I'm running an Apache2 on a Linux Ubuntu 15.04 VM. I've created a self signed openssl certificate. Therefore, I have the following folder structure: "usr/local/openssl", while this directory consists of the following main folders: bin; certs; lib; private; openssl.conf; ...
Within the certs folder, I created a "zertifikat-pub.pem" file, and in the private folder a "zertifikat-key.pem" file. When trying to run "composer update" to connect to a repository running on apache2, I keep getting the following error:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Failed to enable crypto failed to open stream: operation failed
When running "var_dump(openssl_get_cert_locations());", I get the following:
From what I've read, default_cert_file and default_cert_dir seem to be massively wrong, but I don't know how to change them.
In php ini file, I added the following two lines:
openssl.cafile=/usr/local/openssl/certs/ca.crt
openssl.capath=/usr/local/openssl/certs
In addition, I changed the variables "SSL_CERT_FILE" and "SSL_CERT_DIR" to the same paths as in php.ini.
In openssl.conf file, I've set:
dir = /usr/local/openssl
And in apache2 Virtual host file (which is hosting the repository on port 443 composer is trying to connect to), I've added:
# ssl
SSLEngine on
SSLCertificateFile /usr/local/openssl/certs/ca.crt
SSLCertificateKeyFile /usr/local/openssl/private/ca.key
Restarting apache and computer etc. does not solve the error. Always getting the same certificate failed error.
What am I doing wrong? Strange behaviour is that I can access the site in the browser, but not via composer..
Do I need to copy some file to my Windows client, like importing a certificate? Currently, ca.crt and ca.key are on the Linux server. I also tried copying ca.crt to Windows and adding this to the composer.json file of the project on Windows:
"options": {
    "ssl": {
        "local_cert": "C:/Users/Pb/Documents/ca.crt"
    }
}
When you created the self-signed certificates, they will have been signed by a "Certificate Authority" certificate. This will be on your local machine too.
Your question doesn't specify how you created the self signed cert, but if using openssl, it probably had a command along the lines of:
openssl ca -in apache.csr -cert /path/to/ca.crt -keyfile /path/to/ca.key -out apache.crt
In your php.ini, cafile needs to point to the CA certificate and not the apache one:
openssl.cafile=/path/to/ca.crt
What happens during the ssl negotiations is that the web server will send a variant of the apache.crt contents to the client (composer) which includes details of how the certificate was signed - in this case by ca.crt. The client compares this with the list of certificates it trusts which is set by openssl.cafile. If there is a match and various cryptographic checksums add up then the verification is complete. If there is no match then it doesn't.
Update following your answer:
When setting up SSL hosting, you need a few things.
Apache config:
SSLCACertificateFile /path/to/ca.crt
SSLCertificateKeyFile /path/to/zertifikat-key.pem
SSLCertificateFile /path/to/zertifikat-pub.pem
php config:
openssl.cafile=/path/to/ca.crt
If the contents of the files are correct then I would expect this to work. You can also test the server configuration with curl:
curl https://yoursite.com/ --cacert /path/to/ca.crt
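The trust relationship described in the answer can be reproduced offline. The following is an added example, not code from the question or the answer: it builds a throwaway CA and a server certificate signed by it, then verifies the server certificate against each file used as the trust file. The file names, subject names and temporary directory are constructed for the demonstration, and the helper functions are hypothetical.

```shell
#!/bin/sh
# Added example; all names and paths are constructed in a temp directory.
set -eu

make_demo_pki() {   # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed CA certificate: the file openssl.cafile / --cacert must name.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # Server key and signing request (the role of zertifikat-key.pem).
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=repo.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    # The CA signs the request, producing the certificate Apache presents.
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# Succeeds when certificate $2 verifies against trust file $1.
trusts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds when the issuer of $2 equals the subject of $1.
issued_by() {
    ca_subject=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    issuer=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer=//')
    [ "$ca_subject" = "$issuer" ]
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"
for f in ca.crt server.crt; do
    if trusts "$DEMO_DIR/$f" "$DEMO_DIR/server.crt"; then r="verifies"
    else r="certificate verify failed"; fi
    echo "trust file $f -> $r"
done
```

Running issued_by against a real pair of files shows whether the file named in openssl.cafile is actually the issuer of the certificate the server presents.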