
OpenSSL with PHP 5.6 and Composer - Certificate verify failed

I'm running Apache2 on a Linux Ubuntu 15.04 VM. I've created a self-signed OpenSSL certificate. Therefore, I have the following folder structure: "usr/local/openssl", where this directory consists of the following main folders: bin; certs; lib; private; openssl.conf; ...

Within the certs folder, I created a "zertifikat-pub.pem" file, and in the private folder a "zertifikat-key.pem" file. When trying to run "composer update" to connect to a repository running on Apache2, I keep getting the following error:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Failed to enable crypto failed to open stream: operation failed

When running "var_dump(openssl_get_cert_locations());", I get the following:


From what I've read, default_cert_file and default_cert_dir seem to be massively wrong, but I don't know how to change it.

In the php.ini file, I added the following two lines:

openssl.cafile=/usr/local/openssl/certs/ca.crt
openssl.capath=/usr/local/openssl/certs

In addition, I changed the variables "SSL_CERT_FILE" and "SSL_CERT_DIR" to the same paths as in php.ini.

In the openssl.conf file, I've set:

dir = /usr/local/openssl

And in the Apache2 virtual host file (which is hosting the repository on port 443 that composer is trying to connect to), I've added:

    # ssl
    SSLEngine on
    SSLCertificateFile     /usr/local/openssl/certs/ca.crt
    SSLCertificateKeyFile  /usr/local/openssl/private/ca.key

Restarting Apache, the computer, etc. does not solve the error. I always get the same certificate failed error.

What am I doing wrong? The strange behaviour is that I can access the site in the browser, but not via composer.

Do I need to copy some file to my Windows client, like importing a certificate? Currently, ca.crt and ca.key lie on the Linux server. I also tried copying ca.crt to Windows and adding it to the composer.json file of the project on Windows:

"options": {
    "ssl": {
        "local_cert": "C:/Users/Pb/Documents/ca.crt"
    }
}

When you created the self-signed certificates, they will have been signed by a "Certificate Authority" certificate. This will be on your local machine too.

Your question doesn't specify how you created the self-signed cert, but if using openssl, it probably had a command along the lines of:

openssl ca -in apache.csr -cert /path/to/ca.crt -keyfile /path/to/ca.key -out apache.crt

In your php.ini, cafile needs to point to the CA certificate and not the Apache one:

openssl.cafile=/path/to/ca.crt

What happens during the SSL negotiation is that the web server will send a variant of the apache.crt contents to the client (composer) which includes details of how the certificate was signed - in this case by ca.crt. The client compares this with the list of certificates it trusts, which is set by openssl.cafile. If there is a match and the various cryptographic checksums add up, then the verification is complete. If there is no match, then it isn't.

Update following your answer:

When setting up SSL hosting, you need a few things.

  1. A Certificate Authority - key and cert. This is what both the client and server must trust. Usually these are pre-set for public use via pre-shared public lists in web browsers etc. But it's possible to create and use your own, which is what it looks like you are doing.
  2. A site-specific certificate. This must be signed by the Certificate Authority and is configured on the server. When web hosting, the Common Name of the certificate must match the host name of the server for it to be considered valid.

Apache config:

SSLCACertificateFile /path/to/ca.crt
SSLCertificateKeyFile /path/to/zertifikat-key
SSLCertificateFile /path/to/zertifikat-pub.pem

php config:

openssl.cafile=/path/to/ca.crt

If the contents of the files are correct then I would expect this to work. You can also test the server configuration with curl:

curl https://yoursite.com/ --cacert /path/to/ca.crt
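The following PHP script is an added example, not code from the question or the answer. It reproduces outside Composer the two checks the answer describes: whether the file named in openssl.cafile actually signed the certificate Apache serves, and whether the certificate's name matches the host. It uses PHP's own OpenSSL stream and x509 functions; $host, $caFile and $siteCert are placeholder paths you must replace.

```php
<?php
// Added example (not from the question or answer): reproduce, outside
// Composer, the two checks the answer describes: does the CA file sign the
// site certificate, and does the certificate's name match the host?
// $host, $caFile and $siteCert are assumptions; replace them with your own.

$host     = 'yoursite.com';                 // assumption: the vhost's host name
$caFile   = '/path/to/ca.crt';              // assumption: the CA that signed the site cert
$siteCert = '/path/to/zertifikat-pub.pem';  // assumption: the cert Apache serves

// Offline check: verify the site certificate against the CA file alone,
// which is exactly the trust list that openssl.cafile gives PHP/Composer.
// Pointing $caFile at the Apache cert instead of the CA makes this FAIL,
// which is the situation behind "certificate verify failed".
function checkChainOffline($siteCert, $caFile)
{
    $cert = openssl_x509_read(file_get_contents($siteCert));
    if ($cert === false) {
        return "cannot parse $siteCert";
    }
    // true = chain verifies to $caFile, false = it does not, -1 = error
    $ok   = openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_SERVER, [$caFile]);
    $info = openssl_x509_parse($cert);
    $cn     = isset($info['subject']['CN']) ? $info['subject']['CN'] : '(none)';
    $issuer = isset($info['issuer']['CN'])  ? $info['issuer']['CN']  : '(none)';
    return sprintf("subject CN=%s, issuer CN=%s, chain to %s: %s",
        $cn, $issuer, basename($caFile), $ok === true ? 'OK' : 'FAILED');
}

// Live check: do the same TLS handshake Composer does, with peer and
// peer-name verification switched on (PHP 5.6 defaults), and report the
// OpenSSL reason when it fails. verify_peer_name is the CN/host-name
// check from point 2 of the answer.
function checkHandshake($host, $caFile)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'cafile'            => $caFile,   // same role as openssl.cafile in php.ini
        'capture_peer_cert' => true,
    ]]);
    $fp = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // Drain OpenSSL's error queue so the real reason (e.g. a cafile
        // that does not contain the issuer) is visible, not just "failed".
        $reasons = [];
        while (($msg = openssl_error_string()) !== false) {
            $reasons[] = $msg;
        }
        return "handshake FAILED: $errstr\n  " . implode("\n  ", $reasons);
    }
    $opts = stream_context_get_options($fp);
    $peer = openssl_x509_parse($opts['ssl']['peer_certificate']);
    fclose($fp);
    return "handshake OK, server presented CN=" . $peer['subject']['CN'];
}

echo checkChainOffline($siteCert, $caFile), PHP_EOL;
echo checkHandshake($host, $caFile), PHP_EOL;
```

Run it with the PHP binary Composer uses (php check-tls.php) on the server, or on the Windows client after copying ca.crt there. The first line tells you whether the CA file you chose is the issuer of the site certificate; the second shows the handshake result with OpenSSL's own reason, which is more informative than the one-line error Composer prints. Remove the 'cafile' entry from the context to test what php.ini's openssl.cafile provides by default.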
