
error loading feed content: cURL error 60: SSL certificate problem: unable to get local issuer certificate

Open K232 opened this issue 5 years ago • 7 comments

There are already some older issues regarding this topic "error loading feed content: cURL error 60: SSL certificate problem: unable to get local issuer certificate" and https://github.com/SSilence/selfoss/pull/505#issuecomment-39122258 was marked as solution, but unfortunately I'm on shared webhosting and therefore I do not have access to php.ini.

Is there anything I could do right within selfoss?

K232 avatar Mar 27 '19 10:03 K232

Since we switched to Guzzle in development builds, you can set the verify flag to a certificate file in https://github.com/SSilence/selfoss/blob/66b08f81f4271eb50e9fb62c2e1de1db24f6ee3b/helpers/WebClient.php#L40. We could support changing it in config.

The issue still persists with Twitter spout, which doesn't use Guzzle yet.

jtojnar avatar Mar 27 '19 11:03 jtojnar

Hi @jtojnar, thanks for the fast reply! I've downloaded the latest development build and updated WebClient.php:

            $httpClient = new GuzzleHttp\Client([
                'headers' => [
                    'User-Agent' => self::getUserAgent(),
                ],
                'handler' => $stack,
                'verify' => '/var/www/vhosts/path/to/my/site/cacert.pem',
            ]);

I'm using cacert.pem from https://curl.haxx.se/docs/caextract.html as linked in the above 505 comment. The error message is: error loading feed content: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html). Did I add it wrong?

K232 avatar Mar 28 '19 16:03 K232

Ah, maybe I just have a wrong path? If I set verify = false (for testing only of course), the error message disappears...

K232 avatar Mar 28 '19 16:03 K232

You can try \F3::get('BASEDIR') . '/data/ca-bundle.crt' and download the file Guzzle links to https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt. Not sure why cacert.pem does not work.

Edit: hmm, that file is the same as http://curl.haxx.se/ca/cacert.pem

jtojnar avatar Mar 28 '19 16:03 jtojnar
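
One way to rule out the path and file-content questions raised above before pointing Guzzle's `verify` option at a bundle, as an added example (not selfoss code and not posted by either participant). The helper name `inspectCaBundle` is hypothetical, and the certificate is a throwaway one constructed at run time to stand in for `cacert.pem`.

```php
<?php
// Added example: sanity-check a CA bundle file before using it as Guzzle's 'verify' value.

/** Returns ['certs' => int, 'expired' => string[]]; throws if the bundle is unusable. */
function inspectCaBundle(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        // Possible causes: wrong absolute path, file permissions, open_basedir restriction.
        throw new RuntimeException("CA bundle not readable: $path");
    }
    $pem = file_get_contents($path);
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    if (count($m[0]) === 0) {
        throw new RuntimeException("No PEM certificates found in $path");
    }
    $expired = [];
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            throw new RuntimeException("Unparseable certificate in $path");
        }
        if ($info['validTo_time_t'] < time()) {
            $expired[] = $info['subject']['CN'] ?? $info['name'];
        }
    }
    return ['certs' => count($m[0]), 'expired' => $expired];
}

// Constructed sample input: a self-signed certificate valid for 30 days.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr = openssl_csr_new(['commonName' => 'Example Test Root (constructed)'], $key);
$cert = openssl_csr_sign($csr, null, $key, 30);
openssl_x509_export($cert, $pemOut);
$bundle = tempnam(sys_get_temp_dir(), 'ca');
file_put_contents($bundle, $pemOut);

print_r(inspectCaBundle($bundle));            // one certificate, none expired
try {
    inspectCaBundle('/nonexistent/cacert.pem'); // constructed bad path
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
unlink($bundle);
```

Run it with the real bundle path under the same PHP user that serves selfoss, so that permission and `open_basedir` effects match what the web request sees.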

No problem, @jtojnar. The page I tried to add resulted (with verify = false) in the error "is invalid XML, likely due to invalid characters. XML error: Undeclared entity error at line 39, column 55", so it doesn't work anyway, but that's not the problem of selfoss. Probably it would be nice to have this setting in the config, so I don't know whether I should close this issue. Feel free to close! And thanks a lot for your support!! 👍

K232 avatar Mar 29 '19 06:03 K232

Let’s keep this open until we add the config option.

jtojnar avatar Mar 29 '19 11:03 jtojnar

Actually, we might want selfoss to obtain the cacert.pem file. But then the issue becomes how do we verify that the download itself was not MITMed.

jtojnar avatar Mar 29 '19 11:03 jtojnar