
Re: PHP 7.2.9 error => fopen(): SSL operation failed with code 1.




Sorry, I forgot to copy the list on this reply.

-------- Forwarded Message --------

Date: Wed, 12 Sep 2018 23:05:10 -0400
Subject: Re: PHP 7.2.9 error => fopen(): SSL operation failed with code 1.
To: Nguyễn Hoàng Lân <somewheremylove.nh87@xxxxxxxxx>
Reply-to: john.iliffe@xxxxxxxxx
From: John <john.iliffe@xxxxxxxxx>

Thanks for the prompt reply!

I checked and there is NO cert.pem file anywhere in the openssl 1.1.0i file structure. In fact the path that you suggest {prefix}/ssl/certs is not present in openssl 1.1.0i.

I also have openssl 1.0.2k running and that DOES have the cert.pem file on this path.

Can I just copy that file from the previous openssl?

John
==========================================


On Thu, 2018-09-13 at 09:57 +0700, Nguyễn Hoàng Lân wrote:
Can you check if you have cert.pem under your openssl path (something like /built/openssl/ssl/cert.pem)? Also check whether your php.ini is using a custom path, e.g. openssl.cafile or openssl.capath.

On Thu, 13 Sep 2018 at 09:44, John <john.iliffe@xxxxxxxxx> wrote:
PHP 7.2.9 with openssl 1.1.0i on php-fpm

I just updated to PHP 7.2.9 from PHP 5.6.30 and I have resolved many of the
problems but this one's got me.  The full error message is:

--------------
PHP Warning:  fopen(): SSL operation failed with code 1. OpenSSL Error
messages:\nerror:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed in
/httpd/xxxx.php on line 9999
---------------

and a number of derived errors following.  I reverted to 5.6.30 and this open()
works properly so it is related to PHP 7 somehow.

Googling turned up many possible answers but none of them seem to work on my PHP
here.  The most common answer is to put this in the script ahead of the open:

stream_context_set_default([
    'ssl' => [
        'verify_peer' => false,
        'verify_peer_name' => false,
    ],
]);

Other than being a huge security hole, it doesn't work.  The location I am
trying to open has a valid certificate and the signing CA is Verisign so it is
unlikely that openssl doesn't have the current CA certificate available.

How would I proceed to debug this?

Any ideas would be very much appreciated.

John
==============================================
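
An added example, not part of the original thread: one way to carry out the check suggested in the reply, listing where this PHP/OpenSSL build looks for CA certificates and whether those paths exist, then retrying the open with verification left on and an explicit CA bundle. The URL and the bundle path are placeholders.

```php
<?php
// Added example, not from the thread. $url and $bundle are placeholders.
$url    = 'https://example.com/';
$bundle = '/path/to/ca-bundle.pem';   // a PEM CA bundle you trust

// Describe a configured path: unset, missing, file, or directory.
function describe(string $path): string
{
    if ($path === '') {
        return 'not set';
    }
    if (is_file($path)) {
        return is_readable($path) ? 'file, readable' : 'file, NOT readable';
    }
    if (is_dir($path)) {
        // OpenSSL only uses hash-named entries (c_rehash / openssl rehash).
        return 'dir, ' . count(glob($path . '/*.[0-9]') ?: []) . ' hashed entries';
    }
    return 'MISSING';
}

// 1. Where does this PHP/OpenSSL build look for CA certificates?
$loc = openssl_get_cert_locations();
$paths = [
    'php.ini openssl.cafile' => $loc['ini_cafile'],
    'php.ini openssl.capath' => $loc['ini_capath'],
    'OpenSSL default file'   => $loc['default_cert_file'],
    'OpenSSL default dir'    => $loc['default_cert_dir'],
    'env ' . $loc['default_cert_file_env'] => (string) getenv($loc['default_cert_file_env']),
    'env ' . $loc['default_cert_dir_env']  => (string) getenv($loc['default_cert_dir_env']),
];
foreach ($paths as $label => $path) {
    printf("%-24s %-40s [%s]\n", $label, $path, describe((string) $path));
}

// 2. Retry the open with verification ON and an explicit CA bundle.
$ctx = stream_context_create(['ssl' => [
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'cafile'           => $bundle,
]]);
$fh = is_file($bundle) ? @fopen($url, 'r', false, $ctx) : false;
if ($fh === false) {
    echo 'open failed: ', error_get_last()['message'] ?? "bundle $bundle not found", "\n";
} else {
    echo "certificate chain verified using $bundle\n";
    fclose($fh);
}
```

Run it through php-fpm as well as the CLI, since the two can load different php.ini files.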