cURL 与 SSL 证书失败：错误 58 无法设置私钥文件

Question

I'm trying to connect to a remote host using cURL. The connection requires the use of a certificate and a private key which is password protected. So far I'm unsuccessful with this code below:

<?php
    $wsdl       = 'https://domain.com/?wsdl';
    $certFile   = getcwd() . '/auth/cert.pem';
    $keyFile    = getcwd() . '/auth/key.pem';
    $password   = 'pwd';

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,           $wsdl);
    curl_setopt($ch, CURLOPT_SSLCERT,       $certFile);
    curl_setopt($ch, CURLOPT_SSLKEYPASSWD,  $password);
    curl_setopt($ch, CURLOPT_SSLKEY,        $keyFile);
    #curl_setopt($ch, CURLOPT_FRESH_CONNECT, true);
    #curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    #curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    $output = curl_exec($ch);

    var_dump(curl_errno($ch));
    var_dump(curl_error($ch));

The result I keep getting is error 58 : unable to set private key file: '/home/.../domains/.../public_html/auth/key.pem' type PEM .

Things I've tried so far:

• Check if the key-file is readable as suggested here: Unable to use libcurl to access a site requiring client authentication . Trying to pass the file through openssl_private_key() gives me a resource, and not a boolean. So this seems good.
• Switch the order of the content in the key.pem file as suggested here: Unable to use libcurl to access a site requiring client authentication . No luck so far.
• Played around with some other options like SLL_VERIFY_PEER , SSL_VERIFY_HOST , SSL_CERTTYPE and other options which seemed trivial regarding the official PHP-docs. No luck so far.

I'm pretty sure the problem lies somehwere in my configuration, but I'm not sure where to look.

Answer 1

I've fixed this problem. I think, due to the number of questions regarding this issue and number of different solutions, others will benefit from the solution. Here goes:

I used the openssl CLI program to convert the .p12 key-file to a .pem key-file. The trick is the way the conversion takes place.

First I converted it with this command and I had the issue as described in the question:

openssl pkcs12 -in key.p12 -out key.pem -nodes -clcerts

While the command below did the actual trick:

openssl pkcs12 -in key.p12 -out key.pem -clcerts

For more info please see the source I used: https://community.qualys.com/docs/DOC-3273

Answer 2

Just in case this is useful to others searching for this problem, I ended up discovering that CURLOPT_SSLCERT and CURLOPT_SSLKEY don't seem to work with relative paths.

This is with WAMP, php version 5.5 on Windows.

Answer 3

I got the same error when using the curl and when searching found this question. I was using the command curl --key my.pem https://example.com/

The solution that worked for me was to add the --key option and point to the same PEM file. Apparently, the PEM file (in my case) had the key as well as the certificate.

I tested it with the curl command:

curl --cert my.pem  --key my.pem https://example.com/my/url