http 使用curl发起https请求 error 60 51

转载 2016年08月29日 16:24:52

curl_setopt换成 curl_easy_setopt  cacert.pem路径换成字符串 CURLOPT_SSL_VERIFYHOST 解决error 51 大概7.28版本后要设置2,不是true


今天一个同事反映,使用curl发起https请求的时候报错:“SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed”

很明显,验证证书的时候出现了问题。

使用curl如果想发起的https请求正常的话有2种做法:

方法一、设定为不验证证书和host。

在执行curl_exec()之前。设置option

$ch = curl_init();

......

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);

 

方法二、设定一个正确的证书。

本地ssl判别证书太旧,导致链接报错ssl证书不正确。

我们需要下载新的ssl 本地判别文件

http://curl.haxx.se/ca/cacert.pem

放到 程序文件目录

curl 增加下面的配置

   curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true); ;
   curl_setopt($ch,CURLOPT_CAINFO,dirname(__FILE__).'/cacert.pem');

大功告成

(本人验证未通过。。。报错信息为:SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)

如果对此感兴趣的话可以参看国外一大神文章。http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/

为了防止某天该文章被Q今复制过来。内容如下:

Using cURL in PHP to access HTTPS (SSL/TLS) protected sites

From PHP, you can access the useful cURL Library (libcurl) to make requests to URLs using a variety of protocols such as HTTP, FTP, LDAP and even Gopher. (If you’ve spent time on the *nix command line, most environments also have the curl command available that uses the libcurl library)

In practice, however, the most commonly-used protocol tends to be HTTP, especially when usingPHP for server-to-server communication. Typically this involves accessing another web server as part of a web service call, using some method such as XML-RPC or REST to query a resource. For example, Delicious offers HTTP-based API to manipulate and read a user’s posts. However, when trying to access a HTTPS resource (such as the delicious API), there’s a little more configuration you have to do before you can get cURL working right in PHP.

 

The problem

If you simply try to access a HTTPS (SSL or TLS-protected resource) in PHP using cURL, you’re likely to run into some difficulty. Say you have the following code: (Error handling omitted for brevity)

// Initialize session and set URL. 
$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); 
// Set so curl_exec returns the result instead of outputting it. 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); 
// Get the response and close the channel. 
$response = curl_exec($ch); 
curl_close($ch);

If $url points toward an HTTPS resource, you’re likely to encounter an error like the one below:

Failed: Error Number: 60. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The problem is that cURL has not been configured to trust the server’s HTTPS certificate. The concepts of certificates and PKI revolves around the trust of Certificate Authorities (CAs), and by default, cURL is setup to not trust any CAs, thus it won’t trust any web server’s certificate. So why don’t you have problems visiting HTTPs sites through your web browser? As it happens, the browser developers were nice enough to include a list of default CAs to trust, covering most situations, so as long as the website operator purchased a certificate from one of these CAs.

The quick fix

There are two ways to solve this problem. Firstly, we can simply configure cURL to accept any server(peer) certificate. This isn’t optimal from a security point of view, but if you’re not passing sensitive information back and forth, this is probably alright. Simply add the following line before calling curl_exec():

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

This basically causes cURL to blindly accept any server certificate, without doing any verification as to which CA signed it, and whether or not that CA is trusted. If you’re at all concerned about the data you’re passing to or receiving from the server, you’ll want to enable this peer verification properly. Doing so is a bit more complicated.

The proper fix

The proper fix involves setting the CURLOPT_CAINFO parameter. This is used to point towards a CA certificate that cURL should trust. Thus, any server/peer certificates issued by this CA will also be trusted. In order to do this, we first need to get the CA certificate. In this example, I’ll be using the https://api.del.icio.us/ server as a reference.

First, you’ll need to visit the URL with your web browser in order to grab the CA certificate. Then, (in Firefox) open up the security details for the site by double-clicking on the padlock icon in the lower right corner:

Then click on “View Certificate”:

Bring up the “Details” tab of the cerficates page, and select the certificate at the top of the hierarchy. This is the CA certificate.

Then click “Export”, and save the CA certificate to your selected location, making sure to select the X.509 Certificate (PEM) as the save type/format.

Now we need to modify the cURL setup to use this CA certificate, with CURLOPT_CAINFO set to point to where we saved the CA certificate file to.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); 
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); 
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/BuiltinObjectToken-EquifaxSecureCA.crt");

The other option I’ve included, CURLOPT_SSL_VERIFYHOST can be set to the following integer values:

  • 0: Don’t check the common name (CN) attribute
  • 1: Check that the common name attribute at least exists
  • 2: Check that the common name exists and that it matches the host name of the server

If you have CURLOPT_SSL_VERIFYPEER set to false, then from a security perspective, it doesn’t really matter what you’ve set CURLOPT_SSL_VERIFYHOST to, since without peer certificate verification, the server could use any certificate, including a self-signed one that was guaranteed to have a CN that matched the server’s host name. So this setting is really only relevant if you’ve enabled certificate verification.

This ensures that not just any server certificate will be trusted by your cURL session. For example, if an attacker were to somehow redirect traffic from api.delicious.com to their own server, the cURL session here would not properly initialize, since the attacker would not have access to a server certificate (i.e. would not have the private key) trusted by the CA we added. These steps effectively export the trusted CA from the web browser to the cURL configuration.

More information

If you have the CA certificate, but it is not in the PEM format (i.e. it is in a binary or DER format that isn’t Base64-encoded), you’ll need to use something like OpenSSL to convert it to the PEM format. The exact command differs depending on whether you’re converting from PKCS12 or DER format.

There is a CURLOPT_CAPATH option that allows you to specify a directory that holds multiple CA certificates to trust. But it’s not as simple as dumping every single CA certificate in this directory. Instead, they CA certificates must be named properly, and the OpenSSL c_rehash utility can be used to properly setup this directory for use by cURL.

curl: (60) SSL certificate problem: unable to get local issuer certificate 错误

今天同事做微信分享时,碰到如下 SSL certificate problem: unable to get local issuer certificate。 的错误信息。 此问题的出现是由于...
  • sanbingyutuoniao123
  • sanbingyutuoniao123
  • 2017年05月03日 16:35
  • 6804

cURL error 60: SSL certificate problem...

php在curl的时候报此错误:cURL error 60: SSL certificate problem: unable to get local issuer certificate (see ...
  • buer2202
  • buer2202
  • 2017年07月19日 12:30
  • 1042

OSX安装meteor时候CURL报SSL证书无效,curl: (60) SSL certificate problem: Invalid certificate chain

按照meteor官方说明安装的时候,在OSX下报出以下证书无效错误: curl  https://install.meteor.com/ | sh   % Total    % R...
  • MarkBoo
  • MarkBoo
  • 2016年05月23日 13:25
  • 3067

支付宝 微信支付 curl: (60) SSL certificate problem: unable to get local issuer certificate 错误

curl: (60) SSL certificate problem: unable to get local issuer certificate 错误   今天同事做微信管理的项目,请求接口返回...
  • zhangfeng1133
  • zhangfeng1133
  • 2017年06月30日 14:32
  • 1554

curl error code 60 51 代码解决方式

curl error code 60  命令行加选项-k就可以 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, false);  curl er...
  • xp5xp6
  • xp5xp6
  • 2016年08月29日 10:44
  • 1177

curl返回常见错误码

http://www.cnblogs.com/wainiwann/p/3492939.html  CURLE_OK(0)   所有罚款。继续像往常一样。   CURLE_UNSUPPORTED_PR...
  • kenkao
  • kenkao
  • 2015年07月14日 11:40
  • 17048

解决使用CURL出现code ERROR 60错误的问题

今天用CURL调用和风天气的API,(本来想用file_get_cntent()的,但是听说curl好用..就去试试了,也可以写爬虫什么的,确实好用) CURL, 在调用下面这段代码的时候,显示cod...
  • mazicwong
  • mazicwong
  • 2017年02月09日 14:45
  • 4448

微信支付:curl出错,错误码:60

最近一个微信项目用到微信支付系统,在微信官方下载了一个官方的demo。运行后竟然报错。 Fatal error: Uncaught exception ‘WxPayException‘ with...
  • qq_34755805
  • qq_34755805
  • 2016年04月22日 17:28
  • 9106

curl命令详解

linux curl是一个利用URL规则在命令行下工作的文件传输工具。它支持文件的上传和下载,所以是综合传输工具,但按传统,习惯称url为下载工具。...
  • foxman209
  • foxman209
  • 2011年03月25日 16:03
  • 289168

php curl常见错误:SSL错误、bool(false)

症状:php curl调用https出错 排查方法:在命令行中使用curl调用试试。 原因:服务器所在机房无法验证SSL证书。 解决办法:跳过SSL证书检查。 curl_setopt($ch,...
  • u012600104
  • u012600104
  • 2016年10月31日 13:30
  • 1221
内容举报
返回顶部
收藏助手
不良信息举报
您举报文章:http 使用curl发起https请求 error 60 51
举报原因:
原因补充:

(最多只允许输入30个字)