selfoss
error loading feed content: cURL error 60: SSL certificate problem: unable to get local issuer certificate
There are already some older issues regarding this topic "error loading feed content: cURL error 60: SSL certificate problem: unable to get local issuer certificate" and https://github.com/SSilence/selfoss/pull/505#issuecomment-39122258 was marked as solution, but unfortunately I'm on shared webhosting and therefore I do not have access to php.ini.
Is there anything I could do right within selfoss?
Since we switched to Guzzle in development builds, you can set the `verify` flag to a certificate file in https://github.com/SSilence/selfoss/blob/66b08f81f4271eb50e9fb62c2e1de1db24f6ee3b/helpers/WebClient.php#L40. We could support changing it in config.
The issue still persists with Twitter spout, which doesn't use Guzzle yet.
Hi @jtojnar, thanks for the fast reply! I've downloaded the latest development build and updated WebClient.php:
```php
$httpClient = new GuzzleHttp\Client([
    'headers' => [
        'User-Agent' => self::getUserAgent(),
    ],
    'handler' => $stack,
    'verify' => '/var/www/vhosts/path/to/my/site/cacert.pem',
]);
```
I'm using cacert.pem from https://curl.haxx.se/docs/caextract.html as linked in the above 505 comment. The error message is: error loading feed content: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html). Did I add it wrong?
Ah, maybe I just have a wrong path? If I set verify = false (for testing only, of course), the error message disappears.....
You can try `\F3::get('BASEDIR') . '/data/ca-bundle.crt'` and download the file Guzzle links to https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt. Not sure why `cacert.pem` does not work.
Edit: hmm, that file is the same as http://curl.haxx.se/ca/cacert.pem
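Added example, not part of the thread or of selfoss: a small diagnostic for the "wrong path?" question above. It checks whether the file passed to Guzzle's `verify` option is reachable by PHP and actually contains PEM certificates. The function name `checkCaBundle` and the default path `data/ca-bundle.crt` are assumptions made for this sketch.

```php
<?php
// Added diagnostic (hypothetical helper, not selfoss code).
// Returns a list of problems with a CA bundle path; an empty list means usable.
function checkCaBundle(string $path): array
{
    // realpath() fails for missing files and for paths outside open_basedir,
    // which shared hosts commonly restrict to the site's own directory.
    $real = @realpath($path);
    if ($real === false || !is_file($real)) {
        $base = (string) ini_get('open_basedir');
        return ["cannot resolve '$path' as a file (open_basedir: " . ($base ?: 'unset') . ')'];
    }
    if (!is_readable($real)) {
        return ["file exists but is not readable by the PHP user: $real"];
    }

    $problems = [];
    $pem = (string) file_get_contents($real);
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    if (count($m[0]) === 0) {
        // Typical causes: an HTML error page saved as .pem, or a DER-encoded file.
        $problems[] = 'no PEM certificate blocks found';
    }

    // Each block must parse as X.509; a truncated download usually breaks one.
    $unparsable = 0;
    foreach ($m[0] as $block) {
        if (openssl_x509_read($block) === false) {
            $unparsable++;
        }
    }
    if ($unparsable > 0) {
        $problems[] = "$unparsable of " . count($m[0]) . ' certificate blocks do not parse';
    }
    return $problems;
}

// Assumed default location; pass another path as the first CLI argument.
$path = $argv[1] ?? __DIR__ . '/data/ca-bundle.crt';
$problems = checkCaBundle($path);
echo $problems ? implode(PHP_EOL, $problems) : "OK: $path looks like a usable CA bundle";
echo PHP_EOL;

// What PHP falls back to when no explicit bundle is configured.
echo 'curl.cainfo: ' . (ini_get('curl.cainfo') ?: 'unset') . PHP_EOL;
echo 'OpenSSL default: ' . openssl_get_cert_locations()['default_cert_file'] . PHP_EOL;
```

Run it through the web server rather than the CLI where possible, since `open_basedir` and the file owner can differ between the two.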
No problem, @jtojnar . The page I tried to add resulted (with verify = false) in error is invalid XML, likely due to invalid characters. XML error: Undeclared entity error at line 39, column 55 so it doesn't work anyway, but that's not the problem of selfoss. Probably it would be nice to have this setting in the config so I don't know whether I should close this issue. Feel free to close! And thanks a lot for your support!! 👍
Let’s keep this open until we add the config option.
Actually, we might want selfoss to obtain the `cacert.pem` file. But then the issue becomes how do we verify that the download itself was not MITMed.