Verifying SSL certificate failing with Kohana

Submitted by 天涯浪子 on 2020-01-05 02:55:10

Question


I'm trying to use HTTPS on my localhost environment with Kohana but it keeps throwing the following error. Does anyone know how to fix this?

Request_Exception [ 0 ]: Error fetching remote /protected/someFunctionCall.json [ status 0 ] SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I'm building my POST requests like so:

$url = "https://www.foobar.com:18443";          
$data = http_build_query($params);

// This uses POST - http://kohanaframework.org/3.2/guide/kohana/requests#external-requests
$request = Request::factory($url)
        ->method(Request::POST)
        ->body($data)
        ->headers('Content-Type','application/x-www-form-urlencoded; charset=UTF-8');

$response = $request->execute();

I have generated my self-signed certificates with OpenSSL following this guide:

(Simon's answer): How do I allow HTTPS for Apache on localhost?


Answer 1:


You are most likely seeing this error because you are using a self-signed certificate that the SSL client doesn't trust. I am not familiar with Kohana or PHP, but I think the client is probably using OpenSSL under the covers. Somewhere there should be a file called something like cacerts.pem or ca-bundle.crt that holds the trust anchors. These trust anchors are the CA certs that the client software will trust. If the server uses a certificate issued from one of these CAs you shouldn't get the error. What you could try is adding your self-signed server cert to the end of your CA cert file (e.g., cacerts.pem). Make sure your cert is in PEM format when you add it. A PEM formatted certificate is delimited with these lines:

  • -----BEGIN CERTIFICATE-----

  • -----END CERTIFICATE-----

Alternatively, there may be some option to tell the client to accept any server certificate. Not good security practice, but okay as a temporary solution if just trying things out yourself. In cURL, for example, there is an option to do this.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

The correct approach in cURL is to specify the file holding the trust anchors. This code snippet is based on the article I link to below.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/MyTrustedCerts.crt");

Using CURLOPT_CAINFO allows you to specify the name of the file holding your trust anchors. This file should hold one or more certificates the client software will use to verify server certs with.

Also, CURLOPT_SSL_VERIFYHOST set to 2 tells cURL to check the existence of a common name and also verify that it matches the hostname provided. In production environments the value of this option should be kept at 2 (default value).

This article Using cURL in PHP to access HTTPS (SSL/TLS) protected sites has some workarounds/fixes for this error when using cURL in PHP.
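
The verified-request approach from the answer above, as an added example that is not part of the original post: it trusts only the self-signed certificate via CURLOPT_CAINFO and checks beforehand that the certificate names the host, since CURLOPT_SSL_VERIFYHOST set to 2 fails otherwise. The function names are hypothetical, and the code assumes the CA file holds the single self-signed server certificate in PEM format.

```php
<?php
// Added example; function names are hypothetical, not Kohana or cURL API.

// DNS names a PEM certificate is issued for: SAN entries, else the subject CN.
function cert_dns_names($pemPath)
{
    $info = openssl_x509_parse((string) file_get_contents($pemPath));
    if ($info === false) {
        throw new RuntimeException("$pemPath is not a parseable PEM certificate");
    }
    $names = array();
    $san = isset($info['extensions']['subjectAltName']) ? $info['extensions']['subjectAltName'] : '';
    // SAN text looks like "DNS:localhost, DNS:www.foobar.com, IP Address:127.0.0.1"
    foreach (array_filter(array_map('trim', explode(',', $san))) as $entry) {
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    if (!$names && isset($info['subject']['CN'])) {
        $names = array_map('strtolower', (array) $info['subject']['CN']);
    }
    return $names;
}

// POST with peer and host verification on, trusting only the certs in $caFile.
function post_with_pinned_ca($url, array $params, $caFile)
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    // Exact-match pre-check only; wildcard names are left to cURL itself.
    if (!in_array($host, cert_dns_names($caFile), true)) {
        throw new RuntimeException("Certificate does not name '$host'; host verification would fail");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never disabled
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caFile,
    ));
    $body  = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("Request failed: $error");
    }
    return $body;
}
// Usage with the values from the question and answer:
// echo post_with_pinned_ca('https://www.foobar.com:18443', $params, getcwd() . '/CAcerts/MyTrustedCerts.crt');
```

A certificate generated for localhost will fail the pre-check against www.foobar.com, which is the same mismatch that host verification would report.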



Source: https://stackoverflow.com/questions/9808312/verifying-ssl-certificate-failing-with-kohana
