Error: SSL peer certificate or SSH remote key was not OK

I'm testing an API that uses the curl_exec PHP function and a CA certificate, but something is going wrong and I'm a little lost.

I have configured SSL on my Apache VirtualHost and it looks ok (opening https://[myVHost]… works).

However the API curl call gives me back this message:

  • SSL peer certificate or SSH remote key was not OK

I’m not very experienced with SSL so I have few ideas about the cause of that.

UPDATE:

This is the code I'm using in my cURL request. I have commented out 2 lines and changed their values (look at the 'TODO' line) and in this way it is working, however this is just a workaround …

    $opts[CURLOPT_URL] = $url;
    $opts[CURLOPT_RETURNTRANSFER] = true;
    $opts[CURLOPT_CONNECTTIMEOUT] = 50;
    $opts[CURLOPT_TIMEOUT] = 100;
    $headers = array(
        'Accept: application/json',
        "User-Agent: APIXXX-PHP-Client");
    $opts[CURLOPT_HTTPHEADER] = $headers;
    $opts[CURLOPT_USERPWD] = $env->getApiKey() . ':';
    if (certificatePresent()) {

        //  $opts[CURLOPT_SSL_VERIFYPEER] = true;
        //  $opts[CURLOPT_SSL_VERIFYHOST] = 2;

        // TODO: SET IT BACK
        // Workaround: both checks are off, so the CA file below is never consulted.
        $opts[CURLOPT_SSL_VERIFYPEER] = 0;
        $opts[CURLOPT_SSL_VERIFYHOST] = 0;

        $opts[CURLOPT_CAINFO] = $path;
    }

    curl_setopt_array($curl, $opts);

    $response = curl_exec($curl);

asked Jan 7, 2013 at 9:11 by WonderLand

You are probably using a self-signed SSL certificate, which will not pass when the CURLOPT_SSL_VERIFYPEER option is set.

There are two solutions:

  1. Set up valid SSL certificate.
  2. Disable SSL verification in curl (add the --insecure option).

If you disable verification, you can’t be sure if you are really communicating with your host.
So it depends on level of security you need.

answered Dec 29, 2013 at 13:18 by Daniel Milde
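A third option, which keeps the protection this answer warns about losing, is to leave verification on and point CURLOPT_CAINFO at the self-signed certificate itself (or at the private CA that issued it), so curl trusts exactly that peer and nothing else. The following is an added example, not code from the question or from this answer; the URL, the API key and the CA file path are placeholder assumptions.

```php
<?php
// Added example: strict TLS verification with an explicit trust anchor.
// $url, $apiKey and $caFile are placeholders, not values from the question.

/**
 * GET $url with peer and host verification on, trusting only the PEM file
 * $caFile (the self-signed server certificate, or the private CA that issued it).
 * Returns the response, or a structured description of why curl refused the peer.
 */
function fetch_verified(string $url, string $apiKey, string $caFile): array
{
    if (!is_readable($caFile)) {
        // A CA file the web server user cannot read surfaces as a certificate
        // error, so it is checked explicitly before curl gets involved.
        return ['ok' => false, 'stage' => 'config', 'error' => "CA file not readable: $caFile"];
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        CURLOPT_USERPWD        => $apiKey . ':',
        // Keep both checks on. VERIFYHOST must be 2; the value 1 never
        // verified anything and libcurl treats it as 2 since 7.66.0.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caFile,
        // On success, record the chain the server presented so it can be
        // compared with what a browser shows. After a failed handshake libcurl
        // has nothing to report here; use CURLOPT_VERBOSE for that case.
        CURLOPT_CERTINFO       => true,
    ]);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    $info  = curl_getinfo($ch);
    curl_close($ch);

    if ($errno !== 0) {
        // "SSL peer certificate or SSH remote key was not OK" is
        // CURLE_PEER_FAILED_VERIFICATION: code 51 in older libcurl, code 60
        // since 7.62.0 (where it absorbed CURLE_SSL_CACERT).
        $verifyFailure = in_array($errno, [CURLE_SSL_PEER_CERTIFICATE, CURLE_SSL_CACERT], true);
        return [
            'ok'    => false,
            'stage' => $verifyFailure ? 'tls-verify' : 'transport',
            'errno' => $errno,
            'error' => $error,
        ];
    }

    return [
        'ok'       => true,
        'status'   => $info['http_code'],
        'body'     => $body,
        'certinfo' => $info['certinfo'] ?? [],
    ];
}

// Usage with placeholder values:
$result = fetch_verified('https://api.example.test/v1/account', 'API_KEY', '/etc/ssl/certs/api-ca.pem');
if (!$result['ok']) {
    fwrite(STDERR, "{$result['stage']} (curl {$result['errno']}): {$result['error']}\n");
    exit(1);
}
foreach ($result['certinfo'] as $cert) {
    fwrite(STDERR, "peer sent: {$cert['Subject']} (issuer: {$cert['Issuer']})\n");
}
echo $result['body'], PHP_EOL;
```

The 'stage' value separates a verification refusal from an ordinary network failure, which is the distinction the original question could not make once both checks were set to 0: with verification off, curl_exec would have reported nothing at all about the certificate.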

Besides CURLOPT_SSL_VERIFYPEER there are two other settings which might be changed to false/0:

CURLOPT_SSL_VERIFYHOST
CURLOPT_SSL_VERIFYSTATUS

Beware that you should fix your SSL certificates and settings instead of disabling security!

answered Sep 21, 2017 at 9:50 by waibelp

Although I am answering an old post, I think it will help new viewers.

You can check the problem by adding

$opts[CURLOPT_VERBOSE] = 1;

For a self-signed certificate your client may connect to the server using an IP address, because the host name is not available in the DNS cache. In that case the COMMON NAME (CN) of your server certificate needs to match the server IP (put the IP address as the common name when generating the server certificate). When you do it correctly, you can see this message:

common name: 192.168.0.1 (matched)

Here 192.168.0.1 is an example.

answered Mar 8, 2017 at 13:45 by rrsuj

You’re right to want to enable SSL_VERIFYPEER if you are worried about man-in-the-middle attacks.

Is your $path set to point to the certificate (or certificate bundle) provided by the API owner? Is that certificate readable by the web server user? If so, have you verified that the certificate(s) is the same as when you visit the https address manually in a browser and inspect the certificate?

If you can't get it to work, and the API you are connecting to has an SSL certificate that works in your normal browser without warnings, you should be able to set $path to your CA root bundle on your server.

answered May 19, 2014 at 4:10 by Jhong
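The two answers above ask whether the certificate in $path is readable and whether it names the host being connected to. With CURLOPT_SSL_VERIFYHOST set to 2, curl compares the host in the URL against the certificate's subjectAltName entries (an IP literal only against an iPAddress entry) and falls back to the CN only when the certificate carries no SAN at all, so a certificate with the IP written only into its CN passes curl solely because it has no SAN, and browsers reject it. The script below is an added example, not code from either answer: it generates a throwaway self-signed certificate so it runs offline, then checks readability and applies curl's matching rules. The host names and the IP address are constructed sample values.

```php
<?php
// Added example, not code from the answers. Generates a throwaway self-signed
// certificate (so the script runs offline) and then answers two questions about a
// certificate file: can this process read it, and would curl's host check accept
// it for the host in the URL? Host names and the IP below are constructed samples.

/** Names the certificate is valid for: SAN dNSName/iPAddress entries, then the CN. */
function certificate_names(string $pem): array
{
    $parsed = openssl_x509_parse($pem);
    if ($parsed === false) {
        throw new RuntimeException('not a parseable PEM certificate');
    }
    $names = [];
    // PHP renders the extension as "DNS:api.example.test, IP Address:192.168.0.1"
    foreach (explode(',', $parsed['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = ['dns', strtolower(substr($entry, 4))];
        } elseif (stripos($entry, 'IP Address:') === 0) {
            $names[] = ['ip', substr($entry, 11)];
        }
    }
    $cn = $parsed['subject']['CN'] ?? '';
    if (is_string($cn) && $cn !== '') {
        $names[] = ['cn', strtolower($cn)];
    }
    return $names;
}

/** Wildcard rule curl applies: "*.example.com" covers exactly one extra label. */
function dns_name_matches(string $pattern, string $host): bool
{
    if ($pattern === $host) {
        return true;
    }
    if (strpos($pattern, '*.') !== 0) {
        return false;
    }
    $suffix = substr($pattern, 1);                   // ".example.com"
    if (substr_count($suffix, '.') < 2) {
        return false;                                // refuse "*.com"
    }
    $len = strlen($suffix);
    if (strlen($host) <= $len || substr($host, -$len) !== $suffix) {
        return false;
    }
    return strpos(substr($host, 0, -$len), '.') === false;
}

/**
 * Would CURLOPT_SSL_VERIFYHOST=2 accept this certificate for $host?
 * An IP literal matches only an iPAddress SAN, a DNS name only a dNSName SAN;
 * the CN is consulted only when the certificate carries no SAN at all.
 */
function certificate_matches_host(string $pem, string $host): bool
{
    $names  = certificate_names($pem);
    $host   = strtolower(trim($host, '[]'));
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $hasSan = count(array_filter($names, function ($n) { return $n[0] !== 'cn'; })) > 0;

    foreach ($names as [$kind, $value]) {
        if ($kind === 'ip' && $isIp && inet_pton($value) === inet_pton($host)) {
            return true;
        }
        if ($kind === 'dns' && !$isIp && dns_name_matches($value, $host)) {
            return true;
        }
        if ($kind === 'cn' && !$hasSan                       // legacy CN fallback
            && ($isIp ? $value === $host : dns_name_matches($value, $host))) {
            return true;
        }
    }
    return false;
}

/** Throwaway self-signed certificate with the given CN and subjectAltName list. */
function make_self_signed(string $cn, string $san): string
{
    $cfg = tempnam(sys_get_temp_dir(), 'ossl');
    file_put_contents($cfg, "[req]\ndistinguished_name = dn\n[dn]\ncommonName = Common Name\n"
        . "[v3_req]\nsubjectAltName = $san\n");
    $opts = ['config' => $cfg, 'digest_alg' => 'sha256',
             'req_extensions' => 'v3_req', 'x509_extensions' => 'v3_req'];
    $key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr  = openssl_csr_new(['commonName' => $cn], $key, $opts);
    $cert = openssl_csr_sign($csr, null, $key, 30, $opts);
    openssl_x509_export($cert, $pem);
    unlink($cfg);
    return $pem;
}

// Constructed sample: the CN names the API host and the SAN adds an IP address.
$pem  = make_self_signed('api.example.test', 'DNS:api.example.test,IP:192.168.0.1');
$path = tempnam(sys_get_temp_dir(), 'ca');          // stands in for the $path of the question
file_put_contents($path, $pem);

printf("%s readable by this PHP process: %s\n", $path, is_readable($path) ? 'yes' : 'no');
foreach (['api.example.test', 'www.example.test', '192.168.0.1', '192.168.0.2'] as $host) {
    printf("%-18s %s\n", $host, certificate_matches_host($pem, $host) ? 'matched' : 'MISMATCH');
}
unlink($path);
```

To test the real certificate, replace the generated $pem with file_get_contents($path) for the file you pass as CURLOPT_CAINFO and run the script under the same user as the web server (or through the web SAPI), since readability for the CLI user says nothing about the user Apache or IIS runs PHP as.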

You can build a valid SSL certificate and ensure that it is stored in the trusted folder.

A valid SSL certificate can be created by including the following command in the developer command prompt of VS2012 (open it by typing developer in the Start menu).

The following command creates a self-signed certificate that can be used to test a web application that uses Secure Sockets Layer (SSL) on a web server whose URL is www.example.com. The OID defined by the -eku option identifies that certificate as an SSL server certificate. The certificate is stored in the my store and is available at the machine (rather than user) level. The certificate's private key is exportable, and the certificate is valid from May 10, 2010 through December 22, 2011.

Makecert -r -pe -n CN="www.example.com" -b 05/10/2010 -e 12/22/2011 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

For more on how to create the SSL certificate

Now make sure that this certificate is trusted. This can be done by typing CERTMGR in the cmd.

Now the cert created is in the PERSONAL folder. Copy it and paste it to the TRUSTED PEOPLE folder.

This should do the trick. Let me know if that doesn't work.

answered May 19, 2014 at 13:04 by Abhishek

This error can also occur if you update packages on a Linux server that has a self-signed certificate.

Solution:
Stop your existing Apache/nginx server.
Run certbot (if you are using Let's Encrypt).

Restart your Apache/nginx server.

Note: If you're using Spring Boot, add System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2,TLSv1.3"); to your application.properties file

Voila!

answered Jun 22, 2021 at 13:26 by inspiredMichael

I spent almost all day on this error, and the problem was in using IPv6, and the called API server does not support IPv6.
Solution:
// Force IPv4. CURL_IPRESOLVE_V4 is the constant meant for CURLOPT_IPRESOLVE;
// CURL_VERSION_IPV4 (a curl_version() feature flag) happens to share its value.
curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);

answered Nov 18, 2021 at 11:19 by Oleh Diachenko

Published: 29 Apr 2014
Last Modified Date: 28 Sep 2022

Issue

When you try to sign in to Tableau Server from Tableau Desktop, the following error might occur: 

Cannot connect to Tableau Server. Please check the server name and port and try again.

Internet communication error: SSL peer certificate or SSH remote key was not OK <server name or IP>.

Environment

  • Tableau Server 
  • Tableau Desktop 
  • SSL

Resolution

Option 1

Verify that the Common Name defined in the SSL certificate matches the server name in the Tableau Server Sign In dialog box.

Option 2

If Tableau Server is configured for Mutual SSL:

  • Work with your IT Team to configure the proper client certificates on the computer running Tableau Desktop or
  • As a Tableau Server administrator, open the "Configure Tableau Server" menu, and disable the "Mutual SSL" option listed on the SSL tab.

Cause

The server name used in the Server field of the Tableau Desktop connection dialog box does not match the Common Name defined in the SSL certificate.
OR
If your Tableau Server administrator has enabled Mutual SSL, then Tableau Server is looking for a "client certificate" on your Tableau Desktop computer. If that client certificate is missing or malformed, it will return the same "SSL peer certificate or SSH remote key was not OK" error.

Additional Information

  • Tableau Desktop cannot append domains in the URL when using SSL to connect to Tableau Server.  It will only use the common name as defined in the certificate to connect.
  • SSL Knowledge Base: What is the Common Name?




Product Version
Mediawiki 1.35.0
PHP 7.3.24
MariaDB 10.5.8
IIS 10
OS Windows Server 2019

Symptoms:

New installation of private MediaWiki 1.35 with VisualEditor. IIS configured to use Windows Authentication (to enable authentication with Windows AD). MW works as expected; launching VE causes Curl error 60.

VisualEditor documentation states that with MediaWiki 1.35, you should not need to download anything to get VE working, private wiki may need some configuration but otherwise VE should work out of the box.

Many hours (days) and lots of research later I can say, that getting VE work with MediaWiki 1.35 on Windows environment wasn’t such an easy task. I found lots of suggestions how to get VE work after “Error contacting the Parsoid/RESTBase server: (Curl error: 60) SSL peer certificate or SSH remote key was not OK”, but none of them worked for me.


Workaround:

This is my solution (quite simple, actually), hope this helps someone to get things working without days of work and banging head to the wall.

1. Install MediaWiki 1.35 with extensions of your choice.

2. Make sure that everything is working like you want (except that stubborn VisualEditor that gives you Curl error 60)

3. Export the CA certificate and add a reference to it in php.ini (*)

4. Modify the authentication settings of the rest.php file in IIS (**)

5. Add following lines to LocalSettings.php

    if ($_SERVER['REMOTE_ADDR'] === 'your_server_ip_address') {
        // Any request arriving from the server's own address (VisualEditor's
        // internal call to rest.php) may read and edit without logging in.
        $wgGroupPermissions['*']['edit'] = true;
        $wgGroupPermissions['*']['read'] = true;
    }

6. Run iisreset


(*) If I get it right, the Curl 60 is generated when you click on modify in MediaWiki, which leads to a connection attempt to VE through PHP that can't verify the server certificate in use. To fix this error you need to export the CA certificate and tell PHP where it is found:

1. Open mmc → Add/Remove Snap-in → Certificates → Computer account

2. In certificates -console navigate to Trusted Root Certification Authorities → Certificates

3. Select your Root CA → Export → Base-64 encoded X.509 (.CER) (this is equivalent to .pem -certificate format) → Save to the wiki root -folder (same place where is your LocalSettings.php) with name “cacert.cer”

4. Go to your PHP install folder and find php.ini → find line ;curl.cainfo =

5. Remove the ; and add the absolute path to your exported cacert.cer file, for example: curl.cainfo = "c:\WIKI\cacert.cer"


Now the curl 60 should disappear, you can verify that by changing the IIS authentication settings to Anonymous Authentication and authenticating with log in form.


(**) SSO won't work if you have Anonymous Authentication enabled in IIS, and VE won't work if it is disabled. This is a problem if you use something other than username/password to authenticate users (you know what I mean if you have smart cards in use).

You can tackle the authentication problem by setting Anonymous Authentication only on the rest.php file (found in your wiki root); everywhere else you can use Windows Authentication and keep Anonymous Authentication disabled:

1. Navigate to your %windir%\system32\inetsrv\config directory and modify applicationHost.config

2. Search for the <location path="your_wiki_site"> … </location> section and add a new section below it:

    <location path="your_wiki_site/rest.php">
        <system.webServer>
            <security>
                <authentication>
                    <anonymousAuthentication enabled="true" />
                </authentication>
            </security>
        </system.webServer>
    </location>

3. Save your changes to the config file and run an iisreset.


Now you should have working MediaWiki with Visual Editor.
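Step 3 of the procedure above sets curl.cainfo, but that is only one of several places PHP can take its trust anchors from, and on IIS the php.ini loaded by FastCGI is not always the one the php command line reads. The script below is an added example, not part of the post or of MediaWiki: it reports where this PHP process's CA bundle comes from and what is in it, and optionally probes a URL (a placeholder wiki address passed on the command line) with verification on while capturing curl's own trace, the same information the CURLOPT_VERBOSE and curl --trace-ascii advice elsewhere on this page relies on.

```php
<?php
// Added example, not part of the post: report where this PHP process takes its
// TLS trust anchors from (the curl.cainfo setting of step 3 is only one source),
// and optionally probe a URL with verification on while capturing curl's trace.
// The wiki URL passed on the command line is a placeholder.

/** Subjects of every PEM certificate in a bundle, to confirm the exported CA is there. */
function bundle_subjects(string $file): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
        file_get_contents($file), $m);
    $subjects = [];
    foreach ($m[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info !== false) {
            $subjects[] = $info['name'];                 // e.g. "/CN=Corp Root CA"
        }
    }
    return $subjects;
}

/** Which bundle PHP's curl and openssl extensions will use, and whether it is usable. */
function ca_bundle_report(): array
{
    $ossl = openssl_get_cert_locations();
    // Best guess at what libcurl will open; an unset curl.cainfo means libcurl's own
    // compile-time default, so the "CAfile:" line of the trace is the authoritative answer.
    $file = ini_get('curl.cainfo') ?: $ossl['default_cert_file'];
    return [
        'sapi'              => PHP_SAPI,                 // FastCGI and CLI may load different php.ini
        'loaded php.ini'    => php_ini_loaded_file() ?: '(none)',
        'curl.cainfo'       => ini_get('curl.cainfo') ?: '(unset)',
        'openssl.cafile'    => ini_get('openssl.cafile') ?: '(unset)',
        'SSL_CERT_FILE env' => getenv('SSL_CERT_FILE') ?: '(unset)',
        'openssl default'   => $ossl['default_cert_file'],
        'curl ssl backend'  => curl_version()['ssl_version'],
        'probable bundle'   => $file,
        'bundle readable'   => is_readable($file) ? 'yes' : 'no',
        'bundle subjects'   => is_readable($file) ? implode('; ', bundle_subjects($file)) : '-',
    ];
}

/** HEAD $url with verification on and return curl's error plus the trace lines that explain it. */
function probe_tls(string $url): array
{
    $log = tmpfile();                                    // CURLOPT_STDERR needs a real file stream
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log,
    ]);
    curl_exec($ch);
    $result = ['errno' => curl_errno($ch), 'error' => curl_error($ch), 'trace' => []];
    curl_close($ch);
    rewind($log);
    while (($line = fgets($log)) !== false) {
        if (preg_match('/CAfile|CApath|subject:|issuer:|SSL certificate|certificate verify/i', $line)) {
            $result['trace'][] = trim($line, "* \r\n");
        }
    }
    fclose($log);
    return $result;
}

foreach (ca_bundle_report() as $key => $value) {
    printf("%-18s %s\n", $key, $value);
}
if (isset($argv[1])) {                                   // php cacheck.php https://wiki.example.test/rest.php/
    $r = probe_tls($argv[1]);
    printf("curl errno %d: %s\n", $r['errno'], $r['error'] ?: 'peer verified');
    foreach ($r['trace'] as $line) {
        echo "  $line\n";
    }
}
```

Run it once from the command line and once through the web server (for IIS, drop it into the wiki root, open it in a browser, and delete it again afterwards): if the two runs show different php.ini paths or a different bundle, the curl.cainfo line was edited in a file the web SAPI never reads. The "bundle subjects" line should list the root CA you exported; if it does not, the file PHP opens is not the one you edited.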

89.166.216.113

I could not import my certificate in the cert store, so I added the ignore option for curl to get it running:

edit includes/libs/http/MultiHttpClient.php

                $ch = curl_init();

+                curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

+                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

                curl_setopt( $ch, CURLOPT_PROXY, $req[‘proxy’] ?? $this->proxy );
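Review bot: the two added curl_setopt calls switch off peer and host verification for every request this client sends, not only the one to the Parsoid/RESTBase endpoint, and they are made in a core file that the next MediaWiki upgrade will overwrite. Since the failure here is a certificate that cannot be verified, the narrower fix is the one in the original post: put the CA certificate in a PEM file and point curl.cainfo in php.ini at it, leaving CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST at their defaults.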


Now curl does not check my certificate, but it works.

88.130.78.70

After hours of search & try I finally found a solution for my private wiki.


Here are my steps and solution. Maybe they will help someone.

— See what is the problem:

curl --trace-ascii trace.txt wiki-address/api.php

My curl.cainfo in the php.config was not used. In the trace.txt I found the path.


— Then I added my SSL cert at the end of ca-certificates.crt

sudo nano /etc/ssl/certs/ca-certificates.crt

   -> add private cert at the end


— I use NGINX with htaccess protection. But now I got a 401 error. That's why I disabled the auth*

-> remove auth_* in the NGINX config

   server {
       auth_basic "Restricted";
       auth_basic_user_file /etc/nginx/.htpasswd;
   }


— Now I got a 400 error. I added following line in NGINX config:

     location /rest.php/ {
           try_files $uri $uri/ /rest.php?$query_string;
     }

sudo nginx -t

sudo systemctl reload nginx


This finally worked for me.

Unfortunately I have no more htaccess protection.

KarelMike

I have the same error (Curl error: 60) with MW 1.35.2 working on a virtual server (Ubuntu 20.04, Apache2, PHP 7.4.3, MySQL 8.0.25). I have an assumption that the error arises from the NGINX - Apache bundle, where Apache works through 127.0.0.1 localhost.

I don't know how to fix this. None of the methods presented here work for me.

Lokeshwarans

Thanks, this is good! Do you face any issues with image uploads? I get a "Could not open lock file for "mwstore://local-backend/local-public/" while uploading

Fokebox

I have some wiki websites on different hosts and yesterday when using VE I faced with the same error: (Curl error: 60) SSL peer certificate or SSH remote key was not OK

What steps should be made to resolve this problem I really don’t know. Can someone help me?

95.57.117.162

     location /rest.php/ {
           try_files $uri $uri/ /rest.php?$query_string;
     }


This worked for me, thanks!

2001:9E8:303B:7900:412F:8C5C:22AC:71D3

How do I "Export CA-certificate"?

Thanks in advance!

Christian

VMware UMDS curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: unable to get local issuer certificate

May 24, 2020 04:09PM

After configuring VMware UMDS (VMware Update Manager Download Service) in my environment, which downloads patches/updates from the online VMware repositories, I tried downloading patches/updates, but I was receiving the errors below for multiple URLs. (There are 4 default online VMware repositories from which UMDS tries to download patches/fixes.)

[root@centos01 bin]# ./usr/local/vmware-umds/bin/vmware-umds -D
Starting download of updates ...
INFO -   Executing download job {22727488}, url=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
ERROR -   curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: unable to get local issuer certificate
ERROR -   [backtrace begin] product: VMware vSphere Update Manager Download Service, version: 7.0.0, build: build-15952383, tag: vmware-downloadService, cpu: x86_64, os: linux, buildType: release backtrace[00] libvmacore.so[0x002ECAC5] backtrace[01] libvmacore.so[0x0019D635]: Vmacore::System::Stacktrace::CaptureFullWork(unsigned int) backtrace[02] libvmacore.so[0x0018F3A9]: Vmacore::System::SystemFactory::CreateBacktrace(Vmacore::Ref&) backtrace[03] umds[0x00161D4B] backtrace[04] umds[0x001620CA] backtrace[05] umds[0x0016249C] backtrace[06] umds[0x0015DBC0] backtrace[07] umds[0x0015F8AF] backtrace[08] umds[0x0016052A] backtrace[09] libvmacore.so[0x0022C942] backtrace[10] libvmacore.so[0x002319B6] backtrace[11] libvmacore.so[0x002AAB54] backtrace[12] libpthread.so.0[0x00007E65] backtrace[13] libc.so.6[0x000FE88D] backtrace[14] (no module) [backtrace end]
ERROR -   Executing download job {22727488} throws error: curl_easy_perform() failed: cURL Error: SSL peer certificate or SSH remote key was not OK, SSL certificate problem: unable to get local issuer certificate
INFO -   Download failed but destination file /tmp/vcioUNphO exists and is valid. Ignoring error
INFO -   Download job {22727488} finished, bytes downloaded = 0
*********************************************
Downloaded 0 updates, Download size: 0 MB
*********************************************

[Screenshot: vmware-umds -D output with the curl_easy_perform() "SSL peer certificate or SSH remote key was not OK" error and backtrace]

To resolve this issue, edit the UMDS configuration file downloadConfig.xml under /usr/local/vmware-umds/bin and change all the HTTPS URLs to HTTP, then save the file. The configuration looks like below. Be clear about what this trades away: the error means the libcurl shipped with UMDS could not build a trust chain for hostupdate.vmware.com, and switching to plain HTTP does not repair that chain, it removes transport encryption and server authentication from the patch download altogether, so the depot index and the bundles are no longer protected in transit. The libcurl replacement described at the end of this post keeps HTTPS and is the fix to prefer.

[Screenshot: /usr/local/vmware-umds/bin/downloadConfig.xml with the proxy settings and the repository URLs changed to http]

Rerun command ./vmware-umds -D, download will start. Once updates download is completed it shows how many updates it downloaded and its size.

[Screenshot: vmware-umds -D downloading the ESXi patch metadata and reporting the number and size of updates]

The steps above download updates over plain HTTP. Another way to resolve the issue, keeping HTTPS, is to replace the libcurl.so.4 library included with UMDS with a symbolic link pointing to the one currently on the vCenter Server Appliance:
     $ mv /usr/local/vmware-umds/lib/libcurl.so.4 /usr/local/vmware-umds/lib/libcurl.so.4.backup
     $ ln -s /usr/lib64/libcurl.so.4 /usr/local/vmware-umds/lib/libcurl.so.4

