We have written some code to get some data from an API. The API requires us to pass a certificate, which works fine on a MacBook. We can specify either a P12 certificate or a PEM file using the following options for Guzzle (which uses cURL under the hood):
use GuzzleHttp\RequestOptions;

$options = [
    RequestOptions::FORM_PARAMS => [
        'grant_type'    => 'password',
        'client_id'     => $this->clientId,
        'client_secret' => $this->clientSecret,
        'scope'         => 'openid profile',
    ],
    // Client certificate as [path, passphrase]; Guzzle maps these to
    // CURLOPT_SSLCERT and CURLOPT_SSLCERTPASSWD. The same config keys are
    // used for both the PEM and the P12 file.
    'cert' => [
        Storage::disk('certificates')->path(config('hdn.client.p12_key_path')),
        config('hdn.client.p12_key_password'),
    ],
];

if (config('hdn.client.use_p12')) {
    // libcurl assumes PEM by default; tell it the file is a PKCS#12 bundle.
    $options['curl'] = [
        CURLOPT_SSLCERTTYPE => 'P12',
    ];
}
Locally on my MacBook this code works fine to retrieve the data from the API. But when trying to retrieve the public key using the same code and the same certificate on our CentOS 7 environment (using the PEM certificate), it throws the following error:
cURL error 58: unable to load client key: -8178 (SEC_ERROR_BAD_KEY) (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
And when using the P12 certificate it throws this error:
cURL error 58: unable to load client cert: -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR) (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
I don't get it, because on the MacBook it works like a charm with the same certificates.
MacBook cURL version:
curl 7.76.1 (x86_64-pc-linux-gnu) libcurl/7.76.1 OpenSSL/1.0.2k-fips zlib/1.2.7 Release-Date: 2021-04-14 Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: alt-svc AsynchDNS HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL UnixSockets
CentOS cURL version:
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
MacBook php -i | grep SSL:
SSL => Yes
MULTI_SSL => Yes
SSL Version => (SecureTransport) OpenSSL/1.1.1k
core SSL => supported
extended SSL => supported
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.1.1k 25 Mar 2021
OpenSSL Header Version => OpenSSL 1.1.1k 25 Mar 2021
SSL support => enabled
OpenSSL support => enabled
CentOS 7 php -i | grep SSL:
SSL => Yes
SSL Version => NSS/3.53.1
core SSL => supported
extended SSL => supported
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL Header Version => OpenSSL 1.0.2k 26 Jan 2017
Native OpenSSL support => enabled
What I tried:
- Upgrading cURL to the same version and also making sure PHP is using this version.
- Using the PKCS12 format instead of the PEM format, which also works on my MacBook.
- Checking whether an SSL certificate generated with OpenSSL does not work on NSS.
We read about cURL on the MacBook using LibreSSL / SecureTransport and on CentOS using OpenSSL (or something like that).
But I have no clue how to make it run on CentOS. If anyone has an idea, please let me know! Thanks a lot in advance.
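A diagnostic that is useful before changing any Guzzle options is to separate two questions that cURL error 58 lumps together: which TLS backend libcurl is built against on each host, and whether the certificate files and passphrase are themselves in order. The script below is an added example, not code from the question; it uses `curl_version()` for the backend and PHP's OpenSSL extension to parse the PEM and P12 files. The file paths and the `CERT_PASSWORD` environment variable are assumptions. Note the caveat: a file that PHP's OpenSSL extension parses can still be rejected by an NSS-built libcurl, because NSS loads certificates and keys with its own code, so a clean report here points at the backend rather than at the files.

```php
<?php
// Added diagnostic helper (not part of the question's code). Compare its
// output on the MacBook and on the CentOS host. Paths and the password
// source are assumed inputs.

declare(strict_types=1);

function curlTlsBackend(): string
{
    // libcurl reports the TLS library it was built with, e.g. "OpenSSL/1.1.1k"
    // or "NSS/3.53.1". Guzzle's curl handler inherits this backend.
    $v = curl_version();
    return $v['ssl_version'] ?? 'unknown';
}

function inspectPem(string $pemPath, ?string $password): array
{
    $pem = @file_get_contents($pemPath);
    if ($pem === false) {
        return ['readable' => false];
    }
    $report = ['readable' => true];

    // Certificate half of the file: openssl_x509_read() returns false when no
    // CERTIFICATE block parses.
    $cert = @openssl_x509_read($pem);
    $report['certificate_parses'] = $cert !== false;
    if ($cert !== false) {
        $info = openssl_x509_parse($cert);
        $report['subject'] = $info['name'] ?? null;
        $report['expires'] = isset($info['validTo_time_t'])
            ? date('c', $info['validTo_time_t'])
            : null;
    }

    // Key half: loading without a passphrase shows whether the key is
    // encrypted; loading with the configured one shows whether that
    // passphrase is correct and whether it belongs to the certificate.
    $hasKeyBlock = strpos($pem, 'PRIVATE KEY-----') !== false;
    $report['key_block_present'] = $hasKeyBlock;
    $report['key_needs_passphrase'] = $hasKeyBlock && @openssl_pkey_get_private($pem) === false;
    $key = @openssl_pkey_get_private($pem, $password ?? '');
    $report['key_loads_with_password'] = $key !== false;
    $report['key_matches_certificate'] = $cert !== false && $key !== false
        && openssl_x509_check_private_key($cert, $key);
    return $report;
}

function inspectPkcs12(string $p12Path, ?string $password): array
{
    $data = @file_get_contents($p12Path);
    if ($data === false) {
        return ['readable' => false];
    }
    // openssl_pkcs12_read() fills $bundle with 'cert', 'pkey' and optionally
    // 'extracerts' when the password is right and the container is intact.
    $bundle = [];
    $ok = @openssl_pkcs12_read($data, $bundle, $password ?? '');
    return [
        'readable'            => true,
        'opens_with_password' => $ok,
        'has_cert'            => $ok && isset($bundle['cert']),
        'has_key'             => $ok && isset($bundle['pkey']),
        'extra_chain_certs'   => $ok ? count($bundle['extracerts'] ?? []) : 0,
    ];
}

// Run directly from the CLI with assumed paths; the password comes from the
// environment so it never lands in shell history or in this file.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $password = getenv('CERT_PASSWORD') ?: null;
    echo 'curl TLS backend: ', curlTlsBackend(), PHP_EOL;
    print_r(inspectPem('/path/to/client.pem', $password));
    print_r(inspectPkcs12('/path/to/client.p12', $password));
}
```

If `key_needs_passphrase` is true on a PEM file, or `key_matches_certificate` is false, the files differ between the two hosts or the configured passphrase is wrong; if every field is fine on both hosts and only the `curl TLS backend` line differs, the difference is in libcurl's backend rather than in the certificate material.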