Wick 12c - 1 month ago
Apache Configuration Question

Apache CURL error SSL: CA certificate set, but certificate verification is disabled

Issue: My dev environment is producing this error every time I submit a login form that uses CURL. CURL is producing this error, which I believe is associated with the certificates generated for the SSL connection.

My dev environment is:

  • Mac OS X Capitan 10.11
  • Apache 2.4 / PHP 7.0.12

phpinfo() states:

  • cURL: enabled / 7.50.3 / SSL: Yes / Protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp / SSL Version: SecureTransport / ZLib Version: 1.2.5 / libSSH Version: libssh2/1.4.3
  • OpenSSL: enabled / Library Version: OpenSSL 1.0.2h 3 May 2016 / header Version: OpenSSL 1.0.2h 3 May 2016 / openssl.cafile: (local) /usr/local/php5/ssl/certs/cacert.pem and (master) /usr/local/php5/ssl/certs/cacert.pem

In order to create the SSL setup I followed this Enable SSL in Apache (OSX) article to a tee, which eliminates browser requests and allows me to pull requests for projects that involve, say, Twitter etc. that require SSL connections even in dev environments.

However, I had originally used PHP 5.6 to develop this specific project, and I recently upgraded to 7, which has now caused this error.

In terms of testing the certificates, in the terminal it shows the error as per the below:

echo | openssl s_client -connect localhost:443


The above command produced:

CONNECTED(00000003)
depth=0 C = AU, ST = New South Wales, L = Sydney, O = localhost, CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = AU, ST = New South Wales, L = Sydney, O = localhost, CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
i:/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDgDCCAmigAwIBAgIJAIqaBKmBWQOqMA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
BAYTAkFVMRgwFgYDVQQIDA9OZXcgU291dGggV2FsZXMxDzANBgNVBAcMBlN5ZG5l
eTESMBAGA1UECgwJbG9jYWxob3N0MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTYx
MTAyMjEzODQ3WhcNMTcxMTAyMjEzODQ3WjBgMQswCQYDVQQGEwJBVTEYMBYGA1UE
CAwPTmV3IFNvdXRoIFdhbGVzMQ8wDQYDVQQHDAZTeWRuZXkxEjAQBgNVBAoMCWxv
Y2FsaG9zdDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAmD67Hq/iOUL+b+cjgeO/xwfjmkAu2QI4ZbOV4w/pH66T+U9a
KN3snz504u8xo1DUDKyUp+eX40q2jbWghzOoPVrhIRWwhY4woyX6FYILzvNDym59
Hqc9CzGZ6lkuApelsSAFyC2Q0K7VeOFwEepNZ6ou7WhqfoS9N/CPptut/+NkByxt
m8sEvFbLS4dtVKHB8QoPsVJ8w7f+4zKk3NjVLQPlw8xxzLMStzlwsOSLJYEaiU1a
fdzOoe/l0DroMpTZmDPth6/Fc9loCC3AcgIrzOG7q9eaR5ANNA1+Ca/4/3+qdQOU
CVYjFwwTsTZdcd73nHVjJCe/3bX30T3s9dTD/QIDAQABoz0wOzAJBgNVHRMEAjAA
MAsGA1UdDwQEAwIF4DAhBgNVHREEGjAYgglsb2NhbGhvc3SCCyoubG9jYWxob3N0
MA0GCSqGSIb3DQEBCwUAA4IBAQB9Z5cbIq6gGQ7xg22AxUUQ2GUQ+/u2heHogphP
S/k2OmPg2mmtZ6UPS2B8m8TRx6roHZhO6pWGuDh0BuwRMHC0kYMB7p+XFiOl9Xo+
EVpiM4oXHJ7f1JgF0k/77MGIcyWBHfkvEzNcmhdmabyV5cdyXJs4IaJqnnczwjgC
jh2kvPL4mYQ6Tq26j+vWU2BklFTeMEjr3MgEL+prBTCx6DJ+vKDW3h9USm2yHMGa
EWiP+tJ+6vXKzHdpAVjTNYsoR9stfduZylG9m5pZSISOlaZnDDEwyiQ33U15FAM4
ZnfDOJX1Tbb0MpdbjH36QS2uBhUebxEM361BVGXPZQUaCqp2
-----END CERTIFICATE-----
subject=/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
issuer=/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, B-571, 570 bits
---
SSL handshake has read 1666 bytes and written 513 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 8B39BE1C255BDD6ED6E42E85612AB24C9CD1CB2195676A2CAEA7E3FAE0E65D68
Session-ID-ctx:
Master-Key: 86DCCE7468DE39C619A64AC7C08E6F3AA55B02DC025564D4E67C7BCDDE90415D518D780FB4EEB98A69DF785ED62FFB09
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - e0 da 63 c7 3d b0 eb 5c-0b 30 c8 0f 8f 43 b2 5e ..c.=..\.0...C.^
0010 - 93 49 cb 87 c5 f8 a5 f4-42 bf 19 e1 16 3d 24 73 .I......B....=$s
0020 - ab 0a 76 b9 a7 84 1b 1b-ad 3f 4b 2d 60 c7 0c 8a ..v......?K-`...
0030 - 3d e8 0d b2 29 db 95 b0-a6 e6 49 f6 60 3c fe 1d =...).....I.`<..
0040 - c2 f5 51 8f 40 ae 93 ac-f2 eb b9 99 2c c5 f0 45 ..Q.@.......,..E
0050 - bb d7 16 a7 0f a5 52 c7-c4 b8 e4 6a 05 ab a0 25 ......R....j...%
0060 - 9c 44 dc 15 8c 0e cf 69-18 f8 dd 8d f1 ad 21 32 .D.....i......!2
0070 - f5 f9 d6 54 37 87 46 6d-9e 4f d2 8a 3e 16 e2 1a ...T7.Fm.O..>...
0080 - 41 1a 26 27 31 83 f1 ad-31 26 ab 22 17 84 50 ae A.&'1...1&."..P.
0090 - 06 ef 51 9e f4 40 0f 48-8b a9 66 26 1f d8 32 88 ..Q..@.H..f&..2.
00a0 - 46 19 a2 97 44 26 9c b1-b0 15 5c 0b 02 d7 23 ea F...D&....\...#.
00b0 - 07 b6 72 57 b7 47 ee 9a-85 fe 16 d4 59 8d b8 34 ..rW.G......Y..4

Start Time: 1478128414
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE


For the login page that is producing this error, I am using Auth0.com and I refuse to change the CURL request verifypeer = false to suppress this error as the error is clearly identifying leakage. As developers, we want to replicate our development environment as much as possible to ensure nothing is left behind when moving to production.

Thank you, and I hope I have covered everything necessary here. I don't use external packages such as MAMP or XAMPP etc., just a brewed PHP7 installation as an upgrade to the existing PHP 5.5 that comes with Capitan.

Cheers!
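The openssl s_client run above tells the whole story: the server certificate is self-signed (subject and issuer are identical), so no bundle that lacks that exact certificate can verify it, and curl with peer verification on will fail for the same reason the terminal check fails with code 21. The following added example (my code, not part of the question and not Auth0's) reproduces that check from PHP with the OpenSSL stream wrapper, so it can be run against whatever bundle phpinfo() reports as openssl.cafile, or against a dev bundle that contains the localhost certificate. It assumes the dev server is listening on localhost:443; the report layout and the dn_to_string helper are mine.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Reports what
// `openssl s_client -connect localhost:443` reports: whether the server
// certificate verifies against a CA bundle, and whether it is self-signed.
// Assumption: the dev Apache instance is on localhost:443.

function tls_probe(string $host, int $port, ?string $cafile = null, float $timeout = 5.0): array
{
    $report = [
        'verified'    => false,
        'error'       => null,
        'subject'     => null,
        'issuer'      => null,
        'self_signed' => null,
        'expires'     => null,
    ];

    // Step 1: a strict handshake, the equivalent of curl with VERIFYPEER on.
    $strict = ['verify_peer' => true, 'verify_peer_name' => true];
    if ($cafile !== null) {
        $strict['cafile'] = $cafile; // trust only this bundle, like CURLOPT_CAINFO
    }
    $errno  = 0;
    $errstr = '';
    error_clear_last();
    $conn = @stream_socket_client(
        "ssl://{$host}:{$port}", $errno, $errstr, $timeout,
        STREAM_CLIENT_CONNECT, stream_context_create(['ssl' => $strict])
    );
    if ($conn !== false) {
        $report['verified'] = true;
        fclose($conn);
    } else {
        // TLS verification failures surface as a suppressed warning, not $errstr.
        $last = error_get_last();
        $report['error'] = $errstr !== '' ? $errstr
            : ($last['message'] ?? "connect failed (errno {$errno})");
    }

    // Step 2: handshake without verification purely to read the certificate
    // (no request is sent), as s_client prints the chain even when it fails.
    $peek = ['verify_peer' => false, 'verify_peer_name' => false, 'capture_peer_cert' => true];
    $ctx  = stream_context_create(['ssl' => $peek]);
    $conn = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr, $timeout,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($conn === false) {
        return $report; // nothing listening, or no TLS offered on that port
    }
    $opts = stream_context_get_options($ctx);
    fclose($conn);

    $cert = $opts['ssl']['peer_certificate'] ?? null;
    $x509 = $cert === null ? false : openssl_x509_parse($cert);
    if ($x509 === false) {
        return $report;
    }
    $report['subject']     = dn_to_string($x509['subject']);
    $report['issuer']      = dn_to_string($x509['issuer']);
    $report['self_signed'] = $x509['subject'] === $x509['issuer'];
    $report['expires']     = gmdate('Y-m-d\TH:i:s\Z', $x509['validTo_time_t']);
    return $report;
}

// Render a parsed DN the way openssl prints it: /C=AU/ST=.../CN=localhost
function dn_to_string(array $dn): string
{
    $parts = [];
    foreach ($dn as $key => $value) {
        foreach ((array) $value as $v) {
            $parts[] = "{$key}={$v}";
        }
    }
    return '/' . implode('/', $parts);
}

// Usage: probe the dev server against the bundle phpinfo() reports.
$report = tls_probe('localhost', 443, ini_get('openssl.cafile') ?: null);
foreach ($report as $k => $v) {
    printf("%-12s %s\n", $k, is_bool($v) ? ($v ? 'yes' : 'no') : ($v ?? '-'));
}
```

Against the certificate shown above the probe reports verified: no and self_signed: yes. Passing a bundle that contains the localhost certificate as $cafile flips verified to yes, which is the check to repeat after adding the dev certificate to the trust store rather than turning verification off.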

Answer

Find a way to switch your curl code so that if you are in dev ($_SERVER['HTTP_HOST']=='localhost') then you set verifypeer = false, but that doesn't get set and it remains true for production.
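A version of the environment switch this answer describes, added here as an example rather than taken from the answer: it branches on environment the same way, but keeps CURLOPT_SSL_VERIFYPEER on everywhere and instead hands dev a CA bundle that contains the self-signed localhost certificate through CURLOPT_CAINFO. The environment comes from a deploy-time variable rather than $_SERVER['HTTP_HOST'], which is copied from the request's Host header and is therefore chosen by the client. The names APP_ENV and DEV_CA_BUNDLE and the URL https://localhost/login are assumptions. Note that on curl's SecureTransport backend, which the phpinfo() output in the question reports, a configured CA file together with VERIFYPEER off is itself rejected with the "CA certificate set, but certificate verification is disabled" message in the title, so the two options have to be set consistently.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answer. The environment decides which CA
// bundle curl trusts; peer verification itself is never switched off.
// Assumptions: APP_ENV is set at deploy time ('dev' or 'production'), and
// DEV_CA_BUNDLE (hypothetical) is a PEM file holding the dev localhost cert.

function curl_tls_options(string $env, ?string $devCaBundle): array
{
    $opts = [
        CURLOPT_SSL_VERIFYPEER => true,  // the same in every environment
        CURLOPT_SSL_VERIFYHOST => 2,     // the hostname must match the certificate
    ];
    if ($env === 'dev') {
        // Fail closed: without a readable dev bundle we stop, rather than
        // falling back to VERIFYPEER = false.
        if ($devCaBundle === null || !is_readable($devCaBundle)) {
            throw new RuntimeException('dev needs a readable CA bundle (DEV_CA_BUNDLE); refusing to disable verification');
        }
        $opts[CURLOPT_CAINFO] = $devCaBundle;
    }
    return $opts;
}

function tls_post(string $url, array $fields, array $tlsOpts): array
{
    $ch = curl_init($url);
    // Array union keeps the TLS options on the left if a key is duplicated.
    curl_setopt_array($ch, $tlsOpts + [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $result = [
        'ok'     => $body !== false,
        'status' => (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE),
        'error'  => $body === false ? curl_error($ch) : null,   // e.g. code 60, peer cert not trusted
        'body'   => $body === false ? null : $body,
    ];
    curl_close($ch);
    return $result;
}

// Usage: an unset APP_ENV defaults to the strict production behaviour.
$env  = getenv('APP_ENV') ?: 'production';
$opts = curl_tls_options($env, getenv('DEV_CA_BUNDLE') ?: null);
$res  = tls_post('https://localhost/login', ['user' => 'alice'], $opts);
printf("env=%s ok=%s status=%d error=%s\n",
    $env, $res['ok'] ? 'yes' : 'no', $res['status'], $res['error'] ?? '-');
```

With APP_ENV=dev and DEV_CA_BUNDLE pointing at a PEM file that includes the localhost certificate, the request verifies and the error in the title disappears; in production the same code uses curl's default bundle, so nothing dev-specific ships.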