Wick 12c - 1 year ago
Apache Configuration Question

Apache CURL error SSL: CA certificate set, but certificate verification is disabled

Issue: My dev environment is creating this error every time I submit a login form that is using CURL. CURL is producing this error, which I believe is associated with the certificates generated for the SSL connection.

My dev environment is:

  • Mac OS X Capitan 10.11

  • Apache 2.4 / PHP 7.0.12

phpinfo() states:

  • cURL: enabled / 7.50.3 / SSL: Yes / Protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp / SSL Version: SecureTransport / ZLib Version: 1.2.5 / libSSH Version: libssh2/1.4.3

  • OpenSSL: enabled / Library Version: OpenSSL 1.0.2h 3 May 2016 / header Version: OpenSSL 1.0.2h 3 May 2016 / openssl.cafile: (local) /usr/local/php5/ssl/certs/cacert.pem and (master) /usr/local/php5/ssl/certs/cacert.pem

In order to create the SSL setup I followed this Enable SSL in Apache (OSX) article to a tee, which eliminates browser requests and allows me to pull requests for projects that involve, say, Twitter etc. that require SSL connections even in dev environments.

However, I had originally used PHP 5.6 to develop this specific project, and recently I upgraded to 7, which has now caused this error.

In terms of testing the certificates, in terminal it shows the error as per the below:

echo | openssl s_client -connect localhost:443

The above command produced:

depth=0 C = AU, ST = New South Wales, L = Sydney, O = localhost, CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = AU, ST = New South Wales, L = Sydney, O = localhost, CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
i:/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
Server certificate
subject=/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
issuer=/C=AU/ST=New South Wales/L=Sydney/O=localhost/CN=localhost
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, B-571, 570 bits
SSL handshake has read 1666 bytes and written 513 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 8B39BE1C255BDD6ED6E42E85612AB24C9CD1CB2195676A2CAEA7E3FAE0E65D68
Master-Key: 86DCCE7468DE39C619A64AC7C08E6F3AA55B02DC025564D4E67C7BCDDE90415D518D780FB4EEB98A69DF785ED62FFB09
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1478128414
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

For the login page that is producing this error, I am using Auth0.com, and I refuse to set verifypeer = false in the CURL request to suppress this error, as the error is clearly identifying leakage. As developers, we want to replicate our development environment as much as possible to ensure nothing is left behind when moving to production.

Thank you, and I hope I have covered everything necessary here. I don't use external packages such as MAMP or XAMPP etc., just a brewed PHP7 installation as an upgrade to the existing PHP 5.5 that comes with Capitan.


Answer Source

Find a way to switch your curl code so that if you are in dev ($_SERVER['HTTP_HOST']=='localhost') then you set verifypeer = false but that doesn't get set and remains true for production.
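An alternative to the host-based switch above, added here as an example and not part of the original question or answer: keep CURLOPT_SSL_VERIFYPEER on in every environment and, in dev, hand cURL a CA file that also contains the self-signed localhost certificate (the s_client output shows issuer and subject are identical, so that certificate is its own trust anchor). The dev bundle path and the function names are assumptions, not anything from the page.

```php
<?php
// Added example, not from the original post. Verification stays enabled
// everywhere; only the trust store differs between dev and production.
//
// Assumed path (hypothetical): build the dev bundle once from the bundle
// phpinfo() reports plus the Apache localhost certificate, e.g.
//   cat /usr/local/php5/ssl/certs/cacert.pem localhost.crt > /usr/local/etc/ssl/dev-cacert.pem
declare(strict_types=1);

const DEV_CA_BUNDLE = '/usr/local/etc/ssl/dev-cacert.pem'; // hypothetical path

function sslOptionsFor(string $host): array
{
    $opts = [
        CURLOPT_SSL_VERIFYPEER => true, // never false, not even for localhost
        CURLOPT_SSL_VERIFYHOST => 2,    // CN/SAN must match $host
    ];
    if ($host === 'localhost') {
        // A CA file combined with VERIFYPEER=false is the combination curl's
        // SecureTransport backend rejects with "CA certificate set, but
        // certificate verification is disabled"; keeping both set is consistent.
        $opts[CURLOPT_CAINFO] = DEV_CA_BUNDLE;
    }
    return $opts;
}

function postLoginForm(string $url, array $fields): string
{
    $host = parse_url($url, PHP_URL_HOST) ?: '';
    $ch = curl_init($url);
    curl_setopt_array($ch, sslOptionsFor($host) + [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch); // 60 = CURLE_SSL_CACERT, 51 = CURLE_PEER_FAILED_VERIFICATION
    $error = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        // Fail loudly: a verification failure is a finding, not noise to suppress.
        throw new RuntimeException("cURL error $errno: $error");
    }
    return $body;
}

// Usage: the same code path runs in dev and production.
// echo postLoginForm('https://localhost/login', ['user' => 'dev', 'pass' => 'secret']);
```

Once the bundle contains the localhost certificate, `openssl s_client -connect localhost:443 -CAfile /usr/local/etc/ssl/dev-cacert.pem` should report `Verify return code: 0 (ok)` instead of code 21.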
