今天一个同事反映,使用curl发起https请求的时候报错:“SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed”
很明显,验证证书的时候出现了问题。
使用curl如果想发起的https请求正常的话有2种做法:
方法一、设定为不验证证书和host。
在执行curl_exec()之前。设置option
$ch = curl_init();
......
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
方法二、设定一个正确的证书。
本地ssl判别证书太旧,导致链接报错ssl证书不正确。
我们需要下载新的ssl 本地判别文件
<a href="http://curl.haxx.se/ca/cacert.pem">http://curl.haxx.se/ca/cacert.pem</a>
放到 程序文件目录
curl 增加下面的配置
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true); ;
curl_setopt($ch,CURLOPT_CAINFO,dirname(__FILE__).'/cacert.pem');
大功告成
(本人验证未通过。。。报错信息为:SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)
为了防止某天该文章被Q今复制过来。内容如下:
If you simply try to access a HTTPS (SSL or TLS-protected resource) in PHP using cURL, you’re likely to run into some difficulty. Say you have the following code: (Error handling omitted for brevity)
If <code>$url</code> points toward an HTTPS resource, you’re likely to encounter an error like the one below:
There are two ways to solve this problem. Firstly, we can simply configure cURL to accept any server(peer) certificate. This isn’t optimal from a security point of view, but if you’re not passing sensitive information back and forth, this is probably alright. Simply add the following line before calling <code>curl_exec()</code>:
This basically causes cURL to blindly accept any server certificate, without doing any verification as to which CA signed it, and whether or not that CA is trusted. If you’re at all concerned about the data you’re passing to or receiving from the server, you’ll want to enable this peer verification properly. Doing so is a bit more complicated.
First, you’ll need to visit the URL with your web browser in order to grab the CA certificate. Then, (in Firefox) open up the security details for the site by double-clicking on the padlock icon in the lower right corner:
Then click on “View Certificate”:
Bring up the “Details” tab of the cerficates page, and select the certificate at the top of the hierarchy. This is the CA certificate.
Then click “Export”, and save the CA certificate to your selected location, making sure to select the X.509 Certificate (PEM) as the save type/format.
Now we need to modify the cURL setup to use this CA certificate, with <code>CURLOPT_CAINFO</code> set to point to where we saved the CA certificate file to.
The other option I’ve included, <code>CURLOPT_SSL_VERIFYHOST</code> can be set to the following integer values:
0: Don’t check the common name (CN) attribute
1: Check that the common name attribute at least exists
2: Check that the common name exists and that it matches the host name of the server
![Centos 7 Apache配置虚拟主机[图]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)