SSL Error at Composer Install - ssl

While installing Composer to XAMPP, I got some errors. My system OS was Windows 7, how can I solve this and install Composer?
Download failed: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
file_get_contents(): Failed to enable crypto
file_get_contents(https://getcomposer.org/composer.phar.sig): failed to open stream: operation failed
Download failed: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
file_get_contents(): Failed to enable crypto
file_get_contents(https://getcomposer.org/composer.phar.sig): failed to open stream: operation failed

Make sure you configured the path to the ca certificates in php.ini:
curl.cainfo=/full/path/to/ssl/certs/ca-bundle.crt
openssl.cafile=/full/path/to/ssl/certs/ca-bundle.crt
In case you don't have a ca certificate bundle download it:
https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
To install Composer (without using cURL):
php -r "readfile('https://getcomposer.org/installer');" | php
Or, to install Composer (with cURL):
curl -sS https://getcomposer.org/installer | php
(If that doesn't work out, simple download the Composer PHAR via your browser.
https://getcomposer.org/composer.phar
But, you will run into the issue again, when fetching packages, until you fix the certificate issue.)

That's exactly the same issue I'm facing. While installing the Composer Installer on my Windows 7 machine I'm getting the below error:
The "https://getcomposer.org/versions" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Tried this:
$ curl -sS https://getcomposer.org/installer | php
stdin is not a tty
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
And this:
$ ping getcomposer.org
Pinging getcomposer.org [87.98.253.108] with 32 bytes of data:
Reply from 87.98.253.108: bytes=32 time=137ms TTL=47
Reply from 87.98.253.108: bytes=32 time=127ms TTL=47
Reply from 87.98.253.108: bytes=32 time=127ms TTL=47
Reply from 87.98.253.108: bytes=32 time=127ms TTL=47
Ping statistics for 87.98.253.108:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 127ms, Maximum = 137ms, Average = 129ms
My PHP version is:
$ php -v
PHP 5.5.37 (cli) (built: Jun 22 2016 16:14:46)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies
I've enabled the following list in my php.ini:
extension=php_curl.dll
extension=php_openssl.dll
curl.cainfo="C:/xampp/php/extras/certs/cacert.pem"
openssl.cafile="C:/xampp/php/extras/certs/cacert.pem"
Where I've downloaded the cacert.pem from https://curl.haxx.se/ca/cacert.pem
I was missing to add the proxy settings while installation, when added it worked like charm! :)
http://username:password#your_proxy:your_port

I was having the same issue while changing php version on my Windows. Hope this could help someone.
php.ini didn't have right extensions and I just had to uncomment:
extension_dir = "ext"
extension=openssl

Check the php.ini of your php for me Im using ampps on mac and just changed it to:
curl.cainfo =/Applications/AMPPS/ca-bundle.crt
openssl.cafile =/Applications/AMPPS/ca-bundle.crt
After Updating php.ini, you need to restart your apache
You may download the ca-bundle.cer here https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt and rename as ca-bundle.crt.
check attached for your reference before and after updating php.ini

Related

Wget fails with certificate error

As part of an automated build, we run download some code from github. Minimal example:
wget github.com
Recently, the command started failing with a certificate error:
URL transformed to HTTPS due to an HSTS policy
--2017-10-05 11:43:45-- https://github.com/
Resolving github.com (github.com)... 192.30.253.112, 192.30.253.113
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
Unable to locally verify the issuer's authority.
I tried updating the certificate store, and wget itself:
update-ca-certificates
apt-get install wget
The error is still the same.
My wget version is GNU Wget 1.17.1, and the OS is Ubuntu 16.04.3.
You can avoid checking the validity of the certificate adding the --no-check-certificate option on the wget command-line.
The answer turned out to lie somewhere in packet configuration. Unfortunately, I am unable to tell exactly why. The suspicion is some mono version installed from a ppa was messing with our cert store.

Chef ssl validation failure

I have one chef-server version 12.0.1 and can connect linux (rhel/centos) systems to the chef-server with knife bootstrap but cannot with windows and locally on my rhel client knife ssl check fails.
I have two problems but I think they are both related.
Problem 1 - knife ssl check fails:
Connecting to host chef-server:443
ERROR: The SSL certificate of chef-server could not be verified
Problem 2 - bootstrap windows server fails:
ERROR: SSL Validation failure connecting to host: chef-server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Chef encountered an error attempting to create the client "desktop"
I have tried a number of things:
1) knife ssl fetch - no changes
2) I have a signed digicert crt on the server which is accepted by the management-console and chrome web browser
3) I have changed set this in the chef-server.rb
nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/hostname.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/hostname.key"
which go to the signed certs.
Anything else I should be trying or am I being a plank?
Try running these commands on your Chef server:
mkdir /root/.chef/trusted_certs
cp /var/opt/chef-server/nginx/ca/YOUR_SERVER'S_HOSTNAME.crt /root/.chef/trusted_certs/
I was having the same problem and it was fixed after I looked through this article, and tried out the steps it gave: http://jtimberman.housepub.org/blog/2014/12/11/chef-12-fix-untrusted-self-sign-certs/
I was having the same issue using a valid wildcard certificate, although it was linux rather than windows. Looks like the issue is that the chef client uses openssl and didn't have the CA and root certificates. I was getting errors when I ran the following from the chef client server:
openssl s_client -connect chef_server_url*:443 -showcerts
I solved my issue by browsing to the chef server, inspecting the certs and exporting each cert in the chain to a single file, ordered with the issued certificate at the top, and the root at the bottom. I then used this bundled-cert as the certificate file in the chef server config file and reconfigured chef.

Does buildout/easy_install/setup_tools verify SSL certificates?

I'm trying to diagnose this error:
Getting distribution for 'zc.buildout<2dev'.
Got zc.buildout 1.7.1.
Generated script '/opt/mytardis/releases/a549cd05272afe8f16c2fe5efe8158490acbde82/bin/buildout'.
Download error on http://pypi.python.org/simple/buildout-versions/: [Errno 104] Connection reset by peer -- Some packages may not be found!
Couldn't find index page for 'buildout-versions' (maybe misspelled?)
Download error on http://pypi.python.org/simple/: [Errno 104] Connection reset by peer -- Some packages may not be found!
Getting distribution for 'buildout-versions'.
STDERR: /usr/lib64/python2.6/distutils/dist.py:266: UserWarning: Unknown distribution option: 'src_root'
warnings.warn(msg)
While:
Installing.
Loading extensions.
Getting distribution for 'buildout-versions'.
Error: Couldn't find a distribution for 'buildout-versions'.
It happens deep inside a Chef + buildout installation stack. One thing I have discovered is that if I attempt to access the buildout-versions package directly:
$ wget https://pypi.python.org/packages/source/b/buildout-versions/buildout-versions-1.7.tar.gz#md5=731ecc0c9029f45826fa9f31d44e311d
--2013-07-09 12:50:18-- https://pypi.python.org/packages/source/b/buildout-versions/buildout-versions-1.7.tar.gz
Resolving proxy.redacted.com... 123.45.67.8
Connecting to proxy.redacted.com|123.45.67.8|:8080... connected.
ERROR: certificate common name “*.a.ssl.fastly.net” doesn’t match requested host name “pypi.python.org”.
To connect to pypi.python.org insecurely, use ‘--no-check-certificate’.
I can access the file fine from my desktop. So I suspect the proxy (provided by a university, and this server has to use it to reach the web). It's set with https_proxy=....
Is this the likely cause of buildout failing? Any way around it?
Your version of wget is too old.
wget started to support SNI (Server Name Indication) only since version 1.14 and that TLS extension is needed to be presented the correct certificate on pypi.python.org.
Yes, zc.buildout and easy_install both use urllib2 to retrieve HTTPS resources, which does not verify SSL certificates:
Warning: HTTPS requests do not do any verification of the server’s certificate.
Your wget tool does verify certificates, but your local certificate authorities certificates are incomplete, it seems; see SSL certificate rejected trying to access GitHub over HTTPS behind firewall for instructions on how to update those.
As for your original error, it appears your firewall proxy is doing the peer resets.
As per PEP 476, Python 2.7.9 remedies this situation. From that version onwards, urllib2 will verify SSL certificates by default.
Since Python 2.7.9 (released) / 3.4.3 (released soon), certificates are validated by default:
HTTPS certificate validation using the system's certificate store is
now enabled by default. See PEP 476 for details.
https://www.python.org/downloads/release/python-279/
you can try it:
wget http://pypi.python.org/packages/2.7/s/setuptools/setuptools-0.6c11-py2.7.egg#md5=fe1f997bc722265116870bc7919059ea --no-check-certificate

Getting error in Curl - Peer certificate cannot be authenticated with known CA certificates

I am getting the below error while making ssl connection with self signed certificate.
"Peer certificate cannot be authenticated with known CA certificates"
It is working fine with CA signed certificate.
I am setting the below using curl_easy_setopt().
curl_easy_setopt(MyContext, CURLOPT_CAPATH, CA_CERTIFICATE_PATH)
curl_easy_setopt(MyContext, CURLOPT_SSL_VERIFYPEER,TRUE);
The curl version:
libcurl-7.19.7-26
Openssl version is:
0_9_8u
Please let me know how to solve this issue.
By default CURL will generally verify the SSL certificate to see if its valid and issued by an accepted CA. To do this, curl uses a bundled set of CA certificates.
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. Here's an example:
curl --noproxy -k \* -D - https://127.0.0.1:443/some-secure-endpoint
Security issue: This answer disables a security feature. Do not use this in production!
For php it is possible to switch off curl's verification of the certificate (see warning below) e.g. for curl_exec
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
http://php.net/manual/en/function.curl-setopt.php
(evaluate the security risk yourself, in my case it was on a partner company's server and the file required contained no secure information - just happened to be on a secure server)
We fixed a similar issue on CentOS 6 by updating curl to the latest version available in the standard repositories and installing the newest ca-certificates bundle:
yum update curl
yum install ca-certificates
libcurl performs peer SSL certificate verification by default. This is done
by using CA cert bundle that the SSL library can use to make sure the peer's
server certificate is valid.
If you communicate with HTTPS or FTPS servers using certificates that are
signed by CAs present in the bundle, you can be sure that the remote server
really is the one it claims to be.
Until 7.18.0, curl bundled a severely outdated ca bundle file that was
installed by default. These days, the curl archives include no ca certs at
all. You need to get them elsewhere. See below for example.
For more to know about Peer SSL Certificate Verification visit http://curl.haxx.se/docs/sslcerts.html
Though this error happened in the case of using git clone rather than with using curl, I've recently stumbled across an identical error message:
Peer certificate cannot be authenticated with known CA certificates
Similar to Arth's findings, something that worked for CentOS 6 (in order to successfully use HTTPS URLs with git clone for related GitLab repositories) involved updating the trusted certificates on the server (i.e., the server that is using HTTPS), using the following steps:
sudo yum install ca-certificates
sudo update-ca-trust enable
sudo cp /path/to/your_new_cert.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
Perhaps the same certificate steps can be applied for the case of curl (or other similar scenarios) for users on CentOS in the future.
Security issue: This answer disables a security feature. Do not use this in production!
In 'C'
curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, 0);
worked for me
As we checked and observed/ Found in Centos 8 .
Due to Proxy issue your packages not allowing you to get accessible to update or download any packages.
try to add sslverify=0 in file /etc/dnf/dnf.conf
Its worked for me.
Also make sure you must have proper internet acess on your server.

RVM won't install on Ubuntu 11.10

I'm running Ubuntu 11.10 and I'm trying to install RVM.
I enter "bash < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)" and then press enter, and nothing happens. It pauses for a second and then returns to the command prompt.
RVM doesn't install. I run rmv-v and get The program 'rvm' is currently not installed.
No errors.
Any thoughts?
Thanks.
Jason
UPDATE: I removed the -s option from curl and now I see some messages. Specifically:
0curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
UPDATE 2: I reinstalled Git, and now when I run curl-config --ca, I get:
curl-config --ca
/etc/ssl/certs/ca-certificates.crt
I downloaded the cacert.pem file from curl.haxx.se and created a new ca-certificates.crt file with it.
However, I'm still getting:
0curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Not sure what else to try other than disabling the checking, which I'd rather not do.
The SSL certificate on https://rvm.io expired. Looks like RVM migrated to a new domain. See: https://github.com/wayneeseguin/rvm/issues/889