SSL certificate verification on PHP 5.6
I recently updated my local OS X Zend Server installation to PHP 5.6 and when I ran composer self-update, I got this error message:
[Composer\Downloader\TransportException] The "https://getcomposer.org/version" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Failed to enable crypto failed to open stream: operation failed
Googling around, I finally worked out that there have been various SSL improvements in PHP 5.6 and that the problem was that it couldn’t find any OpenSSL certificates on my system. This isn’t a total surprise as OS X has been moving away from using OpenSSL internally in favour of its own libraries.
There’s a new PHP function openssl_get_cert_locations that helps with this and so I ran:
$ php -r "print_r(openssl_get_cert_locations());"
on the command line to find out where PHP was looking. On my system, I got this:
Array
(
[default_cert_file] => /usr/local/openssl-0.9.8zb/ssl/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /usr/local/openssl-0.9.8zb/ssl/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /usr/local/openssl-0.9.8zb/ssl/private
[default_default_cert_area] => /usr/local/openssl-0.9.8zb/ssl
[ini_cafile] =>
[ini_capath] =>
)
There is no directory /usr/local/openssl-0.9.8zb on my system and SSL_CERT_FILE and SSL_CERT_DIR are not defined, so it’s no surprise that PHP was struggling.
To fix it, I install openssl via homebrew:
brew install openssl
This installs the openssl certificates to /usr/local/etc/openssl/cert.pem, so we can now use the new PHP 5.6 INI setting openssl.cafile to tell PHP where to find the certificates:
Adding
openssl.cafile=/usr/local/etc/openssl/cert.pem
to Zend Server’s php.ini solved the problem and I can now use composer once again!
Must say that it works fine here using PHP 5.6 (via MAMP PRO 3.0.7.2) on OS X 10.10.
Here some console output:
$ composer self-update Updating to version 095dc6129550de93cd98170c8e6c6ccd4558e983. Downloading: 100% Use composer self-update --rollback to return to version d249d0c1218a06a9380a97edee3b7a6b9e42d714$ php -v PHP 5.6.2 (cli) (built: Oct 20 2014 16:21:27) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.6.0, Copyright (c) 1998-2014 Zend Technologies$ php -r "print_r(openssl_get_cert_locations());" Array ( [default_cert_file] => /System/Library/OpenSSL/cert.pem [default_cert_file_env] => SSL_CERT_FILE [default_cert_dir] => /System/Library/OpenSSL/certs [default_cert_dir_env] => SSL_CERT_DIR [default_private_dir] => /System/Library/OpenSSL/private [default_default_cert_area] => /System/Library/OpenSSL [ini_cafile] => [ini_capath] => )What happens if you change those paths to the ones I've got?
Thanks Rob, i had the same problems using when using XAMPP and this fixed it perfectly.
I also had this issue (XAMPP 5.6.3 on OSX 10.10.1) except I got these directories instead:
$ php -r "print_r(openssl_get_cert_locations());" Array ( [default_cert_file] => /Applications/XAMPP/xamppfiles/share/openssl/cert.pem [default_cert_file_env] => SSL_CERT_FILE [default_cert_dir] => /Applications/XAMPP/xamppfiles/share/openssl/certs [default_cert_dir_env] => SSL_CERT_DIR [default_private_dir] => /Applications/XAMPP/xamppfiles/share/openssl/private [default_default_cert_area] => /Applications/XAMPP/xamppfiles/share/openssl [ini_cafile] => [ini_capath] => )Although the directory was there, the "cert.pem" file didn't exist so I downloaded http://curl.haxx.se/ca/cacert.pem and saved it as "cert.pem" in the directory. Tried "composer install" again and no more ssl issues! :D