PHP CURL 和 SSL 证书(或证书链)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7130271/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP CURL and SSL certificate (or cert chain)
提问by artvolk
Good day!
再会!
I've REST API which is accessible via SSL (https://). I'd like to put correct cert (or cert chain) along with my scripts written PHP and CURL to make request.
我有可通过 SSL (https://) 访问的 REST API。我想将正确的证书(或证书链)与我编写的 PHP 和 CURL 脚本一起放置以发出请求。
Here are how certs from my target (http://api.vkontakte.ru) look like in Firefox:
以下是来自我的目标 ( http://api.vkontakte.ru) 的证书在 Firefox 中的样子:
http://speedcap.net/img/bc687485819715c65d6fe1e4ca1fdc40/1a2be.png
http://speedcap.net/img/bc687485819715c65d6fe1e4ca1fdc40/1a2be.png
Here is a snippet from saved "cert chain X.509 in PEM format" from Firefox (described here: http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/):
这是 Firefox 中保存的“PEM 格式的证书链 X.509”的片段(此处描述:http: //unitstep.net/blog/2009/05/05/using-curl-in-php-to-access- https-ssltls-protected-sites/):
-----BEGIN CERTIFICATE-----
MIIFVzCCBD+gAwIBAgIHKx5Ov2FOejANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
[..skip...]
0npsf5fkvT8E13NgVY0PK6V/baMTlTgWXKQZ
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
[..skip...]
qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
U+4=
-----END CERTIFICATE-----
Here is code example of CURL init:
这是 CURL init 的代码示例:
$this->ch = curl_init();
curl_setopt_array($this->ch, array(
CURLOPT_TIMEOUT => 30,
CURLOPT_RETURNTRANSFER => TRUE,
CURLOPT_AUTOREFERER => TRUE,
CURLOPT_FOLLOWLOCATION => TRUE,
CURLOPT_SSL_VERIFYPEER => TRUE,
CURLOPT_SSL_VERIFYHOST => 2,
CURLOPT_CAINFO => <path to my cert>,
));
I've got CURL error 60 (CURLE_SSL_CACERT) complaining about wron cert.
我有 CURL 错误 60 ( CURLE_SSL_CACERT) 抱怨错误的证书。
What I've tried:
我试过的:
I've verified that my cert file is used, because when I specify wrong path it complains that it can't find cert (error 70)
I've checked with Facebook SDK and their cert chain that my CURL works with such setup
I've tried to export different chains (including or excluding) last cert in chain
Tried
CURLOPT_SSL_VERIFYHOST => 1.
我已经验证我的证书文件已被使用,因为当我指定错误的路径时,它会抱怨它找不到证书(错误 70)
我已经检查了 Facebook SDK 和他们的证书链,我的 CURL 可以使用这样的设置
我试图导出不同的链(包括或排除)链中的最后一个证书
试过了
CURLOPT_SSL_VERIFYHOST => 1。
Any ideas are welcome!
欢迎任何想法!
回答by msangel
Vkontakte moved from vkontakte.ru domain to vk.com few years ago. And they change their api handler url too. This is my solution:
几年前,Vkontakte 从 vkontakte.ru 域名转移到了 vk.com。他们也更改了他们的 api 处理程序 url。这是我的解决方案:
- Open https://vk.com/in firefox
- Export cert chain as X.509 for this site
- Change target url from http://api.vkontakte.ruto https://api.vk.com/
- 在 Firefox 中打开https://vk.com/
- 将此站点的证书链导出为 X.509
- 将目标网址从http://api.vkontakte.ru更改为https://api.vk.com/
This is my code with curl options:
这是我的带有 curl 选项的代码:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() ."/ffchainvk.crt"); // ok
Where ffchainvk.crtis file with exported cert chain.
ffchainvk.crt导出证书链的文件在哪里。
回答by memnoch_proxy
Curl uses CA certificates in a separate location on the server than what the rest of the system, like a desktop would. I have had to install CA certificates into the filesystem before. PHP libcurl will use the libraries that the command line utility uses as well. Please see http://curl.haxx.se/docs/sslcerts.html.
Curl 在服务器上的一个单独位置使用 CA 证书,而不是系统的其余部分,就像桌面一样。我之前不得不将 CA 证书安装到文件系统中。PHP libcurl 也将使用命令行实用程序使用的库。请参阅http://curl.haxx.se/docs/sslcerts.html。
回答by Frank Forte
These are the steps that appear to work:
这些是似乎有效的步骤:
- Visit the https url in firefox
- Click the green bar, click the arrow, then "more information"
- Click "View Certificate" then click "details" tab at the top
Then click each level and export everycertificate:
Root CA
Server CAand
example-website.invalid.
You should save all three files to your computer. Copy all three files into a single file, e.g.
custom_name_cert.pem
- 在 Firefox 中访问 https url
- 单击绿色栏,单击箭头,然后单击“更多信息”
- 单击“查看证书”,然后单击顶部的“详细信息”选项卡
然后单击每个级别并导出每个证书:
根CA
服务器 CA和
示例-website.invalid。
您应该将所有三个文件都保存到您的计算机上。将所有三个文件复制到一个文件中,例如
custom_name_cert.pem
Copy that pem file into a directory that is accessible with PHP, ideally the file has permissions 644. You might even go for 444 to prevent tampering, and change it to 644 when you need to update it.
将该 pem 文件复制到 PHP 可访问的目录中,理想情况下该文件的权限为 644。您甚至可以选择 444 以防止篡改,并在需要更新时将其更改为 644。
Then update the path in your code, for example:
然后更新代码中的路径,例如:
CURLOPT_CAINFO => '/var/www/certs/custom_name_cert.pem'
CURLOPT_CAINFO => '/var/www/certs/custom_name_cert.pem'
WARNING:When the website updates their SSL certificates, the above file may become out of date, and the HTTPS cURL calls may fail, breaking your application. Hopefully someone will answer here with a good way to automate updates to this file.
警告:当网站更新其 SSL 证书时,上述文件可能会过期,并且 HTTPS cURL 调用可能会失败,从而破坏您的应用程序。希望有人会在这里回答一个自动更新此文件的好方法。
