Self signed certificate in certificate chain

How to avoid a certificate generated from win-acme (I guess it is created by OpenSSL) being treated as self-signed?

I'm getting "self signed certificate in certificate chain" while using cURL to communicate with another organization's API. My research shows the workaround is to turn off CURLOPT_SSL_VERIFYPEER, but it seems like this is not a secure approach.

1 Like

Sounds like the problem is with the other organization's configuration (not yours).
Perhaps you could provide the name/IP/URL... (anything that we might be able to help/test/confirm with).

2 Likes

Thanks for the prompt reply. The following is the URL I'm trying to access.

https://api.na.bambora.com/v1/payments

3 Likes

Hi @Jimwong266

That server sends the self-signed root certificate; that's wrong.

One certificate too much.

But that's something the webmaster of api.na.bambora.com has to fix.

1 Like

Thanks a lot. I thought that message indicates my certificate is self signed. So I shouldn't be turning off CURLOPT_SSL_VERIFYPEER.

2 Likes

That site doesn't have a Let's Encrypt certificate. I'm not seeing any relationship with your win-acme.

Also, as far as I know it's not recommended to send the self-signed root certificate in the chain, but it isn't an error either. So I'm not sure why cURL would complain about that? Do you have a screenshot? And perhaps try openssl s_client -connect ${hostname}:443 where ${hostname} is the hostname of the URL you're trying to connect to?

1 Like

Sorry, did you mean https://api.na.bambora.com/v1/payments doesn't have a Let's Encrypt certificate installed, or mine doesn't? I don't have OpenSSL installed on my server.

If I understand correctly from the previous two posts, the message I got is caused by the destination site. Am I right?

1 Like

api.na.bambora.com doesn't have a Let's Encrypt certificate installed. That's the site you're trying to connect to, right?

That's what you're telling us. Screenshots might be helpful.

1 Like

That's what I'm doing.

1 Like

Does PHP's cURL library need CURLOPT_CAPATH set? Or is it set to a proper setting by default?

Also, this is not Let's Encrypt related.

2 Likes

Is there any way we can tell if the destination side is using a self-signed certificate? Since I just started to use Let's Encrypt, my first response to the error message was that maybe the certificate generated on my end is self-signed.

I appreciate all the replies.

1 Like

Yes, easily.
See: SSL Server Test: api.na.bambora.com (Powered by Qualys SSL Labs)

Note the "chain issues": "contains anchor".

1 Like

That's amazing. Is that indicating self-signed?

1 Like

Well technically YES. But all root certs have to be self-signed [they are the root].
It is sending the cert, and the intermediate, and the root.
[root certs should never be sent by any system claiming to be trusted by the root cert being sent]

1 Like

But it's not a reason to fail a connection either!

Also, "never" is a bit strong. It only increases the handshake size and therefore latency/speed. Nothing more, nothing less.

I still think the cURL PHP library has difficulty accessing the system root store to verify the chain up to a trusted root, resulting in the error about a self signed cert in the chain, which is sort of true. If the root wasn't sent, cURL would probably complain about an untrusted chain/verify error altogether.

1 Like
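To separate "cURL cannot find a trust store" from "the server sends an extra root", the PHP below (an added example, not code posted in this thread) keeps peer verification on, points cURL at an explicit CA bundle, and dumps the chain the server actually presented. The bundle path and the `fetchWithChainInfo` name are assumptions; on Windows, PHP's cURL has no default bundle, so either set `curl.cainfo` in php.ini or pass CURLOPT_CAINFO as here.

```php
<?php
// Added example: verify the peer against an explicit CA bundle instead of
// disabling CURLOPT_SSL_VERIFYPEER, and inspect the presented chain.
function fetchWithChainInfo(string $url, string $caBundle): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // keep verification on for a payments API
        CURLOPT_SSL_VERIFYHOST => 2,         // hostname must match the certificate
        CURLOPT_CAINFO         => $caBundle, // explicit trust store (CURLOPT_CAPATH is the dir form)
        CURLOPT_CERTINFO       => true,      // collect the certificates the server sent
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    $result = [
        'ok'    => $body !== false,
        'errno' => curl_errno($ch),          // 60 = CURLE_PEER_FAILED_VERIFICATION
        'error' => curl_error($ch),
        'http'  => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'chain' => [],
    ];
    // CURLINFO_CERTINFO yields one array per certificate in the order the server sent them.
    foreach ((array) curl_getinfo($ch, CURLINFO_CERTINFO) as $cert) {
        $subject = $cert['Subject'] ?? '';
        $issuer  = $cert['Issuer'] ?? '';
        $result['chain'][] = [
            'subject'     => $subject,
            'issuer'      => $issuer,
            // Subject equal to issuer marks a self-signed root: a server need not
            // send it, and a well-behaved client ignores it rather than failing.
            'self_signed' => $subject !== '' && $subject === $issuer,
        ];
    }
    curl_close($ch);
    return $result;
}

// Assumed bundle path for a Debian/Ubuntu host; adjust for your platform.
$r = fetchWithChainInfo('https://api.na.bambora.com/v1/payments',
                        '/etc/ssl/certs/ca-certificates.crt');
printf("HTTP %d, curl errno %d %s\n", $r['http'], $r['errno'], $r['error']);
foreach ($r['chain'] as $i => $c) {
    printf("[%d] %s%s\n    issued by %s\n", $i, $c['subject'],
           $c['self_signed'] ? ' (self-signed root)' : '', $c['issuer']);
}
```

If errno is 60 with a usable bundle, the chain did not validate locally; if the request succeeds but the last entry is flagged self-signed, the server is sending its anchor and the client is correctly ignoring it.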

Thanks a lot for all the information. I guess I first need to rule out that "self signed" refers to the certificate installed on my box. And next is to see if there is anything I need to do on the PHP cURL side.

1 Like

Presuming the root cert being sent is legitimate.

I do think the client should just ignore any such certs received.

1 Like

So the issue is that you get an error when talking to a remote API (that you don't control) using cURL in PHP. I'm surprised you have to set all those options just to get an HTTPS request to work(?).

Do you go through a proxy for your outgoing internet connection? Have you used Fiddler anywhere as a debugging proxy?

You mentioned win-acme, but I'm deducing from that that your own website certificate is managed by win-acme and Let's Encrypt, so this issue doesn't really involve win-acme or Let's Encrypt; it's basically "how do you make an HTTPS request using PHP?" If so, we have a couple of PHP wizards on the forum and I'm sure they can get to the bottom of it.

2 Likes

As I said, I just started to use Let's Encrypt, and it is also my first time using cURL in PHP, so I thought the message indicated the certificate I have installed is self-signed.

Based on the replies in this forum, I agree this has nothing to do with win-acme or Let's Encrypt.

Would you mind providing me more information about the PHP wizards you mentioned?

1 Like

@Jimwong266 It is possible that updating your cURL and/or whichever TLS implementation is being used by cURL will help. Newer versions of OpenSSL for example should know that if they see a certificate they don't need sent by the server, they can just ignore it safely and press on, not complain (as it seems yours does).

As others have said, the problem is that this Bambora server is presenting an extra certificate it should not be sending. But much modern software (e.g. popular web browsers) will ignore that useless certificate, and I believe newer cURL builds, when paired with newer TLS libraries, ought to be able to do the same; it works here. Of course it may be that Bambora are responsive and able to fix the problem, but if not, updating cURL (and maybe OpenSSL or other TLS libraries) could be just the trick.

3 Likes