }
],

Jens A. Koch · Answer 2 · 2016-03-03T11:26:34.583

3

I suggest to setup an internal package store using Satis and combine it with using a self-signed cert. But you could also swap the self-signed cert for a trusted one.

Configure your cafile and local_cert and allow using a self_signed certs, e.g.

 "repositories": [
        {
            "type": "composer",
            "url":  "https://packages.company.com/vendor",
            "options": {
                "ssl": {
                    "verify_peer": true,
                    "allow_self_signed": true,
                    "cafile": "scripts/build/config/cert/vendor.ca.pem",
                    "local_cert": "scripts/build/config/cert/client.pem"
                }
            }
        }
    ]

Docu: https://getcomposer.org/doc/articles/handling-private-packages-with-satis.md#satis

edited Mar 03 '16 at 11:26

answered Mar 03 '16 at 11:19

Jens A. Koch

39,862
13
113
141

Sort of pointed me in the right direction - I concatenated my certificate and key files into a pen file and then did:- "repositories": [ { "type": "composer", "url": "https://packages.at.my.company.com", "options": { "ssl": { "verify_peer": true, "allow_self_signed": true, "local_cert": "/etc/apache2/ssl/packages.pem" } } } ], – Graham Dodgson Mar 03 '16 at 11:42
Glad i could help a bit :) – Jens A. Koch Mar 03 '16 at 12:24

Composer self signed cert

2 Answers2

Linked