Curl causes SSL: unable to get local issuer certificate


Problem description


After installing Homebrew PHP 5.5 on Mac OS Yosemite following this answer's steps, I found that I could connect to the external SSL hosts which prompted me a 'Error Number:56 Error String:SSLRead() return error -9806' before. This problem has been fixed.

But now, at my day job I run into another SSL issue with another HOST: Canvas API.

Running the following Curl on terminal (using OSX native curl)

curl -v -H "Accept: application/json" -H "Content-type: application/json" -X GET \
  -d '{"userid": "mohit", "password":"password"}' https://canvas.instructure.com/api/v1/accounts

works fine, but through PHP I am getting SSL certificate problem: unable to get local issuer certificate.

So my original issue is fixed now that I use OpenSSL in PHP Curling, but I got this new issue.

I did try to add a PEM file to my php.ini, curl.cainfo = "/usr/local/cacert.pem" but that triggered another error

error setting certificate verify locations: CAfile: /usr/local/cacert.pem CApath: none.

I am a bit puzzled. I need to have the Brew PHP Curl version working for both APIs. Now the one that wasn't working is working, but the other one which was working isn't (throwing the unable to get local issuer certificate message). Any wisdom would be appreciated.

EDIT: Curl output from php -i:

cURL support => enabled
cURL Information => 7.38.0
Age => 3
Features
AsynchDNS => No
CharConv => No
Debug => No
GSS-Negotiate => No
IDN => No
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => Yes
SPNEGO => No
SSL => Yes
SSPI => No
TLS-SRP => Yes
Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps,
             pop3, pop3s, rtsp, smtp, smtps, telnet, tftp
Host => x86_64-apple-darwin14.0.0
SSL Version => OpenSSL/1.0.1j
ZLib Version => 1.2.5

Solution

This looks to be a bug in homebrew's curl formula for which I have just submitted a fix. https://canvas.instructure.com/ has a certificate issued by GoDaddy and those don't seem to be working with a brewed curl that uses a brewed openssl. If/when the maintainers of homebrew accept my patch, you'll be able to simply get this fix with:

$ brew rm curl # remove your broken brewed curl
$ brew update
$ brew install --with-openssl curl

Until that happens, you can install the fix directly from my pull request like this:

$ brew rm curl # remove your broken brewed curl
$ brew install --with-openssl https://raw.githubusercontent.com/asaph/homebrew/curl-openssl-godaddy-ca-bug/Library/Formula/curl.rb

Update:

The homebrew maintainers merged my patch (https://github.com/Homebrew/homebrew/commit/599fe18457f58f9562752af1238097eb95f9f7de) so the fix is officially in homebrew now. So just run the first 3 commands I described above. No need to install from the pull request anymore.
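
The two errors in the question are different failures: "error setting certificate verify locations" means the CA file could not be loaded at all, while "unable to get local issuer certificate" means a trust store was loaded but holds no issuer for the certificate being checked. The following shell script is an added example, not part of the original question or answer; it separates the cases with the openssl CLI, and its function names, file names and the throwaway CAs it constructs are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Needs the openssl CLI.
# Function names and file names are hypothetical.

# Classify BUNDLE against LEAF along the split between the question's errors:
#   missing | unreadable | no-certs -> "error setting certificate verify locations"
#   issuer-missing                  -> "unable to get local issuer certificate"
check_ca_bundle() {  # usage: check_ca_bundle BUNDLE.pem LEAF.pem
  [ -e "$1" ] || { echo missing; return 0; }
  [ -r "$1" ] || { echo unreadable; return 0; }
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || { echo no-certs; return 0; }
  # The file loads; now test whether it can anchor the leaf's chain.
  # Decide on the output text rather than on the exit status.
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case $out in
    *'unable to get local issuer certificate'*) echo issuer-missing ;;
    *': OK'*) echo ok ;;
    *) echo other ;;
  esac
}

# Constructed sample data: two unrelated throwaway CAs (a, b) in DIR and a
# leaf certificate signed by CA a only.
make_sample_pki() {  # usage: make_sample_pki DIR
  for ca in a b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Constructed CA $ca" \
      -keyout "$1/ca-$ca.key" -out "$1/ca-$ca.pem" 2>/dev/null || return 1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca-a.pem" -CAkey "$1/ca-a.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

demo() {
  d=$(mktemp -d) || return 1
  make_sample_pki "$d" || { rm -rf "$d"; return 1; }
  : > "$d/empty.pem"
  for b in nope.pem empty.pem ca-b.pem ca-a.pem; do
    printf '%-10s %s\n' "$b" "$(check_ca_bundle "$d/$b" "$d/leaf.pem")"
  done
  rm -rf "$d"
}
demo
```

To apply the same check to a real setup, pass the path configured in `curl.cainfo` as the bundle and a saved copy of the server's certificate as the leaf.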
