SSL Certificate
I'm a developer wanting to test out the PHP API, preferably on localhost. Is it possible to do this without purchasing an SSL certificate?
So far I just receive the following error when trying to connect:
Exception: cUrl session resulted in an error: (60)SSL certificate problem: self signed certificate in certificate chain
Support Staff 1 Posted by Marc Guyer on 16 Sep, 2014 02:16 PM
Hi Mark -- Are you using the PHP client? It would help us troubleshoot with you if you posted the relevant bit of your code here.
2 Posted by Mark Hurst on 16 Sep, 2014 05:05 PM
Hi Marc,
Yes, I'm using the client. Here's the code:
$client = new CheddarGetter_Client('https://cheddargetter.com', '[email blocked]', 'mypassword', 'myproduct');
$customers = $client->getCustomers();
The error is thrown by the call to getCustomers().
I've tried running this both on the command line and in Drupal 7 on Windows 7.
Mark
Support Staff 3 Posted by Marc Guyer on 16 Sep, 2014 09:24 PM
Hi Mark -- I just ran a test here and didn't have any problems. You could turn on the verbose option in the curl resource and see if that gives you something meaningful.
Fwiw, the error you're getting is odd. We don't have a self signed cert in our chain so I'm not sure where that would be coming from.
4 Posted by Mark Hurst on 17 Sep, 2014 11:21 PM
I didn't get anything useful from curl verbose so tried this:
openssl s_client -connect cheddargetter.com:443 -showcerts
The response below suggests there is a self-signed certificate. Incidentally, they're all in my (Chrome) config as trusted signed certificates. Any ideas?
-----------------------------
Loading 'screen' into random state - done
CONNECTED(000001AC)
depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.cheddargetter.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
***blah***
-----END CERTIFICATE-----
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
***blah***
-----END CERTIFICATE-----
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
***blah***
-----END CERTIFICATE-----
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
***blah***
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.cheddargetter.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 4917 bytes and written 459 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: ***blah***
Session-ID-ctx:
Master-Key: ***blah***
Key-Arg : None
Start Time: 1410994906
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
read:errno=0
Support Staff 5 Posted by Marc Guyer on 18 Sep, 2014 12:19 AM
What in that openssl output suggests a self signed cert? I see the error message but all of the cert info in the output shows that it's signed by godaddy.
Are you saving a cert locally that needs to be refreshed?
6 Posted by Mark Hurst on 18 Sep, 2014 12:52 AM
Here http://tinyurl.com/lwownnv states that the ultimate CA root certificate in all chains is self-signed, and the error occurs because the openssl s_client function doesn't check the default store against the root certificates being passed back from the server. This should be fixable by passing a CApath. However, I've tried this with both a direct cmd line openssl call and by using CURLOPT_CAPATH in the PHP.
BTW, if I use CURLOPT_SSL_VERIFYPEER = 0 in CurlAdapter->request() then I get a good response, which at least means my setup is otherwise ok...
7 Posted by Mark Hurst on 18 Sep, 2014 01:11 AM
Aha! It works if I use CURLOPT_CAINFO. For example:
curl_setopt($this->_resource, CURLOPT_CAINFO, "C:/***/cacert.pem");
(I downloaded cacert.pem from http://curl.haxx.se/docs/caextract.html)
Now I just have to figure out how to do this by config instead of by editing CurlAdapter.php
8 Posted by Mark Hurst on 18 Sep, 2014 01:42 AM
Ok, found a config solution. I set curl.cainfo = C:/***/cacert.pem in my php.ini and restarted apache. Thanks, we got there eventually :-)
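Added example, not code from this thread or from the CheddarGetter PHP client: a cURL request that keeps peer verification on and trusts the downloaded cacert.pem, preferring the php.ini curl.cainfo setting and falling back to CURLOPT_CAINFO only when php.ini has nothing configured. The bundle path and the helper name secureCurlHandle() are assumptions.

```php
<?php
// Added example: verify the server certificate against a CA bundle instead of
// setting CURLOPT_SSL_VERIFYPEER to 0, which accepts any certificate at all.
// Assumed path: point it at the cacert.pem from curl.haxx.se/docs/caextract.html
$caBundle = 'C:/path/to/cacert.pem';

function secureCurlHandle(string $url, ?string $caBundle = null)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // check the chain against trusted CAs
        CURLOPT_SSL_VERIFYHOST => 2,    // and check the name in the certificate
    ]);

    // If curl.cainfo is set in php.ini, the curl extension already applies it,
    // so only fall back to an explicit CURLOPT_CAINFO when php.ini has nothing.
    $iniBundle = ini_get('curl.cainfo');
    if ($iniBundle === false || $iniBundle === '') {
        if ($caBundle === null || !is_readable($caBundle)) {
            throw new RuntimeException(
                'No readable CA bundle: set curl.cainfo in php.ini or pass a path'
            );
        }
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }
    return $ch;
}

$ch = secureCurlHandle('https://cheddargetter.com', $caBundle);
$body = curl_exec($ch);
if ($body === false) {
    // errno 60 is the "SSL certificate problem" seen in this thread: the chain
    // could not be validated with the bundle in use. Fix the bundle, never
    // disable verification.
    fwrite(STDERR, sprintf("cURL error %d: %s\n", curl_errno($ch), curl_error($ch)));
} else {
    echo 'TLS verification succeeded, received ' . strlen($body) . " bytes\n";
}
curl_close($ch);
```

If the error persists with a current bundle, the bundle file itself (not the server) is the first thing to check, as the openssl output earlier in this thread showed a normally signed GoDaddy chain.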
Support Staff 9 Posted by Marc Guyer on 18 Sep, 2014 12:03 PM
That's good news! What version of openssl are you using?
10 Posted by Mark Hurst on 22 Sep, 2014 08:06 PM
I'm currently using 0.9.8y for development but I guess this needs to be updated to 1.0.1g...?
Support Staff 11 Posted by Marc Guyer on 22 Sep, 2014 08:12 PM
Hi Mark -- Well, I suppose it's typically a good idea to use a recent version. I suspect that version 0.9.8y has a significant number of security vulnerabilities.
The reason I asked is because I think the root cert info is bundled with openssl. So, if the root certs have updated since your version of openssl, then you'd have the problem discussed in this thread. I suspect that you wouldn't have experienced this problem with a more recent version of openssl.
Marc Guyer closed this discussion on 22 Sep, 2014 08:12 PM.
Marc Guyer re-opened this discussion on 22 Sep, 2014 08:19 PM
Support Staff 12 Posted by Marc Guyer on 22 Sep, 2014 08:19 PM
Actually I see that they're still issuing security fixes for the 0.9.8 version and the 'y' release is fairly recent. I wonder if those security fixes include root cert updates. Probably not.
Marc Guyer closed this discussion on 22 Sep, 2014 08:19 PM.