SSL certificate verification on PHP 5.6
I recently updated my local OS X Zend Server installation to PHP 5.6 and when I ran composer self-update, I got this error message:
[Composer\Downloader\TransportException] The "https://getcomposer.org/version" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Failed to enable crypto failed to open stream: operation failed
Googling around, I finally worked out that there have been various SSL improvements in PHP 5.6 and that the problem was that it couldn’t find any OpenSSL certificates on my system. This isn’t a total surprise as OS X has been moving away from using OpenSSL internally in favour of its own libraries.
There’s a new PHP function openssl_get_cert_locations that helps with this and so I ran:
$ php -r "print_r(openssl_get_cert_locations());"
on the command line to find out where PHP was looking. On my system, I got this:
Array ( [default_cert_file] => /usr/local/openssl-0.9.8zb/ssl/cert.pem [default_cert_file_env] => SSL_CERT_FILE [default_cert_dir] => /usr/local/openssl-0.9.8zb/ssl/certs [default_cert_dir_env] => SSL_CERT_DIR [default_private_dir] => /usr/local/openssl-0.9.8zb/ssl/private [default_default_cert_area] => /usr/local/openssl-0.9.8zb/ssl [ini_cafile] => [ini_capath] => )
There is no directory /usr/local/openssl-0.9.8zb on my system and SSL_CERT_FILE and SSL_CERT_DIR are not defined, so it’s no surprise that PHP was struggling.
To fix it, I install openssl via homebrew:
brew install openssl
This installs the openssl certificates to /usr/local/etc/openssl/cert.pem, so we can now use the new PHP 5.6 INI setting openssl.cafile to tell PHP where to find the certificates:
to Zend Server’s php.ini solved the problem and I can now use composer once again!