Verifying SSL certificate failing with Kohana


Problem description

I'm trying to use HTTPS on my localhost environment with Kohana but it keeps throwing the following error, does anyone know how to fix this?

Request_Exception [ 0 ]: Error fetching remote /protected/someFunctionCall.json [ status 0 ] SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I'm building my post requests like so:

$url = "https://www.foobar.com:18443";          
$data = http_build_query($params);

// This uses POST - http://kohanaframework.org/3.2/guide/kohana/requests#external-requests
$request = Request::factory($url)
        ->method(Request::POST)
        ->body($data)
        ->headers('Content-Type','application/x-www-form-urlencoded; charset=UTF-8');

$response = $request->execute();

I have generated my self signed certificates with OpenSSL following this guide:

(Simon's answer): How do I allow HTTPS for Apache on localhost?

Recommended answer

You are most likely seeing this error because you are using a self-signed certificate that the SSL client doesn't trust. I am not familiar with Kohana or PHP, but I think the client is probably using openssl under the covers. Somewhere there should be a file called something like cacerts.pem or ca-bundle.crt that holds the trust anchors. These trust anchors are the CA certs that the client software will trust. If the server uses a certificate issued from one of these CAs you shouldn't get the error. What you could try is adding your self-signed server cert to the end of your CA cert file (e.g., cacerts.pem). Make sure your cert is in PEM format when you add it. A PEM formatted certificate is delimited with these lines:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Alternatively, there may be some option to tell the client to accept any server certificate. Not good security practice, but okay as a temporary solution if just trying things out yourself. In cURL, for example, there is an option to do this.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

The correct approach in cURL is to specify the file holding the trust anchors. This code snippet is based on the article I link to below.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/MyTrustedCerts.crt");

Using CURLOPT_CAINFO allows you to specify the name of the file holding your trust anchors. This file should hold one or more certificates the client software will use to verify server certs with.

Also, CURLOPT_SSL_VERIFYHOST set to 2 tells cURL to check the existence of a common name and also verify that it matches the hostname provided. In production environments the value of this option should be kept at 2 (default value).

This article, "Using cURL in PHP to access HTTPS (SSL/TLS) protected sites", has some workarounds/fixes for this error when using cURL in PHP.
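
Added example (not part of the original answer and not Kohana's API): the answer's trust-anchor approach as plain PHP cURL, checking that the bundle really is PEM before handing it to CURLOPT_CAINFO and reporting verification errors instead of disabling verification. The helper names `require_pem_bundle` and `post_form_verified` are hypothetical, the URL and bundle path are the sample values from the question and answer, and the curl and openssl extensions are assumed to be loaded.

```php
<?php
// Added example: helper names are hypothetical; URL and bundle path are the page's samples.

// Fail early if the trust-anchor file is unreadable or not PEM (e.g. a DER export).
function require_pem_bundle(string $caFile): string
{
    $pem = @file_get_contents($caFile);
    if ($pem === false) {
        throw new RuntimeException("Cannot read trust anchor file: $caFile");
    }
    $re = '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s';
    if (!preg_match_all($re, $pem, $blocks)) {
        throw new RuntimeException("No PEM certificate block in $caFile");
    }
    foreach ($blocks[0] as $block) {
        if (openssl_x509_read($block) === false) {   // assumes ext-openssl
            throw new RuntimeException("Unparseable certificate in $caFile");
        }
    }
    return $caFile;
}

// POST form data with peer and host verification left on.
function post_form_verified(string $url, array $params, string $caFile): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // chain must end at a trust anchor
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate name must match the URL host
        CURLOPT_CAINFO         => require_pem_bundle($caFile),
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // An untrusted chain or a name mismatch is reported here, not ignored.
        throw new RuntimeException(sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch)));
    }
    return $body;
}

try {
    echo post_form_verified('https://www.foobar.com:18443', ['key' => 'value'],
        getcwd() . '/CAcerts/MyTrustedCerts.crt');
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```

With CURLOPT_SSL_VERIFYHOST at 2, the self-signed certificate must carry the host name used in the URL, otherwise the request fails even when the certificate is in the bundle.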
