
Certificate verify location error with POST request #2745

Closed
georgobermayr opened this issue Jul 28, 2020 · 9 comments · Fixed by #2756

@georgobermayr
Describe the bug
I have a custom route that does a POST request, e.g. to a Slack webhook like this:

<?php

use Kirby\Http\Remote;

return [
    'pattern' => 'myRoute',
    'action'  => function () {

        // … ($slackBot holds the webhook URL, $notification the payload)

        // POST the JSON-encoded payload to the Slack webhook
        Remote::post($slackBot, [
            'data' => json_encode($notification),
        ]);
    }
];

When I access this route, I get the cURL error 77 "error setting certificate verify locations:\n CAfile: 1\n CApath: /usr/local/etc/openssl@1.1/certs".

Kirby Version
Kirby 3.4

Desktop (please complete the following information):

  • OS: macOS Catalina 10.15.6
  • PHP 7.4
  • Environment: Laravel Valet, the website is accessed with the my-folder.test domain of Valet. The Valet site is not secured, so accessed with HTTP, but the error remains the same, when securing the site.
@bastianallgeier bastianallgeier added the type: bug 🐛 Is a bug; fixes a bug label Jul 28, 2020
@bastianallgeier
Member

@lukasbestle that's related to the new cert file and ssl check in the Remote class, right?

@lukasbestle
Member

Yes, there was a discussion about this in Slack already and I asked Georg to open an issue. I will take a look at this.

@afbora
Member

afbora commented Jul 28, 2020

Quoted, maybe it will help:

> There is usually no CA certificate bundle on OS X, because SSL libraries typically use Apple's Security Framework internally and obtain certificates from Keychain.
>
> You can create your own bundle from Keychain certificates, though: Open Keychain, navigate to the “Certificates” category in the “System Roots” keychain, and press Command+Shift+E (“Export items”), to save all certificates. I think that Python can handle the PEM format, so be sure to select that.
>
> Alternatively, on OS X 10.6 and newer, the system Python is built against an OpenSSL version which always looks into Keychain as well. Hence, you can create a dummy bundle that only contains a dummy self-signed certification, and use that in your configuration to make OfflineIMAP shut up. It'll look into the Keychain certificates anyway.

See https://www.mercurial-scm.org/wiki/CACertificates#Mac_OS_X_10.6_and_higher for details.

@lukasbestle lukasbestle added type: regression 🚨 Is a regression between versions and removed type: bug 🐛 Is a bug; fixes a bug labels Jul 30, 2020
@lukasbestle lukasbestle added this to the 3.4.1 milestone Jul 30, 2020
@lukasbestle
Member

I don't have access to a Valet setup, but as far as I remember, it uses Homebrew PHP internally, doesn't it? I tried to reproduce the issue with my local installation of Homebrew PHP 7.4.8 on Catalina, but it works just fine for me.

What's especially weird about the error message is the CAfile: 1 value. Normally that would be an absolute path to a PEM file like the one that ships with Kirby.

@georgobermayr Could you please test the following to track this down further:

  • Have you tried different destination hosts? One test destination that would be easy to reproduce for us all without credentials would be https://getkirby.com/security.json:
var_dump(Remote::get('https://getkirby.com/security.json'));
  • Do you have any of the new remote options set in your config?
  • Can you reproduce this with the Plainkit with just the example code above in the site/templates/default.php?

> Quoted, maybe it will help:
>
> There is usually no CA certificate bundle on OS X, because SSL libraries typically use Apple's Security Framework internally and obtain certificates from Keychain.

Since Kirby 3.4.0, Kirby ships with its own CA bundle that is used by default if no other bundle is configured by the user. So I don't think this can be the issue. However, it's likely that cURL can't find or doesn't accept our CA bundle on @georgobermayr's machine.

BTW: The reason why there wasn't any error before Kirby 3.4.0 is that we have enabled TLS certificate verification for Remote requests in 3.4.0, so older versions didn't need the CA cert at all.

It is possible to disable verification completely in the config to go back to the pre-3.4.0 behavior, but that's obviously not recommended.
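The behaviour described in this comment (a bundled CA file used by default, a user-supplied path as an override, and an explicit opt-out that is not recommended) can be modelled as a small option-resolving step in front of cURL. The following is an added example, not Kirby's own `Remote` implementation; the function names, the `$bundledCaFile` location and the accepted values of the `ca` option are assumptions modelled on the thread. Its point is that a boolean `true` must be resolved to a real, existing path before it reaches `CURLOPT_CAINFO`, because PHP would otherwise stringify it to `"1"`, which is exactly the `CAfile: 1` value that made the error above hard to interpret. A second function gathers the certificate locations this PHP build knows about, which helps when comparing a failing environment with a working one.

```php
<?php
// Added example (not Kirby's own code). Names and paths are assumptions.
declare(strict_types=1);

/**
 * Resolve a `ca` option into concrete cURL options.
 *
 * Assumed contract, modelled on the options discussed in this thread:
 *   true    -> verify against the bundled PEM file ($bundledCaFile)
 *   false   -> disable verification (pre-3.4.0 behaviour, not recommended)
 *   string  -> path to a PEM file (CAfile) or a directory of certs (CApath)
 *
 * @param  bool|string $ca
 * @return array<int, mixed> cURL option constants mapped to their values
 */
function resolveCaOption($ca, string $bundledCaFile): array
{
    if ($ca === false) {
        // Explicit opt-out: keep the options present and false so the
        // decision is visible in any dump of the cURL options.
        return [
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => 0,
        ];
    }

    if ($ca === true) {
        // Never let `true` fall through to cURL as the string "1".
        $ca = $bundledCaFile;
    }

    if (!is_string($ca) || $ca === '') {
        throw new InvalidArgumentException(
            'The "ca" option must be true, false, or a path to a CA file or directory'
        );
    }

    $options = [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ];

    if (is_file($ca)) {
        if (!is_readable($ca)) {
            throw new RuntimeException('CA bundle is not readable: ' . $ca);
        }
        $options[CURLOPT_CAINFO] = $ca;
    } elseif (is_dir($ca)) {
        $options[CURLOPT_CAPATH] = $ca;
    } else {
        // Fail early with the path in the message; cURL error 77 only
        // reports what it was handed, not why the value is wrong.
        throw new RuntimeException('CA bundle not found: ' . $ca);
    }

    return $options;
}

/**
 * Report where this PHP build's cURL/OpenSSL look for certificates.
 * Useful for diffing two environments (e.g. Valet vs. Plainkit).
 */
function caDiagnostics(): array
{
    $curl = curl_version();

    return [
        'curl_ssl_version'   => $curl['ssl_version'] ?? 'unknown',
        'openssl_locations'  => function_exists('openssl_get_cert_locations')
            ? openssl_get_cert_locations()
            : [],
        'curl_cainfo_ini'    => ini_get('curl.cainfo'),
        'openssl_cafile_ini' => ini_get('openssl.cafile'),
    ];
}

// Usage with constructed paths: resolve the bundled file to an absolute
// path from an install root so that a custom Composer installation path
// (such as the "kirby-cms-path" mentioned later in this thread) still works.
$installRoot   = __DIR__;                      // assumption
$bundledCaFile = $installRoot . '/cacert.pem'; // assumption

try {
    print_r(resolveCaOption(true, $bundledCaFile));
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

print_r(caDiagnostics());
```

When the bundled file is missing, this version reports `CA bundle not found: /…/cacert.pem` instead of letting cURL fail with `CAfile: 1`, so the cause is visible in the first error message rather than requiring a dump of the cURL options.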

@georgobermayr
Author

Yes, this uses Homebrew PHP.

> Have you tried different destination hosts? One test destination that would be easy to reproduce for us all without credentials would be https://getkirby.com/security.json:

I tried that at first in my initial project setup; this throws an exception immediately, no matter the destination host:

{
    "status": "error",
    "exception": "Exception",
    "code": 77,
    "message": "error setting certificate verify locations:\n  CAfile: 1\n  CApath: /usr/local/etc/openssl@1.1/certs",
    "details": null,
    "file": "vendor/getkirby/cms/src/Http/Remote.php",
    "line": 276
}

> Do you have any of the new remote options set in your config?

No, there is nothing set here.

> Can you reproduce this with the Plainkit with just the example code above in the site/templates/default.php?

Sadly not. With the Plainkit I get this output when dumping a GET request to https://getkirby.com/security.json:

Kirby\Http\Remote Object
(
    [content] => {"latest":"3.4.0","latestUrl":"https://github.com/getkirby/kirby/releases/tag/3.4.0","supported":{"3.4.0":"Latest Kirby release, actively supported","3.3.6+":"No known security issues","2.5.13+":"Security support until 31.12.2020, no active development","1.*":"Not supported"},"incidents":[{"affected":"<=3.3.5","description":"Registration block: .dev domains and some reverse proxy setups were treated as local","fixed":"3.3.6","id":"0","severity":"minor"}]}
    [curl] => Resource id #8
    [curlopt] => Array
        (
            [10002] => https://getkirby.com/security.json
            [10102] => utf-8
            [78] => 10
            [13] => 10
            [58] => 1
            [19913] => 1
            [52] => 1
            [68] => 10
            [42] => 
            [20079] => Closure Object
                (
                    [this] => Kirby\Http\Remote Object
 *RECURSION*
                    [parameter] => Array
                        (
                            [$curl] => 
                            [$header] => 
                        )

                )

            [64] => 1
            [10065] => /Users/georgobermayr/Downloads/plainkit-master/kirby/cacert.pem
        )

    [errorCode] => 0
    [errorMessage] => 
    [headers] => Array
        (
            [Server] => nginx/1.14.0 (Ubuntu)
            [Date] => Sun, 02 Aug 2020 13:37:51 GMT
            [Content-Type] => application/json; charset=UTF-8
            [Transfer-Encoding] => chunked
            [Connection] => keep-alive
            [Vary] => Accept-Encoding
        )

    [info] => Array
        (
            [url] => https://getkirby.com/security.json
            [content_type] => application/json; charset=UTF-8
            [http_code] => 200
            [header_size] => 209
            [request_size] => 88
            [filetime] => -1
            [ssl_verify_result] => 0
            [redirect_count] => 0
            [total_time] => 0.147753
            [namelookup_time] => 0.037466
            [connect_time] => 0.059308
            [pretransfer_time] => 0.1184
            [size_upload] => 0
            [size_download] => 459
            [speed_download] => 3122
            [speed_upload] => 0
            [download_content_length] => -1
            [upload_content_length] => -1
            [starttransfer_time] => 0.147694
            [redirect_time] => 0
            [redirect_url] => 
            [primary_ip] => 85.90.245.237
            [certinfo] => Array
                (
                )

            [primary_port] => 443
            [local_ip] => 192.168.178.36
            [local_port] => 59638
            [http_version] => 2
            [protocol] => 2
            [ssl_verifyresult] => 0
            [scheme] => HTTPS
            [appconnect_time_us] => 118330
            [connect_time_us] => 59308
            [namelookup_time_us] => 37466
            [pretransfer_time_us] => 118400
            [redirect_time_us] => 0
            [starttransfer_time_us] => 147694
            [total_time_us] => 147753
        )

    [options] => Array
        (
            [agent] => 
            [basicAuth] => 
            [body] => 1
            [ca] => 1
            [data] => Array
                (
                )

            [encoding] => utf-8
            [file] => 
            [headers] => Array
                (
                )

            [method] => GET
            [progress] => 
            [test] => 
            [timeout] => 10
            [url] => https://getkirby.com/security.json
        )

)

So this seems to work, and it works as well with my original host and the POST request that I was working with.

Just an idea: In the project where I have the issue, I'm working with a custom CMS installation path in Composer: "kirby-cms-path": "vendor/getkirby/cms". The cacert.pem is there, but could this be related to the issue in my original installation?

@lukasbestle
Member

Thanks for the additional details! It's actually great that it works with the Plainkit because that means that we now only need to find the difference between your site setup and the Plainkit.

I have tried to set up a Starterkit with a custom Composer installation path, but unfortunately that works on my machine, so I still cannot reproduce the issue.

Would it be possible for you to send me a reduced version of your site code (i.e. with the content removed and the code reduced so it barely still reproduces the issue with our getkirby.com test URL)? If so, please send me a link to a ZIP file via email to lukas at getkirby. I will treat any code you send me as confidential and won't share it with anyone else.

If that's not possible, we need a different way of tracking down the difference between the two sites.

@georgobermayr
Author

@lukasbestle Thank you, you've got mail ;-)

@lukasbestle
Member

With @georgobermayr's test site I was able to reproduce the error. The fix for this is in #2756.

@lukasbestle lukasbestle added type: bug 🐛 Is a bug; fixes a bug and removed type: regression 🚨 Is a regression between versions labels Aug 2, 2020
4 participants