Openssl: error:14090086:ssl routines:ssl3_get_server_certificate:certificate verify failed

Question

Problem :

I have upgraded to PHP 5.6 I am getting an error as follows whenever I am trying to connect to the server via fsockopen().

The certificate on the server or host is self signed.

PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

My code as below

if($fp = fsockopen($host, $port, $errno, $errstr, 20)){

    $this->request = 'POST '.substr($this->url, strlen($this->host)).' HTTP/1.1'.$crlf

        .'Host: '.$this->host.$crlf

        .'Content-Length: '.$content_length.$crlf

        .'Connection: Close'.$crlf.$crlf

        .$body;

    fwrite($fp, $this->request);

    while($line = fgets($fp)){

        if($line !== false){

            $this->response .= $line;

        }

    }

    fclose($fp);

}

Have tried following

# cd /etc/ssl/certs/

# wget http://curl.haxx.se/ca/cacert.pem

The php.ini

openssl.cafile = "/etc/ssl/certs/cacert.pem"

But the script is still failing to work as expected.

Answer 1

I was on my CentOS 7 and my php installation was pointing to the certificate that was generated by using update-ca-trust. And the symlink was /etc/pki/tls/cert.pem and was pointing to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. This was just my test server and I wanted my self signed cert to work properly. So in my case as follows

# My root ca-trust folder was on below path and. I copied the .crt file to this location

# and also renamed it to a .pem

/etc/pki/ca-trust/source/anchors/self-signed-cert.pem

# After that run following command and it should regenerate the certs for you and

#will include your selfsigned cert file.also

update-ca-trust

After doing this some of my api calls started working as my cert was now trusted. After that I just ran the following command man update-ca-trust .