阅读背景:

AWS SSL安全性错误:[curl] 60:SSL证书概率...:无法获得本地颁发者证书

来源:互联网 

I am trying to connect Amazon's S3 files from my (localhost) Windows 8 machine running AppServ 2.5.10 (which includes Apache 2.2.8, php 5.2.6, mysql 5.0.51b and phpMyAdmin 2.10.3) using Amazon SDK for php.

我正在尝试使用Amazon SDK for php从运行AppServ 2.5.10(包括Apache 2.2.8,php 5.2.6,mysql 5.0.51b和phpMyAdmin 2.10.3)的我的(localhost)Windows 8机器连接Amazon的S3文件。

In order to be compatible with Amazon SDK's namespace feature, I replaced php with version 5.3.28 by downloading its zipped file and unzipped it.

为了与Amazon SDK的命名空间功能兼容,我通过下载压缩文件并将其解压缩,将php替换为版本5.3.28。

My php code works fine to access S3 file in Amazon EC2 but it failed in my Windows local host.

我的PHP代码可以正常访问Amazon EC2中的S3文件,但在我的Windows本地主机中失败了。

However when I run the php srcipt to read Amazon S3 bucket file in Windows local host machine, I got SSL error as following:

但是当我运行php srcipt来读取Windows本地主机中的Amazon S3存储桶文件时,我收到如下SSL错误:

Fatal error: Uncaught exception 'Guzzle\Http\Exception\CurlException' with message '[curl] 60: SSL certificate problem: unable to get local issuer certificate [url] https://images-st.s3.amazonaws.com/us/123977_sale_red_car.png' in C:\AppServ\www\ecity\vendor\guzzle\guzzle\src\Guzzle\Http\Curl\CurlMulti.php:342 Stack trace:

致命错误:未捕获异常'Guzzle \ Http \ Exception \ CurlException',消息'[curl] 60:SSL证书问题:无法获取本地颁发者证书[url] https://images-st.s3.amazonaws.com/us / 123977_sale_red_car.png'在C:\ AppServ \ www \ ecity \ vendor \ guzzle \ guzzle \ src \ Guzzle \ Http \ Curl \ CurlMulti.php:342堆栈跟踪:

#0 C:\AppServ\www\ecity\vendor\guzzle\guzzle\src\Guzzle\Http\Curl\CurlMulti.php(283): Guzzle\Http\Curl\CurlMulti->isCurlException(Object(Guzzle\Http\Message\Request), Object(Guzzle\Http\Curl\CurlHandle), Array)

#0 C:\ AppServ \ www \ ecity \ vendor \ guzzle \ guzzle \ src \ Guzzle \ Http \ Curl \ CurlMulti.php(283):Guzzle \ Http \ Curl \ CurlMulti-> isCurlException(Object(Guzzle \ Http \ Message) \ Request),Object(Guzzle \ Http \ Curl \ CurlHandle),Array)

#1 C:\AppServ\www\ecity\vendor\guzzle\guzzle\src\Guzzle\Http\Curl\CurlMulti.php(248): Guzzle\Http\Curl\CurlMulti->processResponse(Object(Guzzle\Http\Message\Request), Object(Guzzle\Http\Curl\CurlHandle), Array)

#1 C:\ AppServ \ www \ ecity \ vendor \ guzzle \ guzzle \ src \ Guzzle \ Http \ Curl \ CurlMulti.php(248):Guzzle \ Http \ Curl \ CurlMulti-> processResponse(Object(Guzzle \ Http \ Message) \ Request),Object(Guzzle \ Http \ Curl \ CurlHandle),Array)

#2 C:\AppServ\www\ecity\vendor\guzzle\guzzle\src\Guzzle\Http\Curl\CurlMulti.php(231): Guzzle\Http\Curl\CurlMulti->processMessages()

#2 C:\ AppServ \ www \ ecity \ vendor \ guzzle \ guzzle \ src \ Guzzle \ Http \ Curl \ CurlMulti.php(231):Guzzle \ Http \ Curl \ CurlMulti-> processMessages()

#3 C:\AppServ\www\ecity\vendor\guzzle\guzzle\src\Guzzle\Http\Curl\CurlMulti.php(215): Guzzle\Http\Curl\CurlMulti->executeHandles()

#3 C:\ AppServ \ www \ ecity \ vendor \ guzzle \ guzzle \ src \ Guzzle \ Http \ Curl \ CurlMulti.php(215):Guzzle \ Http \ Curl \ CurlMulti-> executeHandles()

#4 C:\AppServ\www\ecity\ven in C:\AppServ\www\ecity\vendor\aws\aws-sdk-php\src\Aws\Common\Client\AbstractClient.php on line 288

第288行的C:\ AppServ \ www \ ecity \ vendor \ aws \ aws-sdk-php \ src \ Aws \ Common \ Client \ AbstractClient.php中的#4 C:\ AppServ \ www \ ecity \ ven

I download the certifate from https://curl.haxx.se/ca/cacert.pem and define it in php.ini as following:

我从https://curl.haxx.se/ca/cacert.pem下载证书,并在php.ini中定义如下:

curl.cainfo = "C:\AppServ\cacert.pem"

but I still got the same error. It seems php doesn't honor the curl.cainfo defined in php.ini.

但我仍然有同样的错误。似乎php不尊重php.ini中定义的curl.cainfo。

My php version is 5.3.28 according to localhost/phpinfo.php.

根据localhost / phpinfo.php,我的php版本是5.3.28。

I also checked the cainfo parameter to be correct as C:\AppServ\cacert.pem using

我还检查了cainfo参数是否正确为C:\ AppServ \ cacert.pem使用

echo ini_get( "curl.cainfo" ) ; 

in the php script.

在PHP脚本中。

Php version higher than 5.3 shall support curl.cainfo in php.ini.

高于5.3的Php版本应支持php.ini中的curl.cainfo。

In Windows' command line, I check curl behavior and it seems work fine.

在Windows的命令行中,我检查卷曲行为,它似乎工作正常。

C:\Users\Jordan>curl  https://s3-us-west-2.amazonaws.com/images-st/aaa.txt
   curl: (60) SSL certificate problem: unable to get local issuer certificate
   ......

C:\Users\Jordan>curl --cacert C:\AppServ\cacert.crt  https://s3-us-west-2.amazonaws.com/images-st/aaa.txt
  This is aaa.txt file.
  Stored in Amazon S3 bucket.

Is it because I used Apache in Windows which doesn't match php 5.3.28 zip file I downloaded from https://windows.php.net/download/ VC9 x86 Thread Safe (2014-Jun-11 01:09:56) zip version.

是因为我在Windows中使用的Apache与我从https://windows.php.net/download/下载的php 5.3.28 zip文件不匹配.VC9 x86线程安全(2014年6月11日01:09:56)拉链版。

In my apache's httpd-ssl.conf file, I have the following setting even I use from local host in Windows 8.

在我的apache的httpd-ssl.conf文件中,即使我在Windows 8中使用本地主机,我也有以下设置。

<VirtualHost _default_:443>

DocumentRoot "C:/AppServ/www"
ServerName localhost:443
ServerAdmin [email protected]
ErrorLog "C:/AppServ/Apache2.2/logs/error.log"
TransferLog "C:/AppServ/Apache2.2/logs/access.log"

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "C:/AppServ/Apache2.2/conf/mydomain.cert"
SSLCertificateKeyFile "C:/AppServ/Apache2.2/conf/mydomain.key"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/Apache2.2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0

CustomLog "C:/AppServ/Apache2.2/logs/ssl_request.log" \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                                  

Now I am wondering what is the problem and how to connect to Amazon S3 bucket files and RDS database without producing these curl cannot get local issuer certificate problems from my Windows 8 local host.

现在我想知道是什么问题以及如何连接到Amazon S3存储桶文件和RDS数据库而不产生这些卷曲无法从我的Windows 8本地主机获得本地颁发者证书问题。

Any advice?

任何建议?

3 个解决方案

#1


28  

As mentioned by Jeremy Lindblom in the comments, the solution for AWS SDK v2 is to set the ssl.certificate_authority option when instantiating the SDK:

正如Jeremy Lindblom在评论中所提到的,AWS SDK v2的解决方案是在实例化SDK时设置ssl.certificate_authority选项:

$aws = Aws\Common\Aws::factory(array(
    'region' => 'us-west-2',
    'ssl.certificate_authority' => '/path/to/updated/cacert.pem'
));

https://docs.aws.amazon.com/aws-sdk-php/guide/latest/faq.html#what-do-i-do-about-a-curl-ssl-certificate-error

https://docs.aws.amazon.com/aws-sdk-php/guide/latest/faq.html#what-do-i-do-about-a-curl-ssl-certificate-error


I'll add that this was changed in the AWS SDK v3, here is the new method:

我将在AWS SDK v3中添加更改,这是新方法:

$client = new DynamoDbClient([
    'region'  => 'us-west-2',
    'version' => 'latest',
    'http'    => [
        'verify' => '/path/to/my/cert.pem'
    ]
]);

https://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#verify

https://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#verify

#2


5  

I was getting the same error If you want to use http then you can use below solution:

我得到了同样的错误如果你想使用http,那么你可以使用以下解决方案:

 Error executing "PutObject" on "https://s3-ap-southeast-2.amazonaws.com/mybucketname/TestBanner1_e1d8d74e41"; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)

I have resolved it by using http method this is not secure to use secure way enter _ curl.cainfo = "/path/to/file.cacert.pem"_ in php.ini file :

我已经通过使用http方法解决了这个问题,使用安全的方法输入_ curl.cainfo =“/ path / to / file.cacert.pem”_在php.ini文件中是不安全的:

Solution:

解:

'options' => [
'scheme' => 'http',
],

Complete Example code:

完整示例代码:

 // ...
's3bucket' => [
'class' => \frostealth\yii2\aws\s3\Storage::className(),
'region' => 'ap-southeast-2',
'credentials' => [ // Aws\Credentials\CredentialsInterface|array|callable
'key' => 'JGUTEHCDE.............OSHS',
'secret' => 'SJEUC-----------jzy1-----rrT',
],
'bucket' => 'yours3bucket',
//'cdnHostname' => 'https://example.cloudfront.net',
'defaultAcl' => \frostealth\yii2\aws\s3\Storage::ACL_PUBLIC_READ,
'debug' => false, // bool|array
'options' => [
'scheme' => 'http',
],

],
// ...

#3


1  

For those using WampServer, open the php.ini file then scroll down to the bottom and add the following:

对于那些使用WampServer的人,打开php.ini文件,然后向下滚动到底部并添加以下内容:

curl.cainfo = "C:\wamp\bin\php\php7.2.3\cacert.pem"

curl.cainfo =“C:\ wamp \ bin \ php \ php7.2.3 \ cacert.pem”

Make sure you have the cacert.pem file in the folder of the current php version you are using. In my case, I have it in the php7.2.3 folder.

确保您使用的当前php版本的文件夹中有cacert.pem文件。在我的情况下,我有它在php7.2.3文件夹中。


分享到: