The new certificate is "Symantec Class 3 EV SSL CA - G3". The client has CentOS. There is no control over the server, it is third party. When the WSDL https address is loaded in Firefox and Chrome, both browsers show "Secure connection", no problem.

The WSDL address is https://palena.sii.cl/DTEWS/CrSeed.jws?WSDL

Test code:

```php
$success = false;
$attempts = 0;

while (($success === false) && ($attempts < 10)) {
    $attempts++;
    echo 'Attempt ' . $attempts . '<br>';

    try {
        $wsdl = 'https://palena.sii.cl/DTEWS/CrSeed.jws?WSDL';
        // SoapClient needs libxml's external entity loader enabled to fetch the
        // remote WSDL; keep the previous setting so it can be restored afterwards.
        $entity_loader_status_old = libxml_disable_entity_loader(false);
        $SoapClient = new SoapClient($wsdl);
        $seed = $SoapClient->getSeed();
        $success = true;
    } catch (Exception $Exception) {
        echo $Exception->getMessage() . '<br>';
    } finally {
        // Restore the previous entity loader setting whether or not the call succeeded.
        libxml_disable_entity_loader($entity_loader_status_old);
    }
}

if ($success === true) {
    echo 'SUCCESS';
} else {
    echo 'ERROR';
}
```

The connection is secure by default, because the PHP version is 5.6.22 (newer than 5.5.x).

mikl
  • Maybe cert installation was missing somewhere. Looks like the secure connection fails. – weirdo Dec 16 '16 at 01:24
  • @weirdo Indeed the secure connection fails; if I disable security it works. I need a secure connection. If cert installation was missing, then why does the browser show "Secure connection" when I load the WSDL in the browser? – mikl Dec 16 '16 at 01:30
  • Normally SOAP uses cURL to establish the connection. By default, cURL uses strict mode and will fail if the secure connection has an issue. If you have access to the server, try `curl https://palena.sii.cl/DTEWS/CrSeed.jws?WSDL` and see the output. – weirdo Dec 16 '16 at 01:36
  • What error do you get if you try `file_get_contents('https://palena.sii.cl/DTEWS/CrSeed.jws?WSDL')`? – Guillaume Boudreau Dec 16 '16 at 02:21
  • Possible duplicate of [OpenSSL: unable to verify the first certificate for Experian URL](http://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experian-url) – mikl Dec 16 '16 at 07:28
  • Nothing to do with the code ... Your certificate is not deployed properly - the intermediate one is missing from the chain (or incorrectly formatted). Your setup could do with other improvements too, see https://www.ssllabs.com/ssltest/analyze.html?d=palena.sii.cl&hideResults=on – Narf Dec 16 '16 at 12:23
  • @Narf Do you mean the CA bundle client-side, or do you mean server-side configuration? I have no control over the server. – mikl Dec 16 '16 at 19:41
  • @mikl I meant the server. If you don't control it, I hope you could at least tell someone to fix it. Otherwise you surely won't be the last to have a problem with it ... – Narf Dec 16 '16 at 21:42

1 Answer


Possible duplicate: [OpenSSL: unable to verify the first certificate for Experian URL](http://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experian-url)

To solve it, create a cafile.pem and concatenate the required Symantec certificates (primary, intermediate and root) as shown in the possible duplicate question linked above (see spuder's answer).

The cafile.pem to create, as quoted from spuder:

```
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
```

Then in PHP use the next $options for creating the SoapClient object:

```php
$options = [
    'stream_context' => stream_context_create([
        'ssl' => [
            'cafile' => __DIR__ . '/cafile.pem',
        ],
    ]),
];

$SoapClient = new SoapClient($wsdl, $options);
```
mikl
  • Bundling the root CA cert only adds overhead. – Narf Dec 16 '16 at 12:17
  • The solution I posted is a workaround; I really have no control over the server configuration. I prefer some overhead, otherwise I would need to disable peer verification or not use the service at all. What else could I do if I have no way to fix it server side? – mikl Dec 16 '16 at 19:47
  • I thought you were talking about the server and maybe commented hastily, but it is probably still correct both ways, as both client and server are supposed to already have the root. Overhead on the client side isn't that big of a deal though, as long as it works for you. I'd still notify the site admins. – Narf Dec 16 '16 at 21:51
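The following is an added example, not code from the question, the answer, or the SII service. It ties together the two threads above: the question's "works in the browser but not in PHP" symptom, which is what an incomplete chain looks like because browsers fetch a missing intermediate themselves while PHP's OpenSSL stream does not, and the answer's `cafile` workaround. It assumes PHP 5.6+ with the openssl and soap extensions, the WSDL URL from the question, and a `cafile.pem` built as the answer describes; the file path and the helper names are my own. The diagnostic function disables verification only so the chain can be read when it is broken, and sends nothing but the TLS handshake; the SoapClient itself keeps peer and hostname verification on.

```php
<?php
// Added example: not code from the question, the answer, or the SII service.
// Assumes PHP 5.6+ with the openssl and soap extensions, the WSDL URL from the
// question, and a cafile.pem built as the answer describes (path is an assumption).

$wsdl   = 'https://palena.sii.cl/DTEWS/CrSeed.jws?WSDL';
$cafile = __DIR__ . '/cafile.pem';

/** Best-effort readable name for a parsed X.509 name array. */
function nameOf(array $dn)
{
    return isset($dn['CN']) ? $dn['CN'] : (isset($dn['O']) ? $dn['O'] : '(no CN)');
}

/**
 * Report the chain the server actually sends. A chain that stops at the leaf
 * is the "browser says Secure, PHP fails" symptom: the browser fetched the
 * intermediate itself, PHP did not. Verification is off here only so the chain
 * can be read when it is incomplete; only the handshake happens on this socket.
 */
function describeServerChain($host, $port = 443)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'             => false,
        'verify_peer_name'        => false,
        'capture_peer_cert_chain' => true,
    ]]);
    $errno = 0;
    $errstr = '';
    $sock = stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("connect to {$host} failed: [{$errno}] {$errstr}");
    }
    $params = stream_context_get_params($sock);
    fclose($sock);

    $chain = [];
    foreach ($params['options']['ssl']['peer_certificate_chain'] as $cert) {
        $info = openssl_x509_parse($cert);
        $chain[] = ['subject' => nameOf($info['subject']), 'issuer' => nameOf($info['issuer'])];
    }
    return $chain; // index 0 is the leaf; a complete chain reaches the root's child
}

/**
 * Check the bundle before relying on it: every PEM block must parse and each
 * certificate's issuer should be the next block's subject. A mangled or
 * misordered file is the "incorrectly formatted" case raised in the comments.
 */
function validateCaBundle($path)
{
    if (!is_readable($path)) {
        throw new RuntimeException("CA bundle not readable: {$path}");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        file_get_contents($path), $m);
    if (empty($m[0])) {
        throw new RuntimeException("no PEM certificates found in {$path}");
    }
    $parsed = [];
    foreach ($m[0] as $i => $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            throw new RuntimeException("certificate #{$i} in {$path} does not parse");
        }
        $parsed[] = $info;
    }
    $report = [];
    $n = count($parsed);
    for ($i = 0; $i < $n; $i++) {
        $line = nameOf($parsed[$i]['subject']) . ' <- ' . nameOf($parsed[$i]['issuer']);
        if ($i + 1 < $n && nameOf($parsed[$i]['issuer']) !== nameOf($parsed[$i + 1]['subject'])) {
            $line .= '  [WARNING: next certificate is not this one\'s issuer]';
        }
        $report[] = $line;
    }
    return $report;
}

/**
 * Build the SoapClient with peer and hostname verification left ON and the
 * bundle supplied through 'cafile', as in the answer, rather than verify_peer=false.
 */
function makeVerifiedSoapClient($wsdl, $cafile)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => $cafile,
    ]]);
    return new SoapClient($wsdl, ['stream_context' => $ctx]);
}

// Usage: diagnose first, then connect with verification intact.
foreach (describeServerChain('palena.sii.cl') as $depth => $c) {
    echo "server sent depth {$depth}: {$c['subject']} <- {$c['issuer']}\n";
}
foreach (validateCaBundle($cafile) as $line) {
    echo "bundle: {$line}\n";
}
$client = makeVerifiedSoapClient($wsdl, $cafile);
var_dump($client->getSeed());
```

If `describeServerChain` shows a single certificate whose issuer is the Symantec intermediate, the server is sending only the leaf, which is the misconfiguration Narf describes; the client-side bundle then has to carry that intermediate. `validateCaBundle` makes the bundle's order visible so a bad paste is caught before it silently turns into another "unable to verify" error.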