当前位置:theitroad>php SSL 对等证书或 SSH 远程密钥不正确

php SSL 对等证书或 SSH 远程密钥不正确

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/14192837/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-08-25 06:49:49  来源:igfitidea点击:

SSL peer certificate or SSH remote key was not OK

phpapachesslcurl

提问by WonderLand

I'm testing an API that uses curl_execphp function and a CA certificate but something is going wrong and I'm a little lost.

我正在测试一个使用curl_execphp 函数和 CA 证书的 API,但出了点问题,我有点迷茫。

I have configured SSL on my apache VirtualHost and looks ok ( opening https:://[myVHost]... works ).

我已经在我的 apache VirtualHost 上配置了 SSL 并且看起来没问题(打开https:://[myVHost]......工作)。

However the API curl call give me back this message:

但是 API curl 调用给了我这条消息:

  • SSL peer certificate or SSH remote key was not OK
  • SSL peer certificate or SSH remote key was not OK

I'm not very experienced with SSL so I have few ideas about the cause of that.

我对 SSL 不是很有经验,所以我对它的原因知之甚少。

UPDATE:

更新:

This is the code I'm using in my cURL request, I have commented 2 lines and changes their value (look at 'TODO' line ) and in this way it is working, however this is just a work arround ...

这是我在 cURL 请求中使用的代码,我注释了 2 行并更改了它们的值(查看“TODO”行),这样它就可以工作,但这只是一个工作...

$opts[CURLOPT_URL] = $url;
    $opts[CURLOPT_RETURNTRANSFER] = true;
    $opts[CURLOPT_CONNECTTIMEOUT] = 50;
    $opts[CURLOPT_TIMEOUT] = 100;
    $headers = array(
        'Accept: application/json',
        "User-Agent: APIXXX-PHP-Client");
    $opts[CURLOPT_HTTPHEADER] = $headers;
    $opts[CURLOPT_USERPWD] = $env->getApiKey() . ':';
    if (certificatePresent()) {

        //  $opts[CURLOPT_SSL_VERIFYPEER] = true;
        //  $opts[CURLOPT_SSL_VERIFYHOST] = 2;

        // TODO: SET IT BACK
        $opts[CURLOPT_SSL_VERIFYPEER] = 0;
        $opts[CURLOPT_SSL_VERIFYHOST] = 0;

        $opts[CURLOPT_CAINFO] = $path

      }

    curl_setopt_array($curl, $opts);

    $response = curl_exec($curl);

采纳答案by Daniel Milde

You are probably using self-signed SSL certifiacate, which will not pass when the CURLOPT_SSL_VERIFYPEER options is set.

您可能正在使用自签名 SSL 证书,当设置 CURLOPT_SSL_VERIFYPEER 选项时,它不会通过。

There are two solutions:

有两种解决方案:

  1. Buy valid SSL certificate.
  2. Disable SSL verification in Curl. (add --insecure option)
  1. 购买有效的 SSL 证书。
  2. 在 Curl 中禁用 SSL 验证。(添加 --insecure 选项

If you disable verification, you can't be sure if you are really communicating with your host. So it depends on level of security you need.

如果您禁用验证,则无法确定您是否真的在与您的主机通信。因此,这取决于您需要的安全级别。

回答by waibelp

Beside CURLOPT_SSL_VERIFYPEERthere are two other settings which might be changed to false/0:

除了CURLOPT_SSL_VERIFYPEER其他两个设置可能会更改为false/ 0

CURLOPT_SSL_VERIFYHOST
CURLOPT_SSL_VERIFYSTATUS

Beware that you should fix your SSL certificates & settings instead of disable security!

请注意,您应该修复 SSL 证书和设置,而不是禁用安全性!

回答by rrsuj

Although I am answering an old post, I think it will help the new viewers-

虽然我在回答一个旧帖子,但我认为它会对新观众有所帮助-

You can check the problem by adding

您可以通过添加来检查问题

$opts[CURLOPT_VERBOSE] = 1

For self signed certificate your client may connect with the server using IP address, because the host name is not available in DNS cache. In that case the COMMON NAME(CN) of your server certificate needs to match with the Server IP (put IP address as common name when generating the server certificate). When you do it correctly, you can see this message:

对于自签名证书,您的客户端可能会使用 IP 地址与服务器连接,因为主机名在 DNS 缓存中不可用。在这种情况下,您的服务器证书的 COMMON NAME(CN) 需要与服务器 IP 匹配(在生成服务器证书时将 IP 地址作为通用名称)。当您正确执行此操作时,您可以看到此消息:

common name: 192.168.0.1 (matched)

通用名称:192.168.0.1(匹配)

Here 192.168.0.1 is an example.

这里 192.168.0.1 是一个例子。

回答by Jhong

You're right to want to enable SSL_VERIFYPEERif you are worried about man-in-the-middle attacks.

SSL_VERIFYPEER如果您担心中间人攻击,那么您想要启用是正确的。

Is your $pathset to point to the certificate (or certificate bundle) provided by the API owner? Is that certificate readable by the web server user? If so, have you verified that the certificate(s) is the same as when you visit the https address manually in a browser and inspect the certificate?

您是否$path设置为指向 API 所有者提供的证书(或证书包)?Web 服务器用户可以读取该证书吗?如果是这样,您是否确认证书与您在浏览器中手动访问 https 地址并检查证书时相同?

If you can't get it to work, and the API you are connecting to has a SSL certificate that works in your normal browser without warnings, you should be able to set $pathto your CA root bundle on your server.

如果你不能让它工作,并且你连接的 API 有一个 SSL 证书,可以在你的普通浏览器中正常工作而没有警告,你应该能够$path在你的服务器上设置你的 CA 根包。

回答by Abhishek

You can build a valid SSL certificate and ensure that it is stored in the trusted folder.

您可以构建有效的 SSL 证书并确保它存储在受信任的文件夹中。

Valid SSL certificate can be created by including the following command in the developer command prompt of VS2012. (This can be obtained by typing developer in the start)

可以通过在 的开发人员命令提示符中包含以下命令来创建有效的 SSL 证书VS2012。(这可以通过在开始输入 developer 来获得)

The following command creates a self-signed certificate that can be used to test a web application that uses Secure Sockets Layer (SSL) on a web server whose URL is www.example.com. The OID defined by the -ekuoption identifies that certificate as an SSL server certificate. The certificate is stored in the my store and is available at the machine (rather than user) level. The certificate's private key is exportable, and the certificate is valid from May 10, 2010 through December 22, 2011.

以下命令创建一个自签名证书,该证书可用于测试在 URL 为 的 Web 服务器上使用安全套接字层 (SSL) 的 Web 应用程序www.example.com。该-eku选项定义的 OID将该证书标识为SSL server certificate. 证书存储在 my store 中,可在机器(而不是用户)级别使用。证书的私钥是可导出的,并且证书的有效期从May 10, 2010 through December 22, 2011.

Makecert -r -pe -n CN="www.example.com" -b 05/10/2010 -e 12/22/2011 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

Makecert -r -pe -n CN="www.example.com" -b 05/10/2010 -e 12/22/2011 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel 加密提供程序" -sy 12

For more on how to create the SSL certificate

有关如何创建SSL 证书的更多信息

Now make sure that this certificate is trusted, this can be done by typing CERTMGRin the cmd..

现在确保这个证书是可信的,这可以通过输入CERTMGRcmd..

now the cert created is in the PERSONAL folder.. copy it and paste it to the TRUSTED PEOPLE FOLDER.

现在创建的证书位于 PERSONAL 文件夹中。将其复制并粘贴到受信任的人文件夹中。

This should do the trick. Let me know if that doesn't work.

这应该可以解决问题。如果这不起作用,请告诉我。

回答by Andrew

I had the same issue. I follow the instruction here: http://siteber.com/download-failed-ssl-peer-certificate-or-ssh-remote-key-was-not-ok/and it fixed mine.

我遇到过同样的问题。我按照这里的说明进行操作:http: //siteber.com/download-failed-ssl-peer-certificate-or-ssh-remote-key-was-not-ok/它修复了我的。

basically I went to /etc/resolv.conf

基本上我去了/etc/resolv.conf

and Replace any

并替换任何

OpenDNS server:

OpenDNS 服务器:

208.67.222.222

208.67.222.222

208.67.220.220

208.67.220.220

With

Google's public DNS servers:

Google 的公共 DNS 服务器:

nameserver 8.8.8.8 nameserver 8.8.4.4

名称服务器 8.8.8.8 名称服务器 8.8.4.4

相关推荐

如何在 php 中为 unix 时间戳添加 24 小时?

如何在 php 中为 unix 时间戳添加 24 小时?

php 导出到 csv wordpress

php 导出到 csv wordpress

php strtolower 函数的问题

php strtolower 函数的问题

php 如何从codeigniter中的另一个控制器加载控制器?

php 如何从codeigniter中的另一个控制器加载控制器?