2

We're using composer to upgrade dependencies with Satis. After a recent server upgrade we were unable to do so. Narrowing down possible causes, we've discovered, that file_get_contents php function fails while trying to establish an ssl connection.

We're using the following script to test our ssl: 

<?php
$url = 'https://satis.work.com/packages.json';
$contextOptions = [
    'ssl' => [
        'verify_peer'      => false,
        'verify_peer_name' => false,
        'local_cert'       => '/home/work/.ssl/deployer.pem',
    ]
];
$sslContext = stream_context_create($contextOptions);
$result = file_get_contents($url, false, $sslContext);
echo $result, "\n";

This is thrown:

PHP Warning: file_get_contents(): Unable to set local cert chain file `/home/work/.ssl/deployer.pem'; Check that your cafile/capath settings include details of your certificate and its issuer in /home/omlook/test-ssl.php on line 12 PHP Warning: file_get_contents(): Failed to enable crypto in /home/work/test-ssl.php on line 12 PHP Warning: file_get_contents(https://satis.work.com/packages.json): failed to open stream: operation failed in /home/work/test-ssl.php on line 12

It is definitely not a problem with rights or file ownership, script can read .pem just fine. What's bewildering about this, is how the exact same script and .pem key work just fine in my local environment, and version differences aren't that significant, it seems.

Local environment:

PHP 7.0.18-0ubuntu0.16.04.1 (cli) ( NTS ) Copyright (c) 1997-2017 The PHP Group Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies with Zend OPcache v7.0.18-0ubuntu0.16.04.1, Copyright (c) 1999-2017, by Zend Technologies

OpenSSL 1.0.2g 1 Mar 2016

Server:

PHP 7.1.7-1+ubuntu14.04.1+deb.sury.org+1 (cli) (built: Jul 7 2017 10:07:42) ( NTS ) Copyright (c) 1997-2017 The PHP Group Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies with Zend OPcache v7.1.7-1+ubuntu14.04.1+deb.sury.org+1, Copyright (c) 1999-2017, by Zend Technologies

OpenSSL 1.1.0f 25 May 2017

serqol
  • 21
  • 4
  • have you tried to verify you certificate? should be something like this "openssl verify -verbose /home/work/.ssl/deployer.pem" – R A Jul 20 '17 at 21:44
  • Verify works fine: COMMAND(openssl verify -verbose -CAfile /home/work/.ssl/ca.pem /home/work/.ssl/deployer.pem) RESULTS IN (/home/work/.ssl/deployer.pem: OK) – Anton Jul 25 '17 at 10:03

2 Answers2

0

This seems to happen only if you leave out the cleartext-metadata (Issuer, Validity, etc.) before the "BEGIN CERTIFICATE" part in the PEM file. For newer builds of PHP (including 7.0) this part seems to be mandatory now. I haven't found out more so far, but my guess is, this is rather an openssl-issue. Renewing the certificate, including the metadata-part generated by openssl, solved the Problem for me.

borke79
  • 1
  • 1
0

I solved the same problem for me. It seems that cleartext metadata doesn't matter. Similar code worked for me on php 7.0 with openssl 1.1.0j and was broken on php 7.3 with openssl 1.1.1c - I've got the same error text. Adding cleartext metadata didn't help me. Adding cafile context parameter with current ca certificate didn't helped me too.

When I tried to make the same request with curl, I've got error:

curl -k --cert cert.pem https://myservice.com/soap/ShopService/
curl: (58) could not load PEM client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak, (no key found, wrong pass phrase, or wrong file format?)

So I find existing old client certificate was signed with weak sha1WithRsaEncryption algorithm. Private key was 2048 bit lenth - it's ok (if you have 1024 bits - it's not safe now and you need a new longer key also)

I've reissued my client certificate with actual sha256 hash (openssl option -sha256). My CA certificate had the same weak hash sha1 but it was not necessary to change it, just client certificate. Commands:

# here: 
# cert.pem - my old client certificate with private key
# ca.pem - service's current CA certificate for signing client certificates with it's private key
# cert2.pem - my new working client certificate with the same old private key
#
# make new certificate request from current client certificate
openssl x509 -x509toreq -in cert.pem -out cert2.csr -signkey cert.pem -sha256

# make new certificate
openssl x509 -req -in cert2.csr -out cert2.pem -CA ca.pem -sha256 -days 730 -set_serial 0x51ca170d

# append private key
openssl rsa -in cert.pem >> cert2.pem

Hours of pain and now it's ok ) Seems that php sends incorrect error message for this error.

Evgeny Smolin
  • 46
  • 1
  • 2