8

The error that a lot of people get with Facebook authentication is:

CurlException: 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And the only information I can find about it suggest to add the following lines of code to curl:

$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;

I know this works, but what is going on here? Isn't there any server setting/configuration that can be changed instead of hacking up facebook.php?

user2009750
John

3 Answers

17

What It Does & Meaning:

The following code tells cURL NOT to verify that security certificates are correct. Hence, the error disappears.

  $opts[CURLOPT_SSL_VERIFYPEER] = false;
  $opts[CURLOPT_SSL_VERIFYHOST] = 2;

When you connect to a remote server over SSL, its certificate might be invalid, expired, or not signed by a recognized CA. cURL normally checks this.

CURLOPT_SSL_VERIFYHOST:

  • 1: to check the existence of a common name in the SSL peer certificate.
  • 2: to check the existence of a common name and also verify that it matches the hostname provided.

CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).


How to Enable & Verify Correctly:

To verify correctly, we need to verify that the certificate being presented to us is genuinely good. We do this by comparing it against a certificate we reasonably trust.

If the remote resource is protected by a certificate issued by one of the main CAs like Verisign, GeoTrust et al., you can safely compare against Mozilla's CA certificate bundle, which you can get from http://curl.haxx.se/docs/caextract.html

Save the file cacert.pem somewhere on your server and set the following options in your script.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_CAINFO, "pathto/cacert.pem");

If you are connecting to a resource protected by a self-signed certificate, all you need to do is obtain a copy of the certificate in PEM format and append it to the cacert.pem of the above paragraph.

shamittomar
  • I think his main question is what to do to get around this hack. – Pekka Sep 04 '10 at 15:06
  • so what would be the reason that this only happens on one of my servers and not the other? – John Sep 04 '10 at 16:29
  • @John, other servers have built-in security certificates and do not need certificates specified manually. Just like the browsers IE/Firefox have certificates built in and do not require YOU to give a cert file every time you want to connect to a secure login site like Gmail or Hotmail. – shamittomar Sep 04 '10 at 16:45
  • the variable $ch, where is it defined? – Phil Nov 28 '10 at 15:34
  • in facebook.php. Thanks shamit! – Phil Nov 28 '10 at 15:42
  • Ah! I've been looking everywhere for this relating to using a self signed certificate for nuSOAP. – salmonmoose Jun 20 '12 at 04:02
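As an added example (not code from the question or any of the answers above), here is a small wrapper that performs the HTTPS request with peer and host verification left ON and pinned to an explicit CA bundle, and turns cURL error 60 from the question into a clear exception instead of a reason to disable checking. The function name, the $caBundle path and the URL are assumptions for illustration.

```php
<?php
// Added example, not from the original thread. Assumes $caBundle is the
// cacert.pem downloaded from http://curl.haxx.se/docs/caextract.html
// and saved somewhere readable by the web server.

function https_get_verified(string $url, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Keep peer verification ON: the server's chain must lead to a CA in the bundle.
        CURLOPT_SSL_VERIFYPEER => true,
        // 2 = the certificate must also contain the hostname we connected to.
        CURLOPT_SSL_VERIFYHOST => 2,
        // Use a known-good bundle instead of whatever the OS may be missing.
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_TIMEOUT        => 15,
    ]);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    // 60 is CURLE_SSL_CACERT: the chain could not be verified against the bundle.
    // The fix is to supply/update the bundle, not to set VERIFYPEER to false.
    if ($errno === 60) {
        throw new RuntimeException(
            "TLS chain for $url did not verify against $caBundle: $error"
        );
    }
    if ($errno !== 0) {
        throw new RuntimeException("cURL error $errno: $error");
    }
    return $body;
}

// Usage (assumed path and URL):
// echo https_get_verified('https://graph.facebook.com/', '/etc/ssl/cacert.pem');
```

Dropping the bundle into php.ini as curl.cainfo (as the next answer shows) achieves the same thing for every cURL call without editing facebook.php.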
2

In my case, I could not use curl_setopt, because I could not edit the Facebook API classes (conditions of the project I was working on).

I solved the problem by adding the path to cacert.pem, downloaded from http://curl.haxx.se/docs/caextract.html, to my php.ini:

[curl]
curl.cainfo = "c:\wamp\cacert.pem"
malloc4k
0

I just had the same problem, and disabling peer verification is not acceptable in my case. I updated the fb_ca_chain_bundle.crt file (from Facebook's GitHub) and it works now.

Regards, Marek

Marek Roj