PHP cannot request my SSL websites
Hi friends, I have a PHP script running on my cPanel server (v98.0.8, CENTOS 7.9). My PHP script makes a nightly HTTPS request to a Windows server. The Windows server uses a LetsEncrypt certificate. All has run fine for years but just now, my PHP requests are failing with:
SplFileObject::__construct(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
I have hundreds of LetsEncrypt certs on my Windows server and I tried many of them, and they're all now failing in this way when PHP requests them. However, having PHP request another website like Google worked OK!
* on cPanel server, rebooted
* ran: sudo yum update (nothing)
* ran: sudo yum update ca-certificates (already updated)
* ran: EasyApache4 (Apache 2.4 and PHP 7.4)
* inspected php.ini (all default settings for curl, openssl)
Maybe PHP has its own built-in list of root CAs and I need to find them & update?
Here's my test code, and when I use curl() with CURLOPT_SSL_VERIFYHOST I get the same error behaviour:
Limited-Access
##$url = 'getMessage() );
}
?>
-
Hey there! I can't help with the PHP side of things, but does the SSL work outside of your script? Can you use "curl" outside of PHP or just visit the sites in a browser and they work as expected? 0 -
Thanks, cPRex!! I can confirm that just running curl on the command line repros the problem.

curl Google (works ok)
curl Limited-Access fails with:
curl: (60) Peer's Certificate issuer is not recognized. More details here: curl - SSL CA Certificates

I can see from this link (RHEL/CentOS 7 Fix for Let's Encrypt Change) that there's a known issue with CentOS v7 + OpenSSL 1.0.2k + LetsEncrypt. The link says they fixed it on Sept 24, which matches the timestamp of my ca-bundle in /etc/ssl/certs, but for me the problem started around that time, rather than was fixed.

I guess since it is all so new & the powers-that-be are pushing fixes out, I'll just wait a little while. I expect that this command will fix it once they finesse the ca-bundle:

sudo yum reinstall ca-certificates

0 -
Thanks for the additional details - that does sound like it's the root of the issue. If you need us to take a deeper look on our side, feel free to submit a ticket! 0
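Added example, not part of the original thread: a shell function for checking the diagnosis reached above, by listing which certificates in the server's CA bundle are already expired or will expire within a given window. It assumes the openssl command is installed and that the bundle is /etc/ssl/certs/ca-bundle.crt (the directory named in the thread); the function name bundle_expiring is made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). bundle_expiring is a hypothetical helper.
#
# bundle_expiring BUNDLE [SECONDS]
#   Prints one line ("notAfter=... subject=...") for every certificate in the
#   PEM file BUNDLE that will be expired SECONDS from now.
#   SECONDS defaults to 0, which lists certificates that are expired already.
#   Returns 2 if the bundle cannot be read.
#
# Assumed usage on the CentOS 7 server from the thread:
#   bundle_expiring /etc/ssl/certs/ca-bundle.crt
#   bundle_expiring /etc/ssl/certs/ca-bundle.crt 2592000   # next 30 days
bundle_expiring() {
    bundle=$1
    window=${2:-0}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate, ignoring any text
    # (comments, labels) that sits between the PEM blocks.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%05d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || continue
        # Skip blocks that do not parse, so they are not reported as expired.
        openssl x509 -in "$pem" -noout 2>/dev/null || continue
        # -checkend exits non-zero when notAfter falls inside the window.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            openssl x509 -in "$pem" -noout -enddate -subject | tr '\n' ' '
            echo
        fi
    done
    rm -rf "$tmpdir"
}
```

An expired root that is still listed after `yum reinstall ca-certificates` means the bundle on disk is not the updated one, which is worth confirming before changing anything in PHP or curl.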