Problem after updating to 1.2.0 version about ca-bundle HOT 19 CLOSED

We had a similar issue on debian

cURL error (77): error setting certificate verify locations:
  CAfile: /usr/lib/ssl/certs
  CApath: /etc/ssl/certs

And I can confirm, that v1.2.3 fixed it for us.

Thank you all! :)

from ca-bundle.

We are facing the same problem after upgrading to version 1.2.0:

{"0":"Warning: is_file(): open_basedir restriction in effect. File(/etc/pki/tls/cert.pem) is not within the allowed path(s): (/data/var/www/vhosts/***/) in /data/var/www/vhosts/***/vendor/composer/ca-bundle/src/CaBundle.php on line 309","1":"<pre>#1 is_file() called at [vendor/composer/ca-bundle/src/CaBundle.php:309]

Downgrading to version 1.1.4 everything is back to work.

A temporary fix, instead of downgrading, is to add:
"config" {
     "disable-tls": true,
}
to the composer.json of the project.

from ca-bundle.

Same here: open_basedir restriction in effect. File(/usr/lib/ssl/certs) is not within the allowed path(s)

from ca-bundle.

I will get a pr up for this tomorrow

from ca-bundle.

In fact or is up now #45

from ca-bundle.

Fixed by #45 - I'll tag 1.2.1 in a minute

from ca-bundle.

I'm still experiencing certificate related issues (through cURL) on both 1.2.0 and 1.2.1, which are resolved by downgrading back to 1.1.4.

cURL error (77): error setting certificate verify locations:
  CAfile: /usr/lib/ssl/certs
  CApath: /etc/ssl/certs

from ca-bundle.

Do both of them exist ? What does cat /usr/lib/ssl/certs show ?

from ca-bundle.

I'm also running ca-bundle 1.2.1 on Ubuntu 16.04 and am experiencing the same cURL error(77)

from ca-bundle.

@dwightwatson @lfjeff please try again with 1.2.2 to see if it helps..

from ca-bundle.

I've tried again on 1.2.2 but I still appear to have the same issue.

from ca-bundle.

In that case do we remove the openssl default location ? My system defaults to that rather than the paths hard coded ?

Either that or move the openssl location to be below the hard coded paths but before the final fall back of the bundle ?

from ca-bundle.

It looks like the default dir is being used, and the default file is not being overwritten. Previously the default file would have been set.

For some reason the file suggested by openssl_get_cert_locations doesnt actually exist (even on my OS this doesnt exist, the default before hand is used and works kinda by accident.

I think the openssl_get_cert_locations command needs to be removed if it cant be trusted to give a correct path to file ? I have opened a PR if everyone agress to ignore its input and just look it up the classic way

from ca-bundle.

openssl/openssl#4708 could be related.

from ca-bundle.

Same error with 1.2.2 on Ubuntu 16.04

cURL error (77): error setting certificate verify locations:
  CAfile: /usr/lib/ssl/certs
  CApath: /etc/ssl/certs

Downgrading to 1.1.4 helped me

from ca-bundle.

Can you confirm this file doesn't exist

ls -l /usr/lib/ssl/certs

Thanks

from ca-bundle.

user@server:~/$ ls -l /usr/lib/ssl/certs
lrwxrwxrwx 1 root root 14 May 19  2017 /usr/lib/ssl/certs -> /etc/ssl/certs

from ca-bundle.

Yeah same thing :( Ok looks like that confirms the info from openssl_get_cert_locations can't be trusted to give a correct path.

So #48 removes it. The CA Dir works fine, but capath needs to be set to a valid PEM cert for it to fall back to using the cadir from testing it.

Can test from command line like so

strace -f curl -vvv --cacert /tmp/certs/DigiCert_Global_Root_CA.pem --capath /tmp/certs https://google.com/ 2>&1 | grep open

Googles root CA is global sign, which is picked up correctly from the --capath , to make it to there though cacert needs to be a correct file.

/tmp/certs here is a directory zipped and sent to me from someone having this issue. The certs are fine in there

from ca-bundle.

v1.2.3 is out with the latest fix which removes openssl_get_cert_locations() completely.. hopefully back to normal for everyone.

from ca-bundle.