Hi friends, I have a PHP script running on my cPanel server (v98.0.8, CENTOS 7.9). My PHP script makes a nightly HTTPS request to a Windows server. The Windows server uses a LetsEncrypt certificate. All has run fine for years but just now, my PHP requests are failing with:
SplFileObject::__construct(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
I have hundreds of LetsEncrypt certs on my Windows server and I tried many of them, and they're all now failing in this way when PHP requests them. However, having PHP request another website like Google will work fine. (Oddly, I use these same LetsEncrypt certs as my master certs in cPanel, and that has worked fine.)
I suspect that maybe the upcoming Sept 30 expiration of the old LetsEncrypt root cert might be involved? (Although we're still 7 days away from that.) Is there any way to further debug this, or update PHP or openssl or the list of root CAs?
Here's what I've tried without working:
* renewed my SSL cert on my Windows machine
* updated my LetsEncrypt infrastructure there to latest (winacme) and regenerated certs
* did ssl-labs test against my Windows website (A ranking, plus I have heavy traffic with no problem reports)
* from PHP, requested a different SSL website Google (worked ok!)
* on cPanel server, rebooted
* ran: sudo yum update (nothing)
* ran: sudo yum update ca-certificates (already updated)
* ran: EasyApache4 (Apache 2.4 and PHP 7.4)
* inspected php.ini (all default settings for curl, openssl)
Maybe PHP has its own built-in list of root CAs and I need to find them & update?
Here's my test code, and when I use curl() with CURLOPT_SSL_VERIFYHOST I get the same error behaviour:
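<?php
echo( 'hello world' );
try {
    // Target URL (redacted in the post as "Limited-Access")
    $url = 'Limited-Access';
    ##$url = 'https://www.google.com/';
    // Opening an https:// URL performs the TLS handshake and certificate check
    $fh_r = new SplFileObject( $url, 'rb' );
    $bytes = 0;
    if ($fh_r) {
        while (!$fh_r->eof()) {
            $bytes += strlen( $fh_r->fgets() );
        }
    }
    echo( "I read $bytes bytes" );
}
catch (Exception $e) {
    // SplFileObject throws RuntimeException when the stream cannot be opened
    echo( "Error: " . $e->getMessage() );
}
?>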
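A diagnostic for the two questions raised in the post (which CA list PHP uses, and whether an expiring root is involved), added here as an example and not part of the original post. The script name, the host argument, and the root names it searches for (ISRG Root, DST Root CA X3) are assumptions supplied for this example.

```php
<?php
// Added diagnostic example, not the poster's code. Run: php tls_diag.php <host>
// (tls_diag.php and <host> are placeholders chosen for this example.)

// Short name and expiry for one certificate (PEM string or OpenSSL handle).
function describe_cert($cert): string {
    $c = openssl_x509_parse($cert);
    if ($c === false) {
        return '(unparseable certificate)';
    }
    $name = function (array $dn): string {
        $v = $dn['CN'] ?? $dn['OU'] ?? $dn['O'] ?? '?';
        return is_array($v) ? implode('/', $v) : $v;
    };
    $state = $c['validTo_time_t'] < time() ? 'EXPIRED' : 'valid';
    return sprintf('%s (issuer: %s) notAfter=%s [%s]', $name($c['subject']),
        $name($c['issuer']), gmdate('Y-m-d', $c['validTo_time_t']), $state);
}

// 1. Which CA sources does this PHP/OpenSSL build consult?
$loc = openssl_get_cert_locations();
foreach (['ini_cafile', 'ini_capath', 'default_cert_file', 'default_cert_dir'] as $k) {
    printf("%-18s %s\n", $k, $loc[$k] !== '' ? $loc[$k] : '(unset)');
}
printf("%-18s %s\n", 'curl.cainfo', ini_get('curl.cainfo') ?: '(unset)');

// 2. Which roots relevant to Let's Encrypt chains are in the bundle PHP will use?
$bundle = $loc['ini_cafile'] !== '' ? $loc['ini_cafile'] : $loc['default_cert_file'];
$pem = is_readable($bundle) ? file_get_contents($bundle) : '';
preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
printf("\n%d certificates in %s\n", count($m[0]), $bundle);
foreach ($m[0] as $cert) {
    $line = describe_cert($cert);
    if (preg_match('/ISRG Root|DST Root CA X3/', $line)) {
        echo "  $line\n";
    }
}

// 3. What chain does the server actually send? Verification is off here only
//    so the chain can be captured after a failure; no request data is sent.
if (isset($argv[1])) {
    $ctx = stream_context_create(['ssl' => ['verify_peer' => false,
        'verify_peer_name' => false, 'capture_peer_cert_chain' => true]]);
    $fp = @stream_socket_client("ssl://{$argv[1]}:443", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    $chain = $fp ? stream_context_get_params($fp)['options']['ssl']['peer_certificate_chain'] : [];
    echo "\nChain sent by {$argv[1]}:", $fp ? "\n" : " connect failed: $errstr\n";
    foreach ($chain as $i => $cert) {
        echo "  [$i] ", describe_cert($cert), "\n";
    }
}
```

Comparing the issuer of the last certificate in the captured chain against the roots listed from the bundle shows whether the chain ends at a root this PHP build trusts.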