Paypal Access - SSL certificate: unable to get local issuer certificate
Disclaimer: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/17478283/
Asked by Luca Pennisi
I'm working with cUrl and PHP to make a request to a server (for paypal access)
The PayPal developer website never mentions that an SSL certificate is required to use the PayPal Access API, however the code that I use to request the token is the following:
    $ch = curl_init();
    $options = array(
        CURLOPT_URL            => $url,        // token endpoint (see the PS below)
        CURLOPT_POST           => 1,
        CURLOPT_VERBOSE        => 1,
        CURLOPT_POSTFIELDS     => $postvals,   // request body, defined earlier
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_SSLVERSION     => 3            // 3 = CURL_SSLVERSION_SSLv3, an obsolete protocol
    );
    curl_setopt_array($ch, $options);
    $response = curl_exec($ch);
    echo curl_error($ch);
    curl_close($ch);
This echo outputs the following error:
SSL certificate problem: unable to get local issuer certificate
My questions are:
1) do I need SSL to use paypal access if I need only to get the user email?
2) if I do not need SSL, why does this error occur?
PS: the endpoint is the following: https://www.sandbox.paypal.com/webapps/auth/protocol/openidconnect/v1/tokenservice
Answered by oori
The correct solution is to fix your PHP setup. Setting CURLOPT_SSL_VERIFYPEER to false is a quick hack, but it's wrong, as you disable validation of the certificate by its certificate authority. This exposes you to a man-in-the-middle attack.
It's easy to fix (php 5.3.7 or higher) -
Download a list file with up-to-date certificate authorities, and add this setting to your php.ini: curl.cainfo=<path-to>cacert.pem
Restart your web server, and it'll work!
Answered by Marcin Orlowski
You may disable SSL verification (which is enabled by default as of cURL 7.10), by adding this:
CURLOPT_SSL_VERIFYPEER => false
to your $options, however the proper way is to keep validation enabled.
SECURITY NOTICE
If the remote site uses a certificate issued by a known CA but validation still fails, then most likely the certificate is incorrectly set up on the remote server (lack of intermediate certificates etc.). Alternatively your system has no idea about the Certificate Authority that signed the target's certificate. In such a case you should use php.ini's curl.cainfo (documentation) to point to a valid PEM file with all supported CAs - that would make your setup properly validate the issuer chain.
Please be aware that by setting CURLOPT_SSL_VERIFYPEER to false you are NOT solving the issue! You are working around it. This is all about security, so it's fine to do that for a while, but deploying that on production is not wise, politely speaking, as you will become open to a Man In The Middle Attack. You have been warned.
Answered by Truchainz
I had the same exact problem
Can't connect to PayPal to validate IPN message: SSL certificate: unable to get local issuer certificate
I used the code samples generated on paypal's github found here (I used PHP): https://github.com/paypal/ipn-code-samples
I downloaded both certs and tried testing both from curl: http://curl.haxx.se/docs/caextract.html
After about 2 hours of testing (using PayPal's IPN simulator) and googling, I found that PayPal IPN cannot be tested on localhost, so I pushed the code live and tried testing, but still got the same error (even with permissions set to 777).
When I set CURLOPT_SSL_VERIFYPEER to false, it worked, but this would defeat the purpose of having an SSL certificate.
After snooping around on my server's files, I found a curl-ca-bundle.crt file in my PHP folder. I decided to hardcode CURLOPT_CAINFO in my PayPal IPN script to that path. It finally worked!
I noticed this older .crt file included some certificates that weren't in the latest .crt file from the curl website. It was a bunch of certificates from verisign class 1, verisign class 2, verisign class 3 and verisign class 4.
Here's the complete list of the certificate names I added to curl's .crt file:
- Verisign Class 1 Public Primary Certification Authority
- Verisign Class 1 Public Primary Certification Authority - G2
- Verisign Class 1 Public Primary Certification Authority - G3
- Verisign Class 2 Public Primary Certification Authority - G2
- Verisign Class 2 Public Primary Certification Authority - G3
- Verisign Class 3 Public Primary Certification Authority
- Verisign Class 4 Public Primary Certification Authority - G2
This may have something to do with what @Andomar was saying - paypal's verisign certificate is not included in the default (by default I mean curl's default) list of safe certificates.
I didn't have the time to debug and figure out exactly which certificate is needed so I just included all of them.
For anyone who experiences this problem in the future, I would suggest getting the latest certs from curl and adding the certificates in the list above one by one until the error is gone.
Here's a link for some of those verisign certificates (you may need to google for the others not listed): www.symantec.com/page.jsp?id=roots
Note: To view PayPal's current certificates you can run this command in a terminal:
openssl s_client -connect paypal.com:443 -showcerts
If anyone has further insight to this issue, please comment as I spent hours to figure all of the above out.
Answered by Andomar
SSL certificate problem: unable to get local issuer certificate
Means that cUrl doesn't trust Verisign, the certificate authority that vouches for PayPal. As Marc B comments, cUrl no longer ships with trust for any certificate authority.
You can bypass the certificate chain validation with the option:
CURLOPT_SSL_VERIFYPEER => 0
To read how to configure cUrl so that it trusts Verisign, read the cUrl documentation.
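The chain-building rule behind the error discussed in the answers above (oori and Marcin Orlowski on fixing the CA bundle instead of disabling verification, Truchainz on adding missing roots to the bundle, Andomar on cURL's trust store) is the same in every TLS stack. As an added example that is not part of the original thread, here it is reproduced offline in Go, because Go's standard library can mint a throwaway root, intermediate and server certificate without touching the network or the openssl command line. The PKI (Test Root CA, Test Intermediate CA, a leaf for www.sandbox.paypal.com) is constructed for the example, and every function and variable name is this example's own. It walks the three situations a cURL client can be in: the server sends its intermediate and the root is in the bundle (the state curl.cainfo is meant to produce), the server omits the intermediate, and the root is absent from the bundle. The last two are the two causes Marcin distinguishes, and OpenSSL reports both as "unable to get local issuer certificate". verifyLikeCurl is the strict check that CURLOPT_SSL_VERIFYPEER=false throws away.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed test PKI (not PayPal's real chain): Test Root CA -> Test Intermediate CA -> leaf.
const testHost = "www.sandbox.paypal.com"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint creates a P-256 key and a cert for tmpl signed by parent/signer; nil parent and signer = self-signed.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newTestChain mints root, intermediate and server leaf in memory (valid for one day).
func newTestChain() (root, inter, leaf *x509.Certificate) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	root, rootKey := mint(caTmpl(1, "Test Root CA"), nil, nil)
	inter, interKey := mint(caTmpl(2, "Test Intermediate CA"), root, rootKey)
	leaf, _ = mint(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: testHost}, DNSNames: []string{testHost},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, interKey)
	return root, inter, leaf
}

// issuerIn returns the first certificate in pool that signed c, or nil.
func issuerIn(c *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, cand := range pool {
		if c.CheckSignatureFrom(cand) == nil {
			return cand
		}
	}
	return nil
}

// describeFailure walks from the leaf towards a root, taking each issuer from the local bundle first and
// then from what the server sent; the chain is good only if it ends at a self-signed CA in the bundle.
func describeFailure(leaf *x509.Certificate, sent, bundle []*x509.Certificate) (outcome, cert string) {
	cur := leaf
	for depth := 0; depth < 8; depth++ { // bounded: real bundles contain cross-signed loops
		iss := issuerIn(cur, bundle)
		if iss == nil {
			iss = issuerIn(cur, sent)
		}
		if iss == nil { // OpenSSL: "unable to get local issuer certificate" (omitted intermediate or unknown root)
			return "missing issuer", cur.Issuer.CommonName
		}
		if iss.CheckSignatureFrom(iss) == nil { // reached a self-signed root
			if issuerIn(iss, bundle) != nil {
				return "ok", iss.Subject.CommonName
			}
			return "untrusted root", iss.Subject.CommonName // OpenSSL: "self signed certificate in certificate chain"
		}
		cur = iss
	}
	return "chain too long", cur.Subject.CommonName
}

// verifyLikeCurl is what CURLOPT_SSL_VERIFYPEER=1 plus CURLOPT_SSL_VERIFYHOST=2 (cURL's defaults) do:
// chain validation against the bundle and a hostname check. Skipping it is the VERIFYPEER=0 "fix".
func verifyLikeCurl(leaf *x509.Certificate, sent, bundle []*x509.Certificate, host string) error {
	pool := func(cs []*x509.Certificate) *x509.CertPool { // always non-nil: never fall back to system roots
		p := x509.NewCertPool()
		for _, c := range cs {
			p.AddCert(c)
		}
		return p
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool(bundle), Intermediates: pool(sent)})
	return err
}

func main() {
	root, inter, leaf := newTestChain()
	for _, tc := range [][2][]*x509.Certificate{{{inter}, {root}}, {nil, {root}}, {{inter}, nil}} { // {sent, bundle}
		outcome, cert := describeFailure(leaf, tc[0], tc[1])
		fmt.Printf("%-15s %-22s strict verify: %v\n", outcome, cert, verifyLikeCurl(leaf, tc[0], tc[1], testHost))
	}
}
```

Run it with `go run`; each line prints the walk's verdict, the certificate that decided it, and the result of the strict check. One difference worth knowing: Go's x509.Verify accepts any certificate placed in Roots as a trust anchor, whereas OpenSSL (and therefore PHP's cURL) by default needs the chain to reach a self-signed certificate in the bundle, which is why describeFailure only reports "ok" when it arrives at a self-signed CA that is in the bundle. Copying an intermediate into cacert.pem, as Truchainz did with the VeriSign certificates, lets OpenSSL find that issuer locally, but the root above it still has to be in the bundle.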