Error using ssl cert with PHP

Notice: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original address: http://stackoverflow.com/questions/809682/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-08-24 23:55:17  Source: igfitidea


php sockets ssl

Asked by Jamey McElveen

I am new to php and I am getting this error trying to load a cert


jameys-macbookpro41:~ user$ php -f ~/Sites/providerService.php

Warning: stream_socket_client(): Unable to set local cert chain file `cert.pem'; Check that your cafile/capath settings include details of your certificate and its issuer in /Users/jamey/Sites/providerService.php on line 27


cert.pem is in the same folder as the php file. the file cert.pem was created in the Apple keychain tool


class pushNotifications {
...
     private $sslPem = 'cert.pem';
...
     function connectToAPNS(){
          $streamContext = stream_context_create();
          // 'cert.pem' is a relative path, so PHP resolves it against the
          // process's current working directory, not this script's directory
          stream_context_set_option($streamContext, 'ssl', 
             'local_cert', $this->sslPem);
     }
}

Thanks for any help!


Answered by Jordan S. Jones

You are getting an error because it's trying to find your cert.pem file in the directory you are running the script from, not the directory the script is in. In your example, it is your user directory "~".


Try changing your class to this, or something similar:


class pushNotifications {
...
     private $sslPem = 'cert.pem';
...
     function connectToAPNS(){
          $streamContext = stream_context_create();
          // dirname(__FILE__) anchors the path to this script's own directory,
          // so the file is found regardless of the working directory
          stream_context_set_option($streamContext, 'ssl', 'local_cert', dirname(__FILE__) . '/' . $this->sslPem);
     }
}
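As an added example (not code from the question or from Jordan S. Jones's answer), the same connect routine with the certificate path resolved against the script's own directory, a readability check before the handshake so the failure is reported with the full path, and server verification left switched on. The gateway address is a placeholder and the `$passphrase` parameter is an assumption for the case where the key inside the PEM was left encrypted:

```php
<?php
// Added example, not code from the original question or answer.
// Assumptions: cert.pem sits next to this script; the gateway address
// below is a placeholder to be replaced with the real push endpoint.

class PushNotifications
{
    private $sslPem = 'cert.pem';
    // Placeholder endpoint (assumption), not a real push gateway.
    private $gateway = 'ssl://push-gateway.example.invalid:2195';

    // Resolve the PEM against the script's directory rather than the
    // process's current working directory, so `php -f` works from anywhere.
    private function certPath()
    {
        $path = __DIR__ . DIRECTORY_SEPARATOR . $this->sslPem;
        if (!is_readable($path)) {
            throw new RuntimeException("client certificate not readable: $path");
        }
        return $path;
    }

    // Open the TLS client connection. $passphrase is only needed when
    // key.pem was left encrypted when the combined PEM was built.
    public function connectToAPNS($passphrase = null)
    {
        $ssl = array(
            'local_cert'       => $this->certPath(),
            'verify_peer'      => true,   // keep server verification on
            'verify_peer_name' => true,
            // 'cafile' => '/path/to/ca-bundle.pem', // set only if the system
            // trust store lacks the gateway's issuer (the cafile/capath hint
            // in the warning refers to this option)
        );
        if ($passphrase !== null) {
            $ssl['passphrase'] = $passphrase;
        }
        $context = stream_context_create(array('ssl' => $ssl));

        $errno = 0;
        $errstr = '';
        $fp = stream_socket_client(
            $this->gateway, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context
        );
        if ($fp === false) {
            throw new RuntimeException("connect failed ($errno): $errstr");
        }
        return $fp;
    }
}

// Usage (passphrase value is constructed):
// $apns = new PushNotifications();
// $stream = $apns->connectToAPNS('passphrase-if-any');
```

Throwing on an unreadable file before calling `stream_socket_client()` separates "wrong path or wrong permissions" from "bad certificate", which are the two causes the answers on this page keep circling around.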

Answered by sluther

I was having this issue as well, it turns out that for some reason my private key didn't match the one associated with the aps_developer_identity.cer I had...


I ended up clearing allof my public and private keys from my 'login' keychain item, then I started the entire process over again (Generated the request)...I submitted the new request file on the program portal and generated a new certificate, downloaded, and installed it by double-clicking it (developer_identity.cer). Then, I reset the provisioning profiles to use the new Push SSL certs, downloaded those, and installed them by double-clicking (aps_developer_identity.cer). Finally, I reset the provisioning profile and downloaded the new one. I cleared out the old one in the Xcode Organizer, and installed the new one. Finally, I exported my 'private' key as key.p12 and my aps_developer_identity.cer as apsdi.p12, and ran the following commands against them:


openssl pkcs12 -clcerts -nokeys -out apsdi.pem -in apsdi.p12
openssl pkcs12 -nocerts -out key.pem -in key.p12

If you're okay using a passphrase (recommended for production):


cat apsdi.pem key.pem > cert.pem

If you wish to use a 'blank' passphrase, you'll need to unencrypt your private key first, using the password you specified when you converted it to pem format:


openssl rsa -in key.pem -out key.unencrypted.pem

And then cat the cert and unencrypted key into apns.pem (or whatever filename you have chosen):


cat apsdi.pem key.unencrypted.pem > apns.pem

It's very important that you export your aps_developer_identity certificate, not your developer_identity certificate, as apsdi.pem.


If you can expand your developer_identity.cer and aps_developer_identity.cer entries in Keychain Access, and you see a 'private' key when you do, everything should work.


Answered by Noone

As a complementary tip, for anyone having the same issue: when exporting the private key from Apple's keychain access, and converting to .pem, SPECIFY A PASSWORD.


For some reason, it seems leaving a blank password in one of the exports removes the private key, thus the final .pem is not complete.


So put a dummy password, even if you later remove it using openssl.

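As an added pre-flight check (not code from sluther's or Noone's answers), a function that inspects the combined PEM before it is handed to `local_cert`: it confirms both a certificate block and a private key block are present (the key block is what a blank-password export drops), that the key actually belongs to the certificate (the mismatch sluther ran into), reports the subject so you can see you exported aps_developer_identity rather than developer_identity, flags an expired certificate, and warns if other local users can read the file. The path and passphrase in the usage line are constructed:

```php
<?php
// Added example, not code from the original answers. It assumes a combined
// PEM built as in sluther's answer (certificate block followed by the key
// block), e.g. cert.pem or apns.pem, and a passphrase if the key is encrypted.

// Returns an array with 'problems' (empty when the file is usable), plus the
// certificate subject and expiry so the caller can confirm which certificate
// was exported.
function checkClientPem($path, $passphrase = '')
{
    $result = array('problems' => array(), 'subject' => null, 'expires' => null);

    if (!is_readable($path)) {
        $result['problems'][] = "file not readable: $path";
        return $result;
    }
    $pem = file_get_contents($path);

    // Both blocks must be present. A missing key block is what an export
    // with a blank password produces; PHP then reports
    // "Unable to set local cert chain file".
    if (strpos($pem, '-----BEGIN CERTIFICATE-----') === false) {
        $result['problems'][] = 'no CERTIFICATE block in file';
    }
    if (strpos($pem, 'PRIVATE KEY-----') === false) {
        $result['problems'][] = 'no PRIVATE KEY block in file (re-export the key with a password)';
    }
    if ($result['problems']) {
        return $result;
    }

    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        $result['problems'][] = 'certificate does not parse: ' . openssl_error_string();
    }
    $key = openssl_pkey_get_private($pem, (string) $passphrase);
    if ($key === false) {
        $result['problems'][] = 'private key does not parse (wrong passphrase?): ' . openssl_error_string();
    }
    // The key must be the one the certificate was issued for.
    if ($cert !== false && $key !== false && !openssl_x509_check_private_key($cert, $key)) {
        $result['problems'][] = 'private key does not belong to this certificate';
    }

    if ($cert !== false) {
        $info = openssl_x509_parse($cert);
        $result['subject'] = $info['name'];
        $result['expires'] = date('c', $info['validTo_time_t']);
        if ($info['validTo_time_t'] < time()) {
            $result['problems'][] = 'certificate expired on ' . $result['expires'];
        }
    }

    // The file holds a private key: only the account running PHP should be
    // able to read it (e.g. mode 0400 owned by the web server user).
    $mode = fileperms($path) & 0777;
    if ($mode & 0077) {
        $result['problems'][] = sprintf('mode %04o is group/world accessible', $mode);
    }

    return $result;
}

// Usage (constructed path and passphrase; run this before connecting):
// $check = checkClientPem(__DIR__ . '/cert.pem', 'passphrase-if-any');
// print_r($check);
```

Compare the reported subject against the certificate you see under the aps_developer_identity entry in Keychain Access; if it matches the developer identity instead, the wrong item was exported as apsdi.p12.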

Answered by kotresh kumar

Just change the owner to www-data It will work :)


sudo chown www-data.www-data ck.pem


default user of apache www-data


Answered by shul

Notes for the future (after having a big headache because of all of this):

1. if you get the handshake error - the pem file you created is probably wrong.
   a. make sure the file is in the same directory as the php you are trying to run.
   b. export the certificate p12 file AND the key under it in the keychain access utility. Both of these files will be the SAME size, but they ARE different.
   c. do the above "openssl" commands in the macintosh terminal.
2. currently, all I can do is run the php as sudo, because of the chmod 400 for ck.pem. something got to give...

btw, the message "Failed to enable crypto" will disappear when the system runs correctly.
