file_get_contents: Unable to set local cert chain file


Problem description

We're using composer to upgrade dependencies with Satis. After a recent server upgrade we were unable to do so. Narrowing down possible causes, we've discovered that the file_get_contents php function fails while trying to establish an ssl connection.

We're using the following script to test our ssl:

<?php
$url = 'https://satis.work.com/packages.json';
$contextOptions = [
    'ssl' => [
        'verify_peer'      => false,
        'verify_peer_name' => false,
        'local_cert'       => '/home/work/.ssl/deployer.pem',
    ]
];
$sslContext = stream_context_create($contextOptions);
$result = file_get_contents($url, false, $sslContext);
echo $result, "\n"; 

This throws:

PHP Warning: file_get_contents(): Unable to set local cert chain file `/home/work/.ssl/deployer.pem'; Check that your cafile/capath settings include details of your certificate and its issuer in /home/omlook/test-ssl.php on line 12
PHP Warning: file_get_contents(): Failed to enable crypto in /home/work/test-ssl.php on line 12
PHP Warning: file_get_contents(https://satis.work.com/packages.json): failed to open stream: operation failed in /home/work/test-ssl.php on line 12

It is definitely not a problem with rights or file ownership; the script can read the .pem just fine. What's bewildering about this is how the exact same script and .pem key work just fine in my local environment, and version differences aren't that significant, it seems.

Local environment:

PHP 7.0.18-0ubuntu0.16.04.1 (cli) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.18-0ubuntu0.16.04.1, Copyright (c) 1999-2017, by Zend Technologies

OpenSSL 1.0.2g  1 Mar 2016

Server:

PHP 7.1.7-1+ubuntu14.04.1+deb.sury.org+1 (cli) (built: Jul 7 2017 10:07:42) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.1.7-1+ubuntu14.04.1+deb.sury.org+1, Copyright (c) 1999-2017, by Zend Technologies

OpenSSL 1.1.0f  25 May 2017

Recommended answer

I solved the same problem for myself. It seems that cleartext metadata doesn't matter. Similar code worked for me on php 7.0 with openssl 1.1.0j and was broken on php 7.3 with openssl 1.1.1c - I got the same error text. Adding cleartext metadata didn't help me. Adding the cafile context parameter with the current ca certificate didn't help me either.

When I tried to make the same request with curl, I got an error:

curl -k --cert cert.pem https://myservice.com/soap/ShopService/
curl: (58) could not load PEM client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?)

So I found the existing old client certificate was signed with the weak sha1WithRsaEncryption algorithm. The private key was 2048 bits long - that's ok (if you have 1024 bits - it's not safe now and you need a new, longer key as well).

I've reissued my client certificate with the current sha256 hash (openssl option -sha256). My CA certificate had the same weak hash sha1, but it was not necessary to change it, just the client certificate. Commands:

# here: 
# cert.pem - my old client certificate with private key
# ca.pem - service's current CA certificate for signing client certificates with its private key
# cert2.pem - my new working client certificate with the same old private key
#
# make new certificate request from current client certificate
openssl x509 -x509toreq -in cert.pem -out cert2.csr -signkey cert.pem -sha256

# make new certificate
openssl x509 -req -in cert2.csr -out cert2.pem -CA ca.pem -sha256 -days 730 -set_serial 0x51ca170d

# append private key
openssl rsa -in cert.pem >> cert2.pem

Hours of pain and now it's ok ) Seems that php sends an incorrect error message for this error.
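Because PHP reports every failure to load local_cert with the same "Unable to set local cert chain file" warning, it helps to inspect the PEM before opening the connection. The following pre-flight check is an added example, not code from the question or answer above; it assumes the PEM path holds both the certificate and its unencrypted private key, as local_cert expects, and flags the SHA-1 signature and short-key cases the answer describes, plus expiry and a key/cert mismatch.

```php
<?php
// Added example (not part of the original Q&A): check a PHP 'local_cert' PEM for the
// conditions that make OpenSSL 1.1.1+ reject it as a TLS client certificate
// ("ca md too weak"), which PHP surfaces only as "Unable to set local cert chain file".
// The path below is an assumed example path.

function checkClientCert(string $pemPath, int $minBits = 2048): array
{
    $issues = [];
    $pem = @file_get_contents($pemPath);
    if ($pem === false) {
        return ['ok' => false, 'issues' => ["cannot read $pemPath"]];
    }

    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        return ['ok' => false, 'issues' => ['no parsable certificate in file']];
    }
    $info = openssl_x509_parse($cert);

    // Signature digest: MD5- or SHA-1-based signatures are refused at OpenSSL's
    // default security level, so the certificate must be reissued with -sha256.
    $sigAlg = $info['signatureTypeLN'] ?? $info['signatureTypeSN'] ?? 'unknown';
    if (preg_match('/(^|[^a-z0-9])(md5|sha1)/i', $sigAlg)) {
        $issues[] = "weak signature algorithm: $sigAlg (reissue with -sha256)";
    }

    // An expired certificate produces the same vague PHP warning.
    if (isset($info['validTo_time_t']) && $info['validTo_time_t'] < time()) {
        $issues[] = 'certificate has expired';
    }

    // The private key must sit in the same PEM unless 'local_pk' is configured.
    $key = openssl_pkey_get_private($pem);
    if ($key === false) {
        $issues[] = 'no private key found in file (append the key or set local_pk)';
    } else {
        $details = openssl_pkey_get_details($key);
        if (($details['bits'] ?? 0) < $minBits) {
            $issues[] = "key too short: {$details['bits']} bits (< $minBits)";
        }
        if (!openssl_x509_check_private_key($cert, $key)) {
            $issues[] = 'private key does not match certificate';
        }
    }

    return ['ok' => $issues === [], 'subject' => $info['name'] ?? '',
            'signature' => $sigAlg, 'issues' => $issues];
}

// Run this before file_get_contents() so the real cause is visible.
print_r(checkClientCert('/home/work/.ssl/deployer.pem'));
```

If the key in the PEM is passphrase-protected, pass the passphrase as the second argument to openssl_pkey_get_private; otherwise the check reports a missing key.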
