New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed #3346

Closed
haxwell opened this Issue Oct 11, 2014 · 42 comments

Comments

Projects
None yet
@haxwell

haxwell commented Oct 11, 2014

I installed composer using the instruction at: https://getcomposer.org/doc/00-intro.md.

  1. I executed command "curl -sS https://getcomposer.org/installer | php"
  2. copied the .phar to /usr/local/bin/composer
  3. created my composer.json file in the project directory
  4. executed 'composer install' from the directory containing composer.json

I get the following error:

  [Composer\Downloader\TransportException]                                                                                           
  The "https://packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:  
  error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed                                                  
  Failed to enable crypto                                                                                                            
  failed to open stream: operation failed  

This is very similar to issue #2798 but that issue seemed to have to do with missing certificates, and I don't know OpenSSL well enough to know which certificates to put where (or even if that is the problem).

I can, however, get "https://packagist.org/packages.json" using cURL, so I'm at a loss.

I'm willing to research and RTFA, if someone could tell me TFA to R. Thanks...

@aikar

This comment has been minimized.

Show comment
Hide comment
@aikar

aikar Oct 13, 2014

I am also receiving this with:

Ubuntu Server 14.0.4.1
PHP 5.5.9-1ubuntu4.4 (cli) (built: Sep 4 2014 06:56:34)
OpenSSL Library Version => OpenSSL 1.0.1f 6 Jan 2014

Straight from the official repos.
Installing composer should not require me changing my system SSL configuration as suggested in the previous bug.... so please resolve this.

aikar commented Oct 13, 2014

I am also receiving this with:

Ubuntu Server 14.0.4.1
PHP 5.5.9-1ubuntu4.4 (cli) (built: Sep 4 2014 06:56:34)
OpenSSL Library Version => OpenSSL 1.0.1f 6 Jan 2014

Straight from the official repos.
Installing composer should not require me changing my system SSL configuration as suggested in the previous bug.... so please resolve this.

@apinnecke

This comment has been minimized.

Show comment
Hide comment
@apinnecke

apinnecke Oct 23, 2014

Same issue on following System:

Server: ContOS 6.5

php -v

PHP 5.5.8 (cli) (built: Jan 14 2014 12:14:02)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend OPcache v7.0.3-dev, Copyright (c) 1999-2013, by Zend Technologies

openssl version:

OpenSSL 1.0.1e-fips 11 Feb 2013

Error message:

Download failed: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
file_get_contents(): Failed to enable crypto
file_get_contents(https://getcomposer.org/composer.phar): failed to open stream: operation failed

apinnecke commented Oct 23, 2014

Same issue on following System:

Server: ContOS 6.5

php -v

PHP 5.5.8 (cli) (built: Jan 14 2014 12:14:02)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend OPcache v7.0.3-dev, Copyright (c) 1999-2013, by Zend Technologies

openssl version:

OpenSSL 1.0.1e-fips 11 Feb 2013

Error message:

Download failed: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
file_get_contents(): Failed to enable crypto
file_get_contents(https://getcomposer.org/composer.phar): failed to open stream: operation failed
@mikl0s

This comment has been minimized.

Show comment
Hide comment
@mikl0s

mikl0s Oct 23, 2014

Same on FreeBSD 9.X and 10.X

php -v

$ php -v
PHP 5.6.2 (cli) (built: Oct 23 2014 12:59:40)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2014 Zend Technologies

openssl

$ openssl version
OpenSSL 1.0.1j-freebsd 15 Oct 2014

Error

$ sudo composer self-update

  [Composer\Downloader\TransportException]
  The "https://getcomposer.org/version" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
  error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  Failed to enable crypto
  failed to open stream: operation failed

mikl0s commented Oct 23, 2014

Same on FreeBSD 9.X and 10.X

php -v

$ php -v
PHP 5.6.2 (cli) (built: Oct 23 2014 12:59:40)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2014 Zend Technologies

openssl

$ openssl version
OpenSSL 1.0.1j-freebsd 15 Oct 2014

Error

$ sudo composer self-update

  [Composer\Downloader\TransportException]
  The "https://getcomposer.org/version" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
  error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  Failed to enable crypto
  failed to open stream: operation failed
@iasenov

This comment has been minimized.

Show comment
Hide comment
@iasenov

iasenov Oct 27, 2014

Same problem on FreeBSD 10.0
#composer -V
Warning: This development build of composer is over 30 days old. It is recommended to update it by running "/usr/local/bin/composer self-update" to get the latest version.
Composer version cfed932 2014-04-16 15:23:42
#composer self-update
[Composer\Downloader\TransportException]
The "https://getcomposer.org/version" file could not be downloaded: SSL oper
ation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify f
ailed
Failed to enable crypto
failed to open stream: operation failed

Any ideas ... :(

I found only this:
#3045

iasenov commented Oct 27, 2014

Same problem on FreeBSD 10.0
#composer -V
Warning: This development build of composer is over 30 days old. It is recommended to update it by running "/usr/local/bin/composer self-update" to get the latest version.
Composer version cfed932 2014-04-16 15:23:42
#composer self-update
[Composer\Downloader\TransportException]
The "https://getcomposer.org/version" file could not be downloaded: SSL oper
ation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify f
ailed
Failed to enable crypto
failed to open stream: operation failed

Any ideas ... :(

I found only this:
#3045

@iasenov

This comment has been minimized.

Show comment
Hide comment
@iasenov

iasenov Oct 27, 2014

I solved the issue on FreeBSD 10.
I saw that the command
#php -r "var_dump(openssl_get_cert_locations());"
Give me:
array(8) {
["default_cert_file"]=>
string(17) "/etc/ssl/cert.pem"
["default_cert_file_env"]=>
string(13) "SSL_CERT_FILE"
["default_cert_dir"]=>
string(14) "/etc/ssl/certs"
["default_cert_dir_env"]=>
string(12) "SSL_CERT_DIR"
["default_private_dir"]=>
string(16) "/etc/ssl/private"
["default_default_cert_area"]=>
string(8) "/etc/ssl"
["ini_cafile"]=>
string(0) ""
["ini_capath"]=>
string(0) ""
}

On my FreeBSD box the certificate file is in
/usr/local/share/certs
And the file is ca-root-nss.crt, which is a key bundle.
So, I remove ca_root_nss package:
#/usr/ports/security/ca_root_nss make deinstall
And install again with
#/usr/ports/security/ca_root_nss make config install clean
Confirm the option
ETCSYMLINK Add symlink to /etc/ssl/cert.pem
And then
Composer self-update is working. :)

iasenov commented Oct 27, 2014

I solved the issue on FreeBSD 10.
I saw that the command
#php -r "var_dump(openssl_get_cert_locations());"
Give me:
array(8) {
["default_cert_file"]=>
string(17) "/etc/ssl/cert.pem"
["default_cert_file_env"]=>
string(13) "SSL_CERT_FILE"
["default_cert_dir"]=>
string(14) "/etc/ssl/certs"
["default_cert_dir_env"]=>
string(12) "SSL_CERT_DIR"
["default_private_dir"]=>
string(16) "/etc/ssl/private"
["default_default_cert_area"]=>
string(8) "/etc/ssl"
["ini_cafile"]=>
string(0) ""
["ini_capath"]=>
string(0) ""
}

On my FreeBSD box the certificate file is in
/usr/local/share/certs
And the file is ca-root-nss.crt, which is a key bundle.
So, I remove ca_root_nss package:
#/usr/ports/security/ca_root_nss make deinstall
And install again with
#/usr/ports/security/ca_root_nss make config install clean
Confirm the option
ETCSYMLINK Add symlink to /etc/ssl/cert.pem
And then
Composer self-update is working. :)

@aikar

This comment has been minimized.

Show comment
Hide comment
@aikar

aikar Oct 27, 2014

Users should not have to change their system configuration in order to get
it to work. Users in a shared hosting environment will not have that
ability.

On Mon, Oct 27, 2014 at 11:19 AM, Ivaylo Asenov notifications@github.com
wrote:

I solved the issue on FreeBSD 10.
I saw that the command
#php -r "var_dump(openssl_get_cert_locations());"
Give me:
array(8) {
["default_cert_file"]=>
string(17) "/etc/ssl/cert.pem"
["default_cert_file_env"]=>
string(13) "SSL_CERT_FILE"
["default_cert_dir"]=>
string(14) "/etc/ssl/certs"
["default_cert_dir_env"]=>
string(12) "SSL_CERT_DIR"
["default_private_dir"]=>
string(16) "/etc/ssl/private"
["default_default_cert_area"]=>
string(8) "/etc/ssl"
["ini_cafile"]=>
string(0) ""
["ini_capath"]=>
string(0) ""
}

On my FreeBSD box the certificate file is in
/usr/local/share/certs
And the file is ca-root-nss.crt, which is a key bundle.
So, I remove ca_root_nss package:
#/usr/ports/security/ca_root_nss make deinstall
And install again with
#/usr/ports/security/ca_root_nss make config install clean
Confirm the option
ETCSYMLINK Add symlink to /etc/ssl/cert.pem
And then
Composer self-update is working. :)


Reply to this email directly or view it on GitHub
#3346 (comment).

aikar commented Oct 27, 2014

Users should not have to change their system configuration in order to get
it to work. Users in a shared hosting environment will not have that
ability.

On Mon, Oct 27, 2014 at 11:19 AM, Ivaylo Asenov notifications@github.com
wrote:

I solved the issue on FreeBSD 10.
I saw that the command
#php -r "var_dump(openssl_get_cert_locations());"
Give me:
array(8) {
["default_cert_file"]=>
string(17) "/etc/ssl/cert.pem"
["default_cert_file_env"]=>
string(13) "SSL_CERT_FILE"
["default_cert_dir"]=>
string(14) "/etc/ssl/certs"
["default_cert_dir_env"]=>
string(12) "SSL_CERT_DIR"
["default_private_dir"]=>
string(16) "/etc/ssl/private"
["default_default_cert_area"]=>
string(8) "/etc/ssl"
["ini_cafile"]=>
string(0) ""
["ini_capath"]=>
string(0) ""
}

On my FreeBSD box the certificate file is in
/usr/local/share/certs
And the file is ca-root-nss.crt, which is a key bundle.
So, I remove ca_root_nss package:
#/usr/ports/security/ca_root_nss make deinstall
And install again with
#/usr/ports/security/ca_root_nss make config install clean
Confirm the option
ETCSYMLINK Add symlink to /etc/ssl/cert.pem
And then
Composer self-update is working. :)


Reply to this email directly or view it on GitHub
#3346 (comment).

@mikl0s

This comment has been minimized.

Show comment
Hide comment
@mikl0s

mikl0s Oct 28, 2014

That is my default setup (ca_root_nss with etcsymlink) and still not working.

mikl0s commented Oct 28, 2014

That is my default setup (ca_root_nss with etcsymlink) and still not working.

@mikl0s

This comment has been minimized.

Show comment
Hide comment
@mikl0s

mikl0s Oct 28, 2014

]# php -r "var_dump(openssl_get_cert_locations());"
array(8) {
  ["default_cert_file"]=>
  string(27) "/usr/local/openssl/cert.pem"
  ["default_cert_file_env"]=>
  string(13) "SSL_CERT_FILE"
  ["default_cert_dir"]=>
  string(24) "/usr/local/openssl/certs"
  ["default_cert_dir_env"]=>
  string(12) "SSL_CERT_DIR"
  ["default_private_dir"]=>
  string(26) "/usr/local/openssl/private"
  ["default_default_cert_area"]=>
  string(18) "/usr/local/openssl"
  ["ini_cafile"]=>
  string(0) ""
  ["ini_capath"]=>
  string(0) ""
}

On FreeBSD with

WITH_OPENSSL_PORT=yes

in /etc/make.conf before installing (or before reinstalling/updating) ports that require openssl

then run

ln -s /usr/local/share/certs/ca-root-nss.crt /usr/local/openssl/cert.pem

and composer works again.

mikl0s commented Oct 28, 2014

]# php -r "var_dump(openssl_get_cert_locations());"
array(8) {
  ["default_cert_file"]=>
  string(27) "/usr/local/openssl/cert.pem"
  ["default_cert_file_env"]=>
  string(13) "SSL_CERT_FILE"
  ["default_cert_dir"]=>
  string(24) "/usr/local/openssl/certs"
  ["default_cert_dir_env"]=>
  string(12) "SSL_CERT_DIR"
  ["default_private_dir"]=>
  string(26) "/usr/local/openssl/private"
  ["default_default_cert_area"]=>
  string(18) "/usr/local/openssl"
  ["ini_cafile"]=>
  string(0) ""
  ["ini_capath"]=>
  string(0) ""
}

On FreeBSD with

WITH_OPENSSL_PORT=yes

in /etc/make.conf before installing (or before reinstalling/updating) ports that require openssl

then run

ln -s /usr/local/share/certs/ca-root-nss.crt /usr/local/openssl/cert.pem

and composer works again.

@apinnecke

This comment has been minimized.

Show comment
Hide comment
@apinnecke

apinnecke Oct 28, 2014

(y)
Am 27.10.2014 19:23 schrieb "Daniel Ennis" notifications@github.com:

Users should not have to change their system configuration in order to get
it to work. Users in a shared hosting environment will not have that
ability.

On Mon, Oct 27, 2014 at 11:19 AM, Ivaylo Asenov notifications@github.com

wrote:

I solved the issue on FreeBSD 10.
I saw that the command
#php -r "var_dump(openssl_get_cert_locations());"
Give me:
array(8) {
["default_cert_file"]=>
string(17) "/etc/ssl/cert.pem"
["default_cert_file_env"]=>
string(13) "SSL_CERT_FILE"
["default_cert_dir"]=>
string(14) "/etc/ssl/certs"
["default_cert_dir_env"]=>
string(12) "SSL_CERT_DIR"
["default_private_dir"]=>
string(16) "/etc/ssl/private"
["default_default_cert_area"]=>
string(8) "/etc/ssl"
["ini_cafile"]=>
string(0) ""
["ini_capath"]=>
string(0) ""
}

On my FreeBSD box the certificate file is in
/usr/local/share/certs
And the file is ca-root-nss.crt, which is a key bundle.
So, I remove ca_root_nss package:
#/usr/ports/security/ca_root_nss make deinstall
And install again with
#/usr/ports/security/ca_root_nss make config install clean
Confirm the option
ETCSYMLINK Add symlink to /etc/ssl/cert.pem
And then
Composer self-update is working. :)


Reply to this email directly or view it on GitHub
#3346 (comment).


Reply to this email directly or view it on GitHub
#3346 (comment).

apinnecke commented Oct 28, 2014

(y)
Am 27.10.2014 19:23 schrieb "Daniel Ennis" notifications@github.com:

Users should not have to change their system configuration in order to get
it to work. Users in a shared hosting environment will not have that
ability.

On Mon, Oct 27, 2014 at 11:19 AM, Ivaylo Asenov notifications@github.com

wrote:

I solved the issue on FreeBSD 10.
I saw that the command
#php -r "var_dump(openssl_get_cert_locations());"
Give me:
array(8) {
["default_cert_file"]=>
string(17) "/etc/ssl/cert.pem"
["default_cert_file_env"]=>
string(13) "SSL_CERT_FILE"
["default_cert_dir"]=>
string(14) "/etc/ssl/certs"
["default_cert_dir_env"]=>
string(12) "SSL_CERT_DIR"
["default_private_dir"]=>
string(16) "/etc/ssl/private"
["default_default_cert_area"]=>
string(8) "/etc/ssl"
["ini_cafile"]=>
string(0) ""
["ini_capath"]=>
string(0) ""
}

On my FreeBSD box the certificate file is in
/usr/local/share/certs
And the file is ca-root-nss.crt, which is a key bundle.
So, I remove ca_root_nss package:
#/usr/ports/security/ca_root_nss make deinstall
And install again with
#/usr/ports/security/ca_root_nss make config install clean
Confirm the option
ETCSYMLINK Add symlink to /etc/ssl/cert.pem
And then
Composer self-update is working. :)


Reply to this email directly or view it on GitHub
#3346 (comment).


Reply to this email directly or view it on GitHub
#3346 (comment).

@apinnecke

This comment has been minimized.

Show comment
Hide comment
@apinnecke

apinnecke Nov 3, 2014

For us, a reinstall of the ca-cert package fixed the problem!

apinnecke commented Nov 3, 2014

For us, a reinstall of the ca-cert package fixed the problem!

@yuklia

This comment has been minimized.

Show comment
Hide comment
@yuklia

yuklia commented Nov 29, 2014

@vzool

This comment has been minimized.

Show comment
Hide comment
@vzool

vzool Mar 1, 2015

Finally I found the answer :)

First: Check certificate file location which will be in default_cert_file key, you will found it in openssl_get_cert_locations() its php openssl function:

$ php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /opt/lampp/share/openssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /opt/lampp/share/openssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /opt/lampp/share/openssl/private
    [default_default_cert_area] => /opt/lampp/share/openssl
    [ini_cafile] => 
    [ini_capath] => 
)

Second: Download http://curl.haxx.se/ca/cacert.pem:

$ wget http://curl.haxx.se/ca/cacert.pem

Third: Copy certificate PEM file into default_cert_file location:

$ sudo mv cacert.pem /opt/lampp/share/openssl/cert.pem

My php-cli is under XAMPP and default_cert_file maybe point to some place that is different than this.
I hope anything after that should goes fine with you brothers.

vzool commented Mar 1, 2015

Finally I found the answer :)

First: Check certificate file location which will be in default_cert_file key, you will found it in openssl_get_cert_locations() its php openssl function:

$ php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /opt/lampp/share/openssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /opt/lampp/share/openssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /opt/lampp/share/openssl/private
    [default_default_cert_area] => /opt/lampp/share/openssl
    [ini_cafile] => 
    [ini_capath] => 
)

Second: Download http://curl.haxx.se/ca/cacert.pem:

$ wget http://curl.haxx.se/ca/cacert.pem

Third: Copy certificate PEM file into default_cert_file location:

$ sudo mv cacert.pem /opt/lampp/share/openssl/cert.pem

My php-cli is under XAMPP and default_cert_file maybe point to some place that is different than this.
I hope anything after that should goes fine with you brothers.

@Gardencoder

This comment has been minimized.

Show comment
Hide comment
@Gardencoder

Gardencoder Jun 7, 2015

@vzool your solution work , Thanks

Gardencoder commented Jun 7, 2015

@vzool your solution work , Thanks

@Zemke

This comment has been minimized.

Show comment
Hide comment
@Zemke

Zemke Jun 19, 2015

@vzool, works for me, too. Thanks a lot!

Zemke commented Jun 19, 2015

@vzool, works for me, too. Thanks a lot!

@ericx

This comment has been minimized.

Show comment
Hide comment
@ericx

ericx Jul 4, 2015

In FreeBSD 10.x, the trend is to now sym-link the nss cafile to /usr/local/etc/ssl/cert.pem. Previously, it was /etc/ssl/cert.pem. I found that on older machines the /etc/ssl link was still in place; but newer installs only had /usr/local/etc/ssl. Adding the symlink in the old location fixes the problem; but probably a better solution is to add:

openssl.cafile = /usr/local/etc/ssl/cert.pem

to your favorite /usr/local/etc/php/*.ini config until the php56 port catches up.

ericx commented Jul 4, 2015

In FreeBSD 10.x, the trend is to now sym-link the nss cafile to /usr/local/etc/ssl/cert.pem. Previously, it was /etc/ssl/cert.pem. I found that on older machines the /etc/ssl link was still in place; but newer installs only had /usr/local/etc/ssl. Adding the symlink in the old location fixes the problem; but probably a better solution is to add:

openssl.cafile = /usr/local/etc/ssl/cert.pem

to your favorite /usr/local/etc/php/*.ini config until the php56 port catches up.

@vipmaa

This comment has been minimized.

Show comment
Hide comment
@vipmaa

vipmaa Aug 5, 2015

@vzool this solution work with me in Ubuntu - Xampp . Thanks

vipmaa commented Aug 5, 2015

@vzool this solution work with me in Ubuntu - Xampp . Thanks

@nrsutton

This comment has been minimized.

Show comment
Hide comment
@nrsutton

nrsutton Aug 26, 2015

I'm still having this problem and I'm pulling what's left of my hair out. I've copied cert.pm to the location specified by default_cert_file and I still get the error message. Does anyone else have any kind of update for this. It seems upgrading to PHP 5.6 is a big no no if you use composer.

nrsutton commented Aug 26, 2015

I'm still having this problem and I'm pulling what's left of my hair out. I've copied cert.pm to the location specified by default_cert_file and I still get the error message. Does anyone else have any kind of update for this. It seems upgrading to PHP 5.6 is a big no no if you use composer.

@gravypower

This comment has been minimized.

Show comment
Hide comment
@gravypower

gravypower Aug 27, 2015

Have been having this issue for a few weeks and could not pinpoint what was going on, installing new certificates and making sure NTLM usernames and passwords were all ok, it did not seem to stop the issue as composer diag reported everything were still not working. It turned out that I had to remove the protocol from my https_proxy.

Here is what solved my issue on Ubuntu with PHP 5.6.4 behind a corporate proxy.

My first issue was I needed to pass user credentials to the proxy, I solved this issue with cntlm. Basically you set your proxy to a local address and then cntlm passes the request onto the corporate proxy with credentials. I had a hard time getting this to work so if anyone needs help with this drop me a line.

So now I had internet access with our supplying my username and password each time I made a request :D

I was still having issues with SSL event after working through the suggestions listed in this thread, finlay I read somewhere that removing the protocol from your https proxy worked. Using this command:

export set https_proxy="127.0.0.1:3128"

This command made composer diag work for the terminal session but every time I opened a new session this command needed to be run again. That was all good, I can live with that.

All my problems seemed to be solved, I was so happy, well until I tried to install aegir. This used apt-get ran with the sudo command, and I was seeing the SSL error again. NOOOOOO /CRY

What was happening (I think) was that the default environmental variables were being used as sudo was opening a new session. It was time to fix this once and for all (well so far) I made a change to the default environment variables.

sudo nano /etc/environment 

I changed the https_proxy to https_proxy="127.0.0.1:3128"

I hope this helps someone.

Aaron

gravypower commented Aug 27, 2015

Have been having this issue for a few weeks and could not pinpoint what was going on, installing new certificates and making sure NTLM usernames and passwords were all ok, it did not seem to stop the issue as composer diag reported everything were still not working. It turned out that I had to remove the protocol from my https_proxy.

Here is what solved my issue on Ubuntu with PHP 5.6.4 behind a corporate proxy.

My first issue was I needed to pass user credentials to the proxy, I solved this issue with cntlm. Basically you set your proxy to a local address and then cntlm passes the request onto the corporate proxy with credentials. I had a hard time getting this to work so if anyone needs help with this drop me a line.

So now I had internet access with our supplying my username and password each time I made a request :D

I was still having issues with SSL event after working through the suggestions listed in this thread, finlay I read somewhere that removing the protocol from your https proxy worked. Using this command:

export set https_proxy="127.0.0.1:3128"

This command made composer diag work for the terminal session but every time I opened a new session this command needed to be run again. That was all good, I can live with that.

All my problems seemed to be solved, I was so happy, well until I tried to install aegir. This used apt-get ran with the sudo command, and I was seeing the SSL error again. NOOOOOO /CRY

What was happening (I think) was that the default environmental variables were being used as sudo was opening a new session. It was time to fix this once and for all (well so far) I made a change to the default environment variables.

sudo nano /etc/environment 

I changed the https_proxy to https_proxy="127.0.0.1:3128"

I hope this helps someone.

Aaron

@KissDaniGH

This comment has been minimized.

Show comment
Hide comment
@KissDaniGH

KissDaniGH Nov 13, 2015

hi
open https://packagist.org in your browser.
Export all the certs.
copy them /usr/local/ca-certificares.
run update-ca-certifcates
check if new crt is added
if yes ur OK

KissDaniGH commented Nov 13, 2015

hi
open https://packagist.org in your browser.
Export all the certs.
copy them /usr/local/ca-certificares.
run update-ca-certifcates
check if new crt is added
if yes ur OK

@ilhnctn

This comment has been minimized.

Show comment
Hide comment
@ilhnctn

ilhnctn Nov 22, 2015

Your solution gave result. Thanks @vzool

ilhnctn commented Nov 22, 2015

Your solution gave result. Thanks @vzool

aait referenced this issue in PayEx/PayEx.WooCommerce Jan 13, 2016

@Seldaek

This comment has been minimized.

Show comment
Hide comment
@Seldaek

Seldaek Jan 25, 2016

Member

Closing as we now handle SSL quite a lot better.

Member

Seldaek commented Jan 25, 2016

Closing as we now handle SSL quite a lot better.

@Seldaek Seldaek closed this Jan 25, 2016

@Elnna

This comment has been minimized.

Show comment
Hide comment
@Elnna

Elnna Apr 13, 2016

@vzool, It work for me too. Thanks very much

Elnna commented Apr 13, 2016

@vzool, It work for me too. Thanks very much

@Vijaysinh

This comment has been minimized.

Show comment
Hide comment
@Vijaysinh

Vijaysinh May 19, 2016

I am using windows 7 - 32 bit.

I also updated php.ini file to this after downloading cacert.pem file and restart apache but still I am having issue. Can anyone please help me?

I am using PHP Version 5.5.30.

extension=php_openssl.dll
openssl.cafile = "C:\xampp\php\extras\openssl\cacert.pem"

Vijaysinh commented May 19, 2016

I am using windows 7 - 32 bit.

I also updated php.ini file to this after downloading cacert.pem file and restart apache but still I am having issue. Can anyone please help me?

I am using PHP Version 5.5.30.

extension=php_openssl.dll
openssl.cafile = "C:\xampp\php\extras\openssl\cacert.pem"

@psalami

This comment has been minimized.

Show comment
Hide comment
@psalami

psalami May 25, 2016

In my case, making sure that the correct cert.pem file exists was not sufficient. You need to also set your time zone in your php.ini to your actual time zone using the date.timezone key (in my case, I set it to America/Los Angeles). Otherwise, PHP will default to using UTC and your system clock will appear to be off. This solved the issue for me on Mac OS X El Capitan (10.11.2).

psalami commented May 25, 2016

In my case, making sure that the correct cert.pem file exists was not sufficient. You need to also set your time zone in your php.ini to your actual time zone using the date.timezone key (in my case, I set it to America/Los Angeles). Otherwise, PHP will default to using UTC and your system clock will appear to be off. This solved the issue for me on Mac OS X El Capitan (10.11.2).

@Vijaysinh

This comment has been minimized.

Show comment
Hide comment
@Vijaysinh

Vijaysinh May 25, 2016

@psalami I have updated date.timezone in php.ini but still getting same issue...

Vijaysinh commented May 25, 2016

@psalami I have updated date.timezone in php.ini but still getting same issue...

@binarious

This comment has been minimized.

Show comment
Hide comment
@binarious

binarious Jun 27, 2016

Same here. Updating the cert and putting it in default_cert_file didn't help. The date.timezone is set, too. I had to set openssl.cafile to the default_cert_file.

binarious commented Jun 27, 2016

Same here. Updating the cert and putting it in default_cert_file didn't help. The date.timezone is set, too. I had to set openssl.cafile to the default_cert_file.

@mrg123

This comment has been minimized.

Show comment
Hide comment
@parsibox

This comment has been minimized.

Show comment
Hide comment
@parsibox

parsibox Jul 31, 2016

only install this
yum install ca-certificates.noarch

parsibox commented Jul 31, 2016

only install this
yum install ca-certificates.noarch

@tuuna00

This comment has been minimized.

Show comment
Hide comment
@tuuna00

tuuna00 Aug 19, 2016

however,it didn't work in version PHP 7.0.8-0ubuntu0.16.04.2, I really wonder if you have tried this with a php version of 7.0.* or whether you have an another solution , looking forward to reply , I really appreciate it. @vzool

tuuna00 commented Aug 19, 2016

however,it didn't work in version PHP 7.0.8-0ubuntu0.16.04.2, I really wonder if you have tried this with a php version of 7.0.* or whether you have an another solution , looking forward to reply , I really appreciate it. @vzool

@parsibox

This comment has been minimized.

Show comment
Hide comment
@parsibox

parsibox Oct 27, 2016

yes is use php7 but in CENTOS 6 64bit

parsibox commented Oct 27, 2016

yes is use php7 but in CENTOS 6 64bit

@GwenWing

This comment has been minimized.

Show comment
Hide comment
@GwenWing

GwenWing Nov 4, 2016

On Debian 8.6, using php 5.6, there is a missing file /usr/lib/ssl/cert.pem

In order to fix it download CA certs :
wget http://curl.haxx.se/ca/cacert.pem

Then copy to /usr/lib/ssl/cert.pem, and you can use fsockopen with SSL.

Maybe an issue with openssl packaging or a missing dependency, but I couldn't find /usr/lib/ss/cert.pem in Deb packages

GwenWing commented Nov 4, 2016

On Debian 8.6, using php 5.6, there is a missing file /usr/lib/ssl/cert.pem

In order to fix it download CA certs :
wget http://curl.haxx.se/ca/cacert.pem

Then copy to /usr/lib/ssl/cert.pem, and you can use fsockopen with SSL.

Maybe an issue with openssl packaging or a missing dependency, but I couldn't find /usr/lib/ss/cert.pem in Deb packages

@LPugens

This comment has been minimized.

Show comment
Hide comment
@LPugens

LPugens Jan 4, 2017

Using Ubuntu 16.04 and php7, I could fix it by installing
apt-get install ca-certificates
And running
update-ca-certificates

LPugens commented Jan 4, 2017

Using Ubuntu 16.04 and php7, I could fix it by installing
apt-get install ca-certificates
And running
update-ca-certificates

@ademirdiniz

This comment has been minimized.

Show comment
Hide comment
@ademirdiniz

ademirdiniz Mar 9, 2017

Hi, all.

I've fixed this issue doing the follow:

1º: Download the certificate:

wget http://curl.haxx.se/ca/cacert.pem --no-check-certificate

2º: Export it:

export COMPOSER_CAFILE='/home/user/cacert.pem'

The path need to be the same where you've downloaded the certificate in firts step.

3º: Run composer:

composer install

It works for me! :D

ademirdiniz commented Mar 9, 2017

Hi, all.

I've fixed this issue doing the follow:

1º: Download the certificate:

wget http://curl.haxx.se/ca/cacert.pem --no-check-certificate

2º: Export it:

export COMPOSER_CAFILE='/home/user/cacert.pem'

The path need to be the same where you've downloaded the certificate in firts step.

3º: Run composer:

composer install

It works for me! :D

@AleksSv

This comment has been minimized.

Show comment
Hide comment
@AleksSv

AleksSv May 12, 2017

I don't think I saw this mentioned, but a possible trigger of this error could be incorrect permissions for ssl directories.

For me it turned out I had the default certs directory as 700 instead of 755 (remember this is certs not private).

Doing
sudo chmod 755 certs
Fixed the problem for me

AleksSv commented May 12, 2017

I don't think I saw this mentioned, but a possible trigger of this error could be incorrect permissions for ssl directories.

For me it turned out I had the default certs directory as 700 instead of 755 (remember this is certs not private).

Doing
sudo chmod 755 certs
Fixed the problem for me

@gavstah

This comment has been minimized.

Show comment
Hide comment
@gavstah

gavstah Feb 3, 2018

Exporting the COMPOSER_CAFILE variable worked like a charm for me. Until then, I'd been having a frustrating time having tried everything else in this thread.

gavstah commented Feb 3, 2018

Exporting the COMPOSER_CAFILE variable worked like a charm for me. Until then, I'd been having a frustrating time having tried everything else in this thread.

@scrummer

This comment has been minimized.

Show comment
Hide comment
@scrummer

scrummer Feb 12, 2018

@AleksSv Sweet fix, worked fine for me. Thx :)

scrummer commented Feb 12, 2018

@AleksSv Sweet fix, worked fine for me. Thx :)

@acccounttest

This comment has been minimized.

Show comment
Hide comment
@acccounttest

acccounttest Apr 20, 2018

FIXED USING A CWD IN POPEN(even if all is called :()

It worked exactly like that, replacing cert file BUT
I CANT HAVE THIS WORKING BECAUSE I USE IT IN POPEN(moving sames instruction lines from one php file to another, maybe i do it too much times, only one more) :((
so i retrieve errors about certificates like: failed RSET ...certificate verify failed...without being connected....

acccounttest commented Apr 20, 2018

FIXED USING A CWD IN POPEN(even if all is called :()

It worked exactly like that, replacing cert file BUT
I CANT HAVE THIS WORKING BECAUSE I USE IT IN POPEN(moving sames instruction lines from one php file to another, maybe i do it too much times, only one more) :((
so i retrieve errors about certificates like: failed RSET ...certificate verify failed...without being connected....

@mdolnik-eelzee

This comment has been minimized.

Show comment
Hide comment
@mdolnik-eelzee

mdolnik-eelzee Jun 11, 2018

I had the same issue and tried everything, including messing around with the certificate files.

Turned out to be Kapersky Antivirus...

Thanks to @marcovtwout on his comment on another thread

mdolnik-eelzee commented Jun 11, 2018

I had the same issue and tried everything, including messing around with the certificate files.

Turned out to be Kapersky Antivirus...

Thanks to @marcovtwout on his comment on another thread

@martynakruczek

This comment has been minimized.

Show comment
Hide comment
@martynakruczek

martynakruczek Aug 1, 2018

Thanks @mdolnik-eelzee !!
I was trying to find solution for 3 hours... and when I found your post about Kaspersky... it saved my life!!

martynakruczek commented Aug 1, 2018

Thanks @mdolnik-eelzee !!
I was trying to find solution for 3 hours... and when I found your post about Kaspersky... it saved my life!!

@creazy412

This comment has been minimized.

Show comment
Hide comment
@creazy412

creazy412 Aug 15, 2018

If you've tried many ways and haven't solved them, try the following:
Anywhere in the php.ini file
;cert.pem you can curl.haxx.se/ca/cacert.pem Download

openssl.cafile=/usr/lib/ssl/cert.pem**

creazy412 commented Aug 15, 2018

If you've tried many ways and haven't solved them, try the following:
Anywhere in the php.ini file
;cert.pem you can curl.haxx.se/ca/cacert.pem Download

openssl.cafile=/usr/lib/ssl/cert.pem**

@GregOriol

This comment has been minimized.

Show comment
Hide comment
@GregOriol

GregOriol Aug 22, 2018

One thing to check also is the date/time of your system: packagist uses letsencrypt certificates that are valid for 3 months and thus renewed every 3 months. If your system is out of sync by a few days, it could happen that the ssl certificate is not valid yet/not valid anymore. Just happened to me with a vagrant vm.

GregOriol commented Aug 22, 2018

One thing to check also is the date/time of your system: packagist uses letsencrypt certificates that are valid for 3 months and thus renewed every 3 months. If your system is out of sync by a few days, it could happen that the ssl certificate is not valid yet/not valid anymore. Just happened to me with a vagrant vm.

@VaNnOrus

This comment has been minimized.

Show comment
Hide comment
@VaNnOrus

VaNnOrus Aug 28, 2018

@mdolnik-eelzee OMAGAD really thanx, Im reinstalled xampp and composer and replaced certificates in configs at least 25 times, before Im found your comment...

VaNnOrus commented Aug 28, 2018

@mdolnik-eelzee OMAGAD really thanx, Im reinstalled xampp and composer and replaced certificates in configs at least 25 times, before Im found your comment...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment