
ZenLoadBalancer sits in front of my web servers (Debian). The load balancer strips off SSL. This works fine in a browser. However, when connecting via SOAP or Curl, I am having a problem.

I used a curl test from another SO post to ensure the problem was with SSL:

<?php
// Test from the question: fetch the WSDL over HTTPS with cURL and dump the
// response, the connection info and any error message.
$_h = curl_init();
curl_setopt($_h, CURLOPT_HEADER, 1);         // include response headers in the output
curl_setopt($_h, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it
curl_setopt($_h, CURLOPT_HTTPGET, 1);
curl_setopt($_h, CURLOPT_URL, 'https://mydomain.ca/webservice/soap/server.php?wsdl');
curl_setopt($_h, CURLOPT_DNS_USE_GLOBAL_CACHE, false);
curl_setopt($_h, CURLOPT_DNS_CACHE_TIMEOUT, 2);

// Left commented out on purpose: with peer verification disabled the request
// succeeds, which is what points at the certificate chain rather than connectivity.
//curl_setopt($_h, CURLOPT_SSL_VERIFYPEER, false);

var_dump(curl_exec($_h));    // false when the TLS handshake fails
var_dump(curl_getinfo($_h));
var_dump(curl_error($_h));   // "SSL certificate problem: ..." in the failing case
curl_close($_h);

This returns:

string(63) "SSL certificate problem: unable to get local issuer certificate"

If I uncomment CURLOPT_SSL_VERIFYPEER, I get the XML back as expected.

So here is the real issue ... when I try to make the SOAP call:

$soap=new SoapClient('https://mydomain.ca/webservice/soap/server.php?wsdl');

This returns:

PHP Fatal error:  SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://mydomain.ca/webservice/soap/server.php?wsdl' : failed to load external entity "https://mydomain.ca/webservice/soap/server.php?wsdl"

If I take the load balancer out of the equation (and set up SSL virtual hosts, etc.), the SOAP service works fine. It's only when I add in the load balancer that I get this problem.

I am under the impression that the problem is exactly what the response from Curl is saying: "unable to get local issuer certificate". However, I tried installing ca-certificates, specifying PEM files, etc., but nothing seems to work.

I think the problem is on the load balancer side, but I have been testing things on the web server side just in case it gets through the load balancer ok.

On the web server, I can:

openssl s_client -connect mydomain.ca:443

That does return the certificate.

I confirmed that the server is listening on ports 443/8080/80, so that should be OK too (I disabled iptables just in case). I checked ports.conf and everything is listening on that end.

Hoping someone on SO can help point me in a different direction because I'm not quite sure what to search for in Bing/Google at this point. Any help would be appreciated.

Thanks.

Adam MacDonald

1 Answer


Finally figured this out. The key to knowing this was finally fixed was by running:

# openssl verify domain.pem

which should respond with:

domain.pem: OK

Before this was fixed, the response was:

unable to get local issuer certificate

Now, the fix ... well, the problem ... it was because when I created the PEM file, I used the wrong intermediate cert. Oddly enough, the browsers (IE/Chrome/FF) had no problem with this; it was only when using Curl/SOAP that I got an error.

To fix this in my case, I got the proper intermediate cert from my SSL provider (found on their support page), rebuilt my PEM file with their intermediate cert, tested the PEM with "openssl verify" and got the expected answer: "OK". After that, I reconfigured the load balancer to use this new PEM file and it worked; SOAP was able to connect!

Anyway, hope this might help someone in the future so they don't burn 6 hours like I did. Ugh.

Adam MacDonald
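The failure mode in the question and the check in the answer can be reproduced offline. The script below is an added example, not code from the original post or from ZenLoadBalancer: it generates a throwaway root CA, two intermediates issued by that root and one server certificate issued by intermediate A, then builds the server PEM bundle the way the answer describes (leaf followed by intermediate) once with the correct intermediate and once with the wrong one, and runs `openssl verify` against each. All names (Example Root CA, Example Intermediate A/B, www.example.test) are made up, and it assumes only the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway CA hierarchy with
# the openssl CLI and show how `openssl verify` reacts when the bundle served by
# a TLS terminator carries the correct vs. the wrong intermediate certificate.
# All names are made up; everything is generated under a temporary directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so `openssl req` does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Extensions for issued certificates: a signer that is not marked CA:TRUE is
# rejected by `openssl verify` as an invalid CA, so be explicit either way.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n' > "$WORK/leaf.ext"

# issue_cert NAME CN ISSUER EXTFILE: key, CSR and certificate signed by ISSUER, all in $WORK.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -extfile "$4" -out "$WORK/$1.pem" 2>/dev/null
}

build_test_pki() {
    # Self-signed root: stands in for the trust anchor shipped in the ca-certificates package.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/req.cnf" \
        -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Two intermediates from the same root. The leaf is issued by A; B plays the
    # "wrong intermediate from the same provider" that the answer describes.
    issue_cert ica "Example Intermediate A" root "$WORK/ca.ext"
    issue_cert icb "Example Intermediate B" root "$WORK/ca.ext"
    issue_cert leaf "www.example.test" ica "$WORK/leaf.ext"
}

# build_bundle INTERMEDIATE OUT: the server PEM a load balancer serves,
# leaf first followed by the intermediate (the domain.pem of the answer).
build_bundle() {
    cat "$WORK/leaf.pem" "$1" > "$2"
}

# verify_bundle BUNDLE: what a verifying client (curl, SoapClient) effectively
# does: trust only the root, take the intermediate from the bundle the server
# sent, and check the leaf. Prints openssl's diagnostic, returns its exit status.
verify_bundle() {
    status=0
    out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$1" 2>&1) || status=$?
    printf '%s\n' "$out"
    return $status
}

build_test_pki
build_bundle "$WORK/ica.pem" "$WORK/good.pem"
build_bundle "$WORK/icb.pem" "$WORK/bad.pem"

echo "== bundle with the correct intermediate =="
verify_bundle "$WORK/good.pem" || true
echo "== bundle with the wrong intermediate =="
verify_bundle "$WORK/bad.pem" || true
```

The bad bundle fails with "unable to get local issuer certificate" at depth 0, the same message the question's cURL test reported: the leaf's issuer cannot be found in either the trusted store or the chain the server sent. Browsers often paper over this by fetching the missing intermediate themselves, which is why the wrong bundle looked fine in IE/Chrome/FF but not to cURL or SoapClient. Against a live balancer, `openssl s_client -connect host:443 -showcerts` prints the chain actually being served, so the intermediate it contains can be checked the same way before the PEM is deployed.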