Geek Answers Handbook

Failed to connect to SSL-encrypted web service using PHP

I received two certificate files from the provider, one in .cer format and one in .p7b format. Then I converted the p7b certificate to a p12 certificate. With this certificate, I can connect to wsdl from my browser. Then I started to convert this certificate to .pem-format, using some instructions that I found on this site.

openssl pkcs12 -clcerts -nokeys -out test.pem -in mycert.p12 openssl pkcs12 -nocerts -out key.pem -in mycert.p12

then combing cert with the key using the following command:

 cat test.pem key.pem > cert.pem

Here is my design for the web service class:

 public function __construct() { $wsdl_url = 'https://url.to/web_service?wsdl'; $pass = 'passphrase'; $cert = 'cert.pem'; try { $this->client = new SoapClient($wsdl_url, array('local_cert' => $cert, 'passphrase' => $pass)); } catch(SoapFault $e) { print_r($e); } }

And here is the error:

 SSL operation failed with code 1. OpenSSL Error messages: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca in /var/www/html/..

Attempting to verify a certificate with:

 openssl verify cert.pem

gives the following error:

 error 20 at 0 depth lookup:unable to get local issuer certificate

I also tried creating a .pem certificate using the following openssl command:

 openssl pkcs12 -in mycert.p12 -out mycert.pem

Checking this gives me OK, but PHP gives me the following error:

 Unable to set local cert chain file `mycert.pem'; Check that your cafile/capath settings include details of your certificate and its issuer

I suppose it should be possible to make it work somehow, since I can access wsdl through my browser using a .p12 certificate. But I can’t find a solution on how I should act. Thanks in advance.

+4
source share
2 answers

I think you have a few problems here. Firstly, I don’t think that your parameters for the local certificate are used by the constructor for the SoapClient object. The parameter array does not support SSL configuration parameters. Secondly, given that the parameters that you supply SoapClient are not used. Open SSL complains about the certificate on the remote host, which is a certified certificate.

I think it should be possible to get around this, but without playing with the code, I cannot be sure of all the options. I think you need to create your own stream context using stream_context_create () to set the SSL parameters you need (see http://ca.php.net/stream_context_create and context parameters for SSL). You can then pass this to the SoapClient object as the stream_context parameter in the config array. Using stream_context, you can set the various SSL parameters that you need, and they override the default values.

Sorry, I cannot clarify the parameters you need to set. Hope playing around the flow context will solve your problem.

0
source

I think that he cannot find the root certificate that issued the certificate that was provided to you.

Certificates are usually signed and issued by the subscription authority, and your client must know the public key of the authorization body. If your certificate is a self-signed certificate, it does not matter.

Check openssl x509 -text -noout -in key.pem

Check the release and find the Issuer. If the issuer does not match the CN certificate, you need a root certificate from the certification authority that provided your certificate.

You can usually use this browser to open your wsdl address and check the certificate chain and export the root certificate from the hierarchy tab.

If you save it in your situation, I'm not sure, but there will be some indication of a trust store of some kind.

0
source

More articles:


All Articles