
php - aws - curl error 60: ssl certificate problem: unable to get local issuer certificate



Guzzle cURL Error 60: SSL unable to get local issuer (8)

Trying to use the YouTube API v3 to get information about some videos, using Guzzle in Symfony2 with service descriptors.

When I run the script, I get this:

[curl] 60: SSL certificate problem: unable to get local issuer certificate [url] https://www.googleapis.com/youtube/v3/videos?id=2xbVbCoHBgA&part=snippet&key={MY_KEY}

500 Internal Server Error - CurlException

My descriptor looks like this:

{
    "name": "YouTube",
    "baseUrl": "https://www.googleapis.com",
    "apiVersion": "v3",
    "description": "YouTube GData Graph API",
    "operations": {
        "GetVideos": {
            "httpMethod": "GET",
            "uri": "/youtube/v3/videos",
            "parameters": {
                "id": {
                    "type": "string",
                    "location": "query",
                    "required": true
                },
                "part": {
                    "location": "query",
                    "default": "snippet"
                },
                "key": {
                    "location": "query",
                    "default": "{MY KEY}",
                    "static": true
                },
                "maxResults": {
                    "location": "query",
                    "default": 50
                }
            }
        }
    }
}

This is running on a local Ubuntu 14.04 development environment with a very basic LAMP stack up and running.

Any ideas on what could be causing this?


[curl] 60: SSL certificate problem: unable to get local issuer certificate

Well, from the outside looking in, it appears the server's certificate is bad. It does not include the name "googleapis.com".

First, fetch the certificate with openssl s_client:

openssl s_client -connect googleapis.com:443

Then save the certificate to a file. The certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

Next, dump the certificate with openssl x509 (shown below). It's missing googleapis.com.

You probably need to accept the name mismatch and pin the server's public key. Google rotates its certificates every 30 days or so to keep the CRLs small for mobile clients. That means you can't pin the certificate. However, Google re-certifies the same public key, so key continuity schemes like public key pinning work.

There's a second, smaller problem when using openssl s_client. s_client needs the CAfile option using Google Internet Authority G2. The missing CA is causing the unable to get local issuer certificate error below. You can download Google's CA file at pki.google.com.

$ openssl s_client -connect googleapis.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

You can also use Equifax Secure Certificate Authority as the root of trust, since it looks like Google's CA is certified by Equifax.

But the name mismatch is a show stopper. That's the one thing an X509 certificate is supposed to do: bind an entity, like a server name or user, to a public key via a trusted authority. It does not matter who signed the broken certificate (I could have signed it).

$ openssl x509 -in googleapis-com.txt -inform PEM -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 9106978240760957072 (0x7e627c7589c4c890) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2 Validity Not Before: Jul 2 13:04:27 2014 GMT Not After : Sep 30 00:00:00 2014 GMT Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=google.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ab:02:29:67:f1:08:cc:f0:5c:63:ff:75:b3:bd: 41:62:c6:83:0c:3b:e6:1b:9a:41:0d:dc:5a:b3:34: db:a3:37:6f:4f:bf:f5:8a:01:39:6a:91:b7:d1:a6: 83:6d:c6:28:60:79:c9:07:f2:ad:23:00:f2:31:74: b0:a3:d0:d6:ac:5a:f4:31:c8:98:9c:49:c6:20:0b: ce:81:2b:51:b6:54:0f:65:54:f2:b3:08:c9:c0:c8: ca:a6:ec:bb:fc:8e:a5:64:70:6b:dc:08:45:9c:14: cd:cd:aa:49:fd:e9:a5:f1:7d:c6:f8:5d:52:e8:d8: 3d:21:81:46:49:ba:f7:bd:7d:07:42:31:cf:79:61: b1:47:2c:ba:ce:5a:cd:52:4a:5f:d2:b6:88:d0:a2: 94:53:e2:65:d6:66:80:43:17:e1:2e:43:ab:ca:2f: 79:e6:11:8b:4a:35:fa:e1:43:e3:49:66:5a:1f:e0: a3:1c:5e:1c:6e:aa:de:0d:ba:cb:20:e3:3d:9e:66: 47:32:25:3c:01:22:b3:69:a6:96:0e:2e:13:c7:fd: 70:c6:61:7e:a9:f0:ad:a4:a6:41:13:36:8c:46:74: c8:a5:ac:b0:b5:17:00:b8:0e:62:79:1a:fc:7e:7c: 2b:f7:2e:c0:ab:07:fc:8e:46:3c:8f:f2:e5:6e:8f: 83:17 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Alternative Name: DNS:google.com, DNS:*.2mdn.net, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.au.doubleclick.net, DNS:*.cc-dt.com, DNS:*.cloud.google.com, DNS:*.de.doubleclick.net, DNS:*.doubleclick.com, DNS:*.doubleclick.net, DNS:*.fls.doubleclick.net, DNS:*.fr.doubleclick.net, DNS:*.google-analytics.com, DNS:*.google.ac, DNS:*.google.ad, DNS:*.google.ae, DNS:*.google.af, DNS:*.google.ag, DNS:*.google.al, DNS:*.google.am, DNS:*.google.as, DNS:*.google.at, DNS:*.google.az, DNS:*.google.ba, DNS:*.google.be, DNS:*.google.bf, DNS:*.google.bg, 
DNS:*.google.bi, DNS:*.google.bj, DNS:*.google.bs, DNS:*.google.bt, DNS:*.google.by, DNS:*.google.ca, DNS:*.google.cat, DNS:*.google.cc, DNS:*.google.cd, DNS:*.google.cf, DNS:*.google.cg, DNS:*.google.ch, DNS:*.google.ci, DNS:*.google.cl, DNS:*.google.cm, DNS:*.google.cn, DNS:*.google.co.ao, DNS:*.google.co.bw, DNS:*.google.co.ck, DNS:*.google.co.cr, DNS:*.google.co.hu, DNS:*.google.co.id, DNS:*.google.co.il, DNS:*.google.co.im, DNS:*.google.co.in, DNS:*.google.co.je, DNS:*.google.co.jp, DNS:*.google.co.ke, DNS:*.google.co.kr, DNS:*.google.co.ls, DNS:*.google.co.ma, DNS:*.google.co.mz, DNS:*.google.co.nz, DNS:*.google.co.th, DNS:*.google.co.tz, DNS:*.google.co.ug, DNS:*.google.co.uk, DNS:*.google.co.uz, DNS:*.google.co.ve, DNS:*.google.co.vi, DNS:*.google.co.za, DNS:*.google.co.zm, DNS:*.google.co.zw, DNS:*.google.com, DNS:*.google.com.af, DNS:*.google.com.ag, DNS:*.google.com.ai, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.bd, DNS:*.google.com.bh, DNS:*.google.com.bn, DNS:*.google.com.bo, DNS:*.google.com.br, DNS:*.google.com.by, DNS:*.google.com.bz, DNS:*.google.com.cn, DNS:*.google.com.co, DNS:*.google.com.cu, DNS:*.google.com.cy, DNS:*.google.com.do, DNS:*.google.com.ec, DNS:*.google.com.eg, DNS:*.google.com.et, DNS:*.google.com.fj, DNS:*.google.com.ge, DNS:*.google.com.gh, DNS:*.google.com.gi, DNS:*.google.com.gr, DNS:*.google.com.gt, DNS:*.google.com.hk, DNS:*.google.com.iq, DNS:*.google.com.jm, DNS:*.google.com.jo, DNS:*.google.com.kh, DNS:*.google.com.kw, DNS:*.google.com.lb, DNS:*.google.com.ly, DNS:*.google.com.mm, DNS:*.google.com.mt, DNS:*.google.com.mx, DNS:*.google.com.my, DNS:*.google.com.na, DNS:*.google.com.nf, DNS:*.google.com.ng, DNS:*.google.com.ni, DNS:*.google.com.np, DNS:*.google.com.nr, DNS:*.google.com.om, DNS:*.google.com.pa, DNS:*.google.com.pe, DNS:*.google.com.pg, DNS:*.google.com.ph, DNS:*.google.com.pk, DNS:*.google.com.pl, DNS:*.google.com.pr, DNS:*.google.com.py, DNS:*.google.com.qa, DNS:*.google.com.ru, 
DNS:*.google.com.sa, DNS:*.google.com.sb, DNS:*.google.com.sg, DNS:*.google.com.sl, DNS:*.google.com.sv, DNS:*.google.com.tj, DNS:*.google.com.tn, DNS:*.google.com.tr, DNS:*.google.com.tw, DNS:*.google.com.ua, DNS:*.google.com.uy, DNS:*.google.com.vc, DNS:*.google.com.ve, DNS:*.google.com.vn, DNS:*.google.cv, DNS:*.google.cz, DNS:*.google.de, DNS:*.google.dj, DNS:*.google.dk, DNS:*.google.dm, DNS:*.google.dz, DNS:*.google.ee, DNS:*.google.es, DNS:*.google.fi, DNS:*.google.fm, DNS:*.google.fr, DNS:*.google.ga, DNS:*.google.ge, DNS:*.google.gg, DNS:*.google.gl, DNS:*.google.gm, DNS:*.google.gp, DNS:*.google.gr, DNS:*.google.gy, DNS:*.google.hk, DNS:*.google.hn, DNS:*.google.hr, DNS:*.google.ht, DNS:*.google.hu, DNS:*.google.ie, DNS:*.google.im, DNS:*.google.info, DNS:*.google.iq, DNS:*.google.ir, DNS:*.google.is, DNS:*.google.it, DNS:*.google.it.ao, DNS:*.google.je, DNS:*.google.jo, DNS:*.google.jobs, DNS:*.google.jp, DNS:*.google.kg, DNS:*.google.ki, DNS:*.google.kz, DNS:*.google.la, DNS:*.google.li, DNS:*.google.lk, DNS:*.google.lt, DNS:*.google.lu, DNS:*.google.lv, DNS:*.google.md, DNS:*.google.me, DNS:*.google.mg, DNS:*.google.mk, DNS:*.google.ml, DNS:*.google.mn, DNS:*.google.ms, DNS:*.google.mu, DNS:*.google.mv, DNS:*.google.mw, DNS:*.google.ne, DNS:*.google.ne.jp, DNS:*.google.net, DNS:*.google.ng, DNS:*.google.nl, DNS:*.google.no, DNS:*.google.nr, DNS:*.google.nu, DNS:*.google.off.ai, DNS:*.google.pk, DNS:*.google.pl, DNS:*.google.pn, DNS:*.google.ps, DNS:*.google.pt, DNS:*.google.ro, DNS:*.google.rs, DNS:*.google.ru, DNS:*.google.rw, DNS:*.google.sc, DNS:*.google.se, DNS:*.google.sh, DNS:*.google.si, DNS:*.google.sk, DNS:*.google.sm, DNS:*.google.sn, DNS:*.google.so, DNS:*.google.sr, DNS:*.google.st, DNS:*.google.td, DNS:*.google.tg, DNS:*.google.tk, DNS:*.google.tl, DNS:*.google.tm, DNS:*.google.tn, DNS:*.google.to, DNS:*.google.tt, DNS:*.google.us, DNS:*.google.uz, DNS:*.google.vg, DNS:*.google.vu, DNS:*.google.ws, DNS:*.googleapis.cn, 
DNS:*.googlecommerce.com, DNS:*.googlevideo.com, DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.jp.doubleclick.net, DNS:*.metric.gstatic.com, DNS:*.uk.doubleclick.net, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:ad.mo.doubleclick.net, DNS:android.com, DNS:doubleclick.net, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.ac, DNS:google.ad, DNS:google.ae, DNS:google.af, DNS:google.ag, DNS:google.al, DNS:google.am, DNS:google.as, DNS:google.at, DNS:google.az, DNS:google.ba, DNS:google.be, DNS:google.bf, DNS:google.bg, DNS:google.bi, DNS:google.bj, DNS:google.bs, DNS:google.bt, DNS:google.by, DNS:google.ca, DNS:google.cat, DNS:google.cc, DNS:google.cd, DNS:google.cf, DNS:google.cg, DNS:google.ch, DNS:google.ci, DNS:google.cl, DNS:google.cm, DNS:google.cn, DNS:google.co.ao, DNS:google.co.bw, DNS:google.co.ck, DNS:google.co.cr, DNS:google.co.hu, DNS:google.co.id, DNS:google.co.il, DNS:google.co.im, DNS:google.co.in, DNS:google.co.je, DNS:google.co.jp, DNS:google.co.ke, DNS:google.co.kr, DNS:google.co.ls, DNS:google.co.ma, DNS:google.co.mz, DNS:google.co.nz, DNS:google.co.th, DNS:google.co.tz, DNS:google.co.ug, DNS:google.co.uk, DNS:google.co.uz, DNS:google.co.ve, DNS:google.co.vi, DNS:google.co.za, DNS:google.co.zm, DNS:google.co.zw, DNS:google.com.af, DNS:google.com.ag, DNS:google.com.ai, DNS:google.com.ar, DNS:google.com.au, DNS:google.com.bd, DNS:google.com.bh, DNS:google.com.bn, DNS:google.com.bo, DNS:google.com.br, DNS:google.com.by, DNS:google.com.bz, DNS:google.com.cn, DNS:google.com.co, DNS:google.com.cu, DNS:google.com.cy, DNS:google.com.do, DNS:google.com.ec, DNS:google.com.eg, DNS:google.com.et, DNS:google.com.fj, DNS:google.com.ge, DNS:google.com.gh, DNS:google.com.gi, DNS:google.com.gr, DNS:google.com.gt, DNS:google.com.hk, DNS:google.com.iq, DNS:google.com.jm, DNS:google.com.jo, DNS:google.com.kh, DNS:google.com.kw, DNS:google.com.lb, DNS:google.com.ly, 
DNS:google.com.mm, DNS:google.com.mt, DNS:google.com.mx, DNS:google.com.my, DNS:google.com.na, DNS:google.com.nf, DNS:google.com.ng, DNS:google.com.ni, DNS:google.com.np, DNS:google.com.nr, DNS:google.com.om, DNS:google.com.pa, DNS:google.com.pe, DNS:google.com.pg, DNS:google.com.ph, DNS:google.com.pk, DNS:google.com.pl, DNS:google.com.pr, DNS:google.com.py, DNS:google.com.qa, DNS:google.com.ru, DNS:google.com.sa, DNS:google.com.sb, DNS:google.com.sg, DNS:google.com.sl, DNS:google.com.sv, DNS:google.com.tj, DNS:google.com.tn, DNS:google.com.tr, DNS:google.com.tw, DNS:google.com.ua, DNS:google.com.uy, DNS:google.com.vc, DNS:google.com.ve, DNS:google.com.vn, DNS:google.cv, DNS:google.cz, DNS:google.de, DNS:google.dj, DNS:google.dk, DNS:google.dm, DNS:google.dz, DNS:google.ee, DNS:google.es, DNS:google.fi, DNS:google.fm, DNS:google.fr, DNS:google.ga, DNS:google.ge, DNS:google.gg, DNS:google.gl, DNS:google.gm, DNS:google.gp, DNS:google.gr, DNS:google.gy, DNS:google.hk, DNS:google.hn, DNS:google.hr, DNS:google.ht, DNS:google.hu, DNS:google.ie, DNS:google.im, DNS:google.info, DNS:google.iq, DNS:google.ir, DNS:google.is, DNS:google.it, DNS:google.it.ao, DNS:google.je, DNS:google.jo, DNS:google.jobs, DNS:google.jp, DNS:google.kg, DNS:google.ki, DNS:google.kz, DNS:google.la, DNS:google.li, DNS:google.lk, DNS:google.lt, DNS:google.lu, DNS:google.lv, DNS:google.md, DNS:google.me, DNS:google.mg, DNS:google.mk, DNS:google.ml, DNS:google.mn, DNS:google.ms, DNS:google.mu, DNS:google.mv, DNS:google.mw, DNS:google.ne, DNS:google.ne.jp, DNS:google.net, DNS:google.ng, DNS:google.nl, DNS:google.no, DNS:google.nr, DNS:google.nu, DNS:google.off.ai, DNS:google.pk, DNS:google.pl, DNS:google.pn, DNS:google.ps, DNS:google.pt, DNS:google.ro, DNS:google.rs, DNS:google.ru, DNS:google.rw, DNS:google.sc, DNS:google.se, DNS:google.sh, DNS:google.si, DNS:google.sk, DNS:google.sm, DNS:google.sn, DNS:google.so, DNS:google.sr, DNS:google.st, DNS:google.td, DNS:google.tg, DNS:google.tk, DNS:google.tl, 
DNS:google.tm, DNS:google.tn, DNS:google.to, DNS:google.tt, DNS:google.us, DNS:google.uz, DNS:google.vg, DNS:google.vu, DNS:google.ws, DNS:googlecommerce.com, DNS:gstatic.com, DNS:urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com Authority Information Access: CA Issuers - URI:http://pki.google.com/GIAG2.crt OCSP - URI:http://clients1.google.com/ocsp X509v3 Subject Key Identifier: 71:D7:BB:09:DE:42:EB:E5:E0:75:3D:49:64:97:E5:9A:8D:6E:C3:8E X509v3 Basic Constraints: critical CA:FALSE X509v3 Authority Key Identifier: keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.11129.2.5.1 X509v3 CRL Distribution Points: Full Name: URI:http://pki.google.com/GIAG2.crl Signature Algorithm: sha1WithRSAEncryption 8f:f3:ec:dd:ca:45:d2:20:12:40:cd:ce:72:10:42:b5:ac:4b: 8c:45:15:15:d7:9f:fb:01:e7:84:63:c6:41:b4:93:8b:79:ab: 51:56:b9:3f:07:74:5b:c7:38:ad:f0:ee:97:53:3b:f8:2d:bc: 94:23:ca:2e:1f:0c:5b:21:82:ae:b8:0f:55:43:1a:58:8f:4d: 25:0a:80:32:a6:c9:ff:3f:43:f5:1f:39:63:9f:a6:82:20:b4: 74:d4:e1:ef:e0:f9:92:c5:63:b6:e2:61:e4:e7:4e:c7:a3:dd: 44:1b:32:e0:06:7f:84:b6:45:20:57:6a:71:07:c2:54:b0:69: 9c:a2:f6:3f:5f:52:ca:9e:ba:77:b3:0b:4f:2a:b7:14:ca:c9: 7a:6c:f3:ce:2b:aa:c1:0d:ea:33:8f:e6:39:24:83:84:dc:3c: ac:f0:83:2e:98:9f:2f:54:de:c4:c5:b0:05:a3:e3:ca:a5:13: 9c:28:ba:6b:e9:ee:e0:10:41:4a:d7:78:cd:60:0f:79:0f:0a: e3:76:46:ce:7a:b4:84:1b:07:91:21:83:23:17:7a:77:e8:32: 3b:14:7c:3a:a8:fb:d6:c2:bf:18:4a:ad:d7:c1:d6:30:cd:67: b4:8f:7d:27:43:97:b8:12:9d:0b:7e:ae:de:27:83:fa:89:29: d9:be:e4:43
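
The two failure modes discussed in the answer above (an issuer missing from the client's trust store, and a hostname the certificate does not cover) can be told apart offline. This is an added example, not part of the original answer; the throwaway CA, the names example.test and exampleapis.test, and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and leaf certificate, no network access needed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root: the piece a client must already hold in its CA bundle.
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Leaf for example.test plus a wildcard, signed by the demo root.
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=example.test" -newkey rsa:2048 \
    -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:example.test,DNS:*.example.test\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/san.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Chain building: pass trust options such as -CAfile <bundle>; none = system defaults.
chain_status() {
  out=$(openssl verify "$@" "$WORK/leaf.pem" 2>&1 || true)
  case $out in
    *"unable to get local issuer certificate"*) echo "error 20: missing issuer" ;;
    *": OK"*) echo "chain ok" ;;
    *) echo "other failure" ;;
  esac
}

# Name binding: does the certificate cover the hostname the client asked for?
host_status() {
  if openssl x509 -in "$WORK/leaf.pem" -noout -checkhost "$1" | grep -q 'does match'
  then echo match; else echo mismatch; fi
}

make_pki
echo "no CA bundle:     $(chain_status)"
echo "with demo CA:     $(chain_status -CAfile "$WORK/ca.pem")"
echo "example.test:     $(host_status example.test)"
echo "exampleapis.test: $(host_status exampleapis.test)"
```

Supplying the right CA bundle only fixes the first check; a hostname outside the SAN list still fails the second one regardless of who signed the certificate.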


1) Save the contents of this ca-bundle file to your system, e.g. to: C:/ca-bundle.crt

2) Update the php.ini property openssl.cafile like so: openssl.cafile="C:/ca-bundle.crt"

3) Restart the server / done / should work now

More info here: verify


With Guzzle 6+, you need to set it in the client's request options array.

$response = $client->request('GET', 'https://example.com/v1/WebHooks', [
    'verify' => false,
    'headers' => ['Authorization' => "ApiKey $apiKey"],
]);


Instead of disabling verification entirely, this can be fixed by providing a proper CA bundle file. See verify in the Guzzle documentation.

On my system I was able to reuse a bundle that came with Git:

$client = new \GuzzleHttp\Client();
$client->setDefaultOption('verify', 'C:/Program Files (x86)/Git/bin/curl-ca-bundle.crt');


It may be that it is looking for your site's SSL certificate.

If that is the case, try disabling SSL certification:

$client->setDefaultOption('verify', false);


You can also try this in Guzzle 6+:

$client = new \GuzzleHttp\Client(array(
    'curl' => array(CURLOPT_SSL_VERIFYPEER => false),
    'verify' => false,
));


I use guzzle/guzzle 3.* and this code works for me:

$client = new Client(env('API_HOST'));
$client->setSslVerification(false);


This really helps me.

Follow this link: http://curl.haxx.se/ca/cacert.pem Copy the entire page and save it as "cacert.pem"

Then in your php.ini file insert or edit the

;;;;;;;;;;;;;;;;;;;;
; php.ini Options ;
;;;;;;;;;;;;;;;;;;;;
curl.cainfo = "[pathtothisfile]/cacert.pem"

Problem solved (not recommended in a production environment)