SSL錯誤Omnipay Guzzle CI - 驗證CA證書是否正確

我正在使用Omnipay（最新版本）執行一些在線支付。SSL錯誤Omnipay Guzzle CI - 驗證CA證書是否正確

我通過Cloudflares fleixble SSL使用SSL，因此沒有在域/服務器上安裝實際的SSL證書。它是所有工作完全正常，直到昨天，我開始收到以下錯誤：

Fatal error: Uncaught exception 'Guzzle\Http\Exception\CurlException' with message '[curl] 60: 
SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed [url] 
https://api.sandbox.ewaypayments.com/CreateAccessCode.json' in /home/verecsta/vendor/guzzle 
/http/Guzzle/Http/Curl/CurlMulti.php:359 Stack trace: #0 /home/verecsta/vendor/guzzle/http/Guzzle 
/Http/Curl/CurlMulti.php(292): Guzzle\Http\Curl\CurlMulti->isCurlException(Object(Guzzle 
\Http\Message\EntityEnclosingRequest), Object(Guzzle\Http\Curl\CurlHandle), Array) #1 
/home/verecsta/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(257): Guzzle\Http 
\Curl\CurlMulti->processResponse(Object(Guzzle\Http\Message\EntityEnclosingRequest), 
Object(Guzzle\Http\Curl\CurlHandle), Array) #2 /home/verecsta/vendor/guzzle/http/Guzzle/Http/Curl 
/CurlMulti.php(240): Guzzle\Http\Curl\CurlMulti->processMessages() #3 /home/verecsta/vendor 
/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(224): Guzzle\Http\Curl\CurlM in /home/verecsta/vendor 
/guzzle/http/Guzzle/Http/Curl/CurlMulti.php on line 359

如果我在狂飲設置$certificateAuthority = false;再次工作。但這並不理想。

我想不通它爲什麼突然停止工作？可以在我的服務器上過期嗎？我一直在谷歌上搜索這個問題，並遇到了幾次：

「基本上，這意味着你的服務器沒有最新的證書頒發機構捆包安裝」

這是什麼意思是什麼呢？我是否必須爲該域安裝SSL證書？或者還有其他需要更新的服務器？（因爲它工作正常，直到昨天使用clouldflares SSL所以猜測別的東西需要更新？）

另外我還以爲古怪使用它自己的證書$opts[CURLOPT_CAINFO] = __DIR__ . '/Resources/cacert.pem';所以再次不知道爲什麼我得到這個錯誤。

來源

2014-08-28 Ralph Vugts

這個問題發生在我有一天。這是因爲CentOS有一箇舊的證書權限包。

假設您正在運行CentOS，請嘗試通過ssh運行以下命令。首先備份您的證書，以防止它中斷。

# cp /etc/pki/tls/certs/ca-bundle.crt /root/backup/

然後只需下載新的證書包。

# curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

一旦更新這應該解決您的問題。

來源

2014-08-28 03:22:41 woody1990

謝謝你修好了！我現在可以使用$ opts [CURLOPT_CAINFO] = __DIR__。 '/Resources/cacert.pem';與Guzzle一起出現。 – 2014-08-28 03:31:31

Equifax認證api.sandbox.ewaypayments.com。你知道，因爲Equifax公司是發行人在兩個級別（請參見下面的2 i:）：

$ openssl s_client -connect api.sandbox.ewaypayments.com:443 
CONNECTED(00000003) 
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA 
verify error:num=20:unable to get local issuer certificate 
verify return:0 
--- 
Certificate chain 
0 s:/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/ 
    OU=See www.rapidssl.com/.../CN=api.sandbox.ewaypayments.com 
    i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA 
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA 
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority 
--- 
...

轉到GeoTrust Root Certificates，並下載根1 - Equifax安全證書頒發機構。它的默認文件名是Equifax_Secure_Certificate_Authority.pem。

現在，再次運行s_client。但是這次使用-CAfile選項。注意你完成Verify return code: 0 (ok)。

$ openssl s_client -connect api.sandbox.ewaypayments.com:443 -CAfile Equifax_Secure_Certificate_Authority.pem 
CONNECTED(00000003) 
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority 
verify return:1 
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA 
verify return:1 
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA 
verify return:1 
depth=0 serialNumber = heE9O2tltnG/R8itCXJOsm8M-n1x0sDe, OU = GT69801168, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = api.sandbox.ewaypayments.com 
verify return:1 
--- 
...

所以你的工作就是插上Equifax安全證書頒發機構進入暴食或捲曲。而不是cacerts.pem文件，您只需使用Equifax_Secure_Certificate_Authority.pem，因爲這是證明該站點的CA.

所以，我想你的代碼將類似於：

$opts[CURLOPT_CAINFO] = __DIR__ . '/Resources/Equifax_Secure_Certificate_Authority.pem';

如果需要，您可以cat的Equifax公司證書到cacert.pem，但我不會推薦：

$ cat Equifax_Secure_Certificate_Authority.pem >> Resources/cacert.pem

$ openssl s_client -connect api.sandbox.ewaypayments.com:443 -CAfile Equifax_Secure_Certificate_Authority.pem 
CONNECTED(00000003) 
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority 
verify return:1 
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA 
verify return:1 
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA 
verify return:1 
depth=0 serialNumber = heE9O2tltnG/R8itCXJOsm8M-n1x0sDe, OU = GT69801168, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = api.sandbox.ewaypayments.com 
verify return:1 
--- 
Certificate chain 
0 s:/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=api.sandbox.ewaypayments.com 
    i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA 
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA 
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority 
--- 
Server certificate 
-----BEGIN CERTIFICATE----- 
MIIFPjCCBCagAwIBAgIDFM3cMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT 
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew 
HhcNMTQwODI0MDUxNTE4WhcNMTUxMTI2MDU0NzM4WjCByzEpMCcGA1UEBRMgaGVF 
OU8ydGx0bkcvUjhpdENYSk9zbThNLW4xeDBzRGUxEzARBgNVBAsTCkdUNjk4MDEx 
NjgxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg 
KGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk 
U1NMKFIpMSUwIwYDVQQDExxhcGkuc2FuZGJveC5ld2F5cGF5bWVudHMuY29tMIIB 
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkdAtu8bclON50W7iy4idaXok 
NIwakZQiOv0P2++fVGMgHdE97zVL1oOCvFyIjMM4Tec6OMpAdIyWpivTYv1fG+Ak 
dtt53JiipL1nbRpyR3BMy6HZDUuiY7h23O0eEiV1QXt8EIbXlSXF6StLnvRfoSaA 
2g2HnglOgtNSYKzUY0+m6174vm4dtejGrCuiLQ5a+jGpeQPGQC7ZHYbLeVuZ3TJ4 
7+6JlYTtmwuTpGHcC2Vac7TKWqf10I3gT6nqMaImsgJAcnMn5zblYeGR2wzcIK0Y 
9GfxNNvCO5VtNS4ZGJ4//newHKyjKa02dBKu1VG4us84bR+PNN66xSv2NrJ2oQID 
AQABo4IBtzCCAbMwHwYDVR0jBBgwFoAUa2k9ahhCSt2PAmU5/TUkhniRFjAwDgYD 
VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAnBgNV 
HREEIDAeghxhcGkuc2FuZGJveC5ld2F5cGF5bWVudHMuY29tMEMGA1UdHwQ8MDow 
OKA2oDSGMmh0dHA6Ly9yYXBpZHNzbC1jcmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFw 
aWRzc2wuY3JsMB0GA1UdDgQWBBSttX4dSHpDQ8i8UhLPCKagSwI0bjAMBgNVHRMB 
Af8EAjAAMHgGCCsGAQUFBwEBBGwwajAtBggrBgEFBQcwAYYhaHR0cDovL3JhcGlk 
c3NsLW9jc3AuZ2VvdHJ1c3QuY29tMDkGCCsGAQUFBzAChi1odHRwOi8vcmFwaWRz 
c2wtYWlhLmdlb3RydXN0LmNvbS9yYXBpZHNzbC5jcnQwTAYDVR0gBEUwQzBBBgpg 
hkgBhvhFAQc2MDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2VvdHJ1c3QuY29t 
L3Jlc291cmNlcy9jcHMwDQYJKoZIhvcNAQEFBQADggEBAHPzeBWb4JHduYBMlfjS 
KnWC9XuGGanEhibB4llJfdwn19YyUpzICsCIPZtAUe0+pXfG3n2mLbRouLy8FDse 
HD/fHYSGv1V1E69S78kD28cTHFGqsfHjfoo5rsY/aYpZQ55gaCEle11LCvmH6Qe7 
Y8is2OiV5VzsOea8kMAPCNnZk/bxLfPQFqNkzJZU03F+Mwayc821AKbg+MubXGW2 
8r5/RtLrqzpYUvpwbq1e4rwqedQ3tdGT7IlaUawVRTKVl+xccTO2AfVrVAbuDtlo 
0h0Y+qGsJhhFRxRULRCbcxqcgZVOqO2JnEXCjLCBg3ucLnneLN3wrLgzq7j8q6aI 
5/c= 
-----END CERTIFICATE----- 
subject=/serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe/OU=GT69801168/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=api.sandbox.ewaypayments.com 
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 4207 bytes and written 506 bytes 
--- 
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA 
Server public key is 2048 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1 
    Cipher : DHE-RSA-AES256-SHA 
    Session-ID: DD7775A6CE6031234C07C11FD8EB297BD3936C4B5C630217EA7658D86A89A89D 
    Session-ID-ctx: 
    Master-Key: 28FE5406F41EAC68000D949D101EE3FED1753AFBB77E2853314D8436CA22D80FBA656976DF17E9C3A0DB3E9CEE4365B1 
    Key-Arg : None 
    PSK identity: None 
    PSK identity hint: None 
    SRP username: None 
    TLS session ticket lifetime hint: 300 (seconds) 
    TLS session ticket: 
    0000 - 6d 7c 92 08 26 2d 51 a7-93 e5 d9 f3 ca 35 e9 c3 m|..&-Q......5.. 
    0010 - ad 36 7b 52 bd 24 fc 06-f5 66 0f 15 f4 6c 90 a8 .6{R.$...f...l.. 
    0020 - 86 07 5b 90 b4 eb bd c7-63 73 0a 71 6c b7 17 eb ..[.....cs.ql... 
    0030 - 5a c5 21 5d 88 5e ff 74-76 55 0a fc 3d 5a 9e a6 Z.!].^.tvU..=Z.. 
    0040 - 20 70 b6 c9 f6 61 d6 87-f2 58 14 c4 ef 1a 52 9b p...a...X....R. 
    0050 - cc 11 0c c3 52 7c 8a 72-cf 6c 2e fb 26 ad 38 97 ....R|.r.l..&.8. 
    0060 - 67 54 f3 70 b1 49 36 e9-34 c1 fb 51 5a 1c ee 7f gT.p.I6.4..QZ... 
    0070 - 22 61 73 dc 75 0e f1 ff-33 47 7a 1e 6a 92 8b b6 "as.u...3Gz.j... 
    0080 - 20 4e 0a a8 bd 3a 53 04-56 af de 7d 65 a8 09 db N...:S.V..}e... 
    0090 - 7d 2d 9e 91 df cd f2 6b-f9 ba 57 ff 37 8c 09 0b }-.....k..W.7... 

    Start Time: 1409189687 
    Timeout : 300 (sec) 
    Verify return code: 0 (ok) 
---

來源

2014-08-28 01:41:00 jww

謝謝我剛剛下載了Equifax_Secure_Certificate_Authority.pem並指出Guzzle。但是現在我得到錯誤：致命錯誤：未收集異常'Guzzle \ Http \ Exception \ CurlException'帶有消息'[curl] 77：錯誤設置證書驗證位置：CAfile：/ home/verecsta/vendor/guzzle/http/Guzzle/Http/Resources/Equifax_Secure_Certificate_Authority.pem CApath：none [url] https://api.sandbox.ewaypayments.com/CreateAccessCode.json'in/home/verecsta/vendor/guzzle/http/Guzzle/Ht – 2014-08-28 02:18:05

還有什麼想法爲什麼它會突然停止工作？因爲它在 – 2014-08-28 02:19:44

*之前運行良好[捲曲] 77：錯誤設置證書驗證位置...「 - - 你應該問另一個問題。但是請看看[如何在使用cURL處理證書時嘗試訪問HTTPS URL？]（https://stackoverflow.com/questions/3160909/how-do-i-deal-with-certificates-using- curl-while-trying-access-an-https-url）cURL的作者Daniel Stenberg回答說。 – jww 2014-08-28 02:42:19

Also any idea why it would all of a sudden stop working? As it was running fine before

它看起來他們最近獲得了新證書。請看下面的日期notBefore。

（並且不用擔心error:num=20:unable to get local issuer certificate。我沒有使用-CAfile選項）。

$ openssl s_client -connect api.sandbox.ewaypayments.com:443 | openssl x509 -text -noout 
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA 
verify error:num=20:unable to get local issuer certificate 
verify return:0 
Certificate: 
    Data: 
     Version: 3 (0x2) 
     Serial Number: 1363420 (0x14cddc) 
    Signature Algorithm: sha1WithRSAEncryption 
     Issuer: C=US, O=GeoTrust, Inc., CN=RapidSSL CA 
     Validity 
      Not Before: Aug 24 05:15:18 2014 GMT 
      Not After : Nov 26 05:47:38 2015 GMT 
     Subject: serialNumber=heE9O2tltnG/R8itCXJOsm8M-n1x0sDe, OU=GT69801168, OU=See www.rapidssl.com/resources/cps (c)14, OU=Domain Control Validated - RapidSSL(R), CN=api.sandbox.ewaypayments.com 
     Subject Public Key Info: 
      Public Key Algorithm: rsaEncryption 
       Public-Key: (2048 bit) 
       Modulus: 
        00:91:d0:2d:bb:c6:dc:94:e3:79:d1:6e:e2:cb:88: 
        9d:69:7a:24:34:8c:1a:91:94:22:3a:fd:0f:db:ef: 
        9f:54:63:20:1d:d1:3d:ef:35:4b:d6:83:82:bc:5c: 
        88:8c:c3:38:4d:e7:3a:38:ca:40:74:8c:96:a6:2b: 
        d3:62:fd:5f:1b:e0:24:76:db:79:dc:98:a2:a4:bd: 
        67:6d:1a:72:47:70:4c:cb:a1:d9:0d:4b:a2:63:b8: 
        76:dc:ed:1e:12:25:75:41:7b:7c:10:86:d7:95:25: 
        c5:e9:2b:4b:9e:f4:5f:a1:26:80:da:0d:87:9e:09: 
        4e:82:d3:52:60:ac:d4:63:4f:a6:eb:5e:f8:be:6e: 
        1d:b5:e8:c6:ac:2b:a2:2d:0e:5a:fa:31:a9:79:03: 
        c6:40:2e:d9:1d:86:cb:79:5b:99:dd:32:78:ef:ee: 
        89:95:84:ed:9b:0b:93:a4:61:dc:0b:65:5a:73:b4: 
        ca:5a:a7:f5:d0:8d:e0:4f:a9:ea:31:a2:26:b2:02: 
        40:72:73:27:e7:36:e5:61:e1:91:db:0c:dc:20:ad: 
        18:f4:67:f1:34:db:c2:3b:95:6d:35:2e:19:18:9e: 
        3f:fe:77:b0:1c:ac:a3:29:ad:36:74:12:ae:d5:51: 
        b8:ba:cf:38:6d:1f:8f:34:de:ba:c5:2b:f6:36:b2: 
        76:a1 
       Exponent: 65537 (0x10001) 
     X509v3 extensions: 
      X509v3 Authority Key Identifier: 
       keyid:6B:69:3D:6A:18:42:4A:DD:8F:02:65:39:FD:35:24:86:78:91:16:30 

      X509v3 Key Usage: critical 
       Digital Signature, Key Encipherment 
      X509v3 Extended Key Usage: 
       TLS Web Server Authentication, TLS Web Client Authentication 
      X509v3 Subject Alternative Name: 
       DNS:api.sandbox.ewaypayments.com 
      X509v3 CRL Distribution Points: 

       Full Name: 
        URI:http://rapidssl-crl.geotrust.com/crls/rapidssl.crl 

      X509v3 Subject Key Identifier: 
       AD:B5:7E:1D:48:7A:43:43:C8:BC:52:12:CF:08:A6:A0:4B:02:34:6E 
      X509v3 Basic Constraints: critical 
       CA:FALSE 
      Authority Information Access: 
       OCSP - URI:http://rapidssl-ocsp.geotrust.com 
       CA Issuers - URI:http://rapidssl-aia.geotrust.com/rapidssl.crt 

      X509v3 Certificate Policies: 
       Policy: 2.16.840.1.113733.1.7.54 
        CPS: http://www.geotrust.com/resources/cps 

    Signature Algorithm: sha1WithRSAEncryption 
     73:f3:78:15:9b:e0:91:dd:b9:80:4c:95:f8:d2:2a:75:82:f5: 
     7b:86:19:a9:c4:86:26:c1:e2:59:49:7d:dc:27:d7:d6:32:52: 
     9c:c8:0a:c0:88:3d:9b:40:51:ed:3e:a5:77:c6:de:7d:a6:2d: 
     b4:68:b8:bc:bc:14:3b:1e:1c:3f:df:1d:84:86:bf:55:75:13: 
     af:52:ef:c9:03:db:c7:13:1c:51:aa:b1:f1:e3:7e:8a:39:ae: 
     c6:3f:69:8a:59:43:9e:60:68:21:25:7b:5d:4b:0a:f9:87:e9: 
     07:bb:63:c8:ac:d8:e8:95:e5:5c:ec:39:e6:bc:90:c0:0f:08: 
     d9:d9:93:f6:f1:2d:f3:d0:16:a3:64:cc:96:54:d3:71:7e:33: 
     06:b2:73:cd:b5:00:a6:e0:f8:cb:9b:5c:65:b6:f2:be:7f:46: 
     d2:eb:ab:3a:58:52:fa:70:6e:ad:5e:e2:bc:2a:79:d4:37:b5: 
     d1:93:ec:89:5a:51:ac:15:45:32:95:97:ec:5c:71:33:b6:01: 
     f5:6b:54:06:ee:0e:d9:68:d2:1d:18:fa:a1:ac:26:18:45:47: 
     14:54:2d:10:9b:73:1a:9c:81:95:4e:a8:ed:89:9c:45:c2:8c: 
     b0:81:83:7b:9c:2e:79:de:2c:dd:f0:ac:b8:33:ab:b8:fc:ab: 
     a6:88:e7:f7

來源

2014-08-28 02:39:31 jww

感謝你的時間，並沒有解決我的問題，但你已經教會了我很多關於openssl的知識。 woody1990的答案解決了我的問題，出於某種原因GA套件必須通過curl在服務器上更新http://curl.haxx.se/ca/cacert.pem -o/etc/pki/tls/certs/ca-bundle .crt – 2014-08-28 03:50:06

SSL錯誤Omnipay Guzzle CI - 驗證CA證書是否正確

回答

相關問題