SSL cURL error on localhost

Hi there, any assistance here would be great. I'm running into an issue with SSL where a site cannot communicate with itself or other sites on the same server via SSL. Specifically, a cURL request to an HTTPS URL fails with "string(69) "SSL certificate problem: self signed certificate in certificate chain"".

I would love to correct this security hole as it is important.

My current setup is that I have my SSL set to Full (Strict) and the Origin Server Certificate installed correctly as the site functions generally perfectly with SSL.

I've set up examples to replicate the issue:
https://api.sketchad-development.com/secure-curl-local-open.php - Functions correctly using http (gets a response)
https://api.sketchad-development.com/secure-curl-local-secure.php - RETURNS AN ERROR [ string(69) "SSL certificate problem: self signed certificate in certificate chain" ]

I find this baffling. Does the origin certificate not work if it asks itself for a resource? Or is this a server specific issue?

I’d generally stay away from such implementations. Whatever is local should be done via any local means and not via HTTP.

But in this case the site that needs to use the API-provided data is on the same WHM / cPanel server. Which is why I set up these simple examples.

And you have no way to make these calls locally, like any regular function call?

Well, the generally accepted way to get information out of a database environment is through a secure API. The end game is that multiple sites and apps will query the API for information. In this particular case the site that needs the information happens to sit on the same server, which is rejecting the SSL.

My point is you should use something that is local, not an HTTP request. Why is that not possible?

Because essentially the sites are isolated from one another as per having different accounts on WHM. And that the correct way of pulling information out of a DB and into a site would generally be via an API / JSON in this case.

Agreed, but they should provide a local API for that. An HTTP URL is not really a replacement for that.

Anyhow, you are on Full strict, right? So you do have a valid certificate, right? Is that an Origin certificate or a public one?

Full (strict) is correct. With an origin cert provided by CloudFlare

In that case cURL won't trust the certificate. You need to add Cloudflare's root certificate to your trust store.

Or you simply stick to an HTTP call.


@travis8,

A Cloudflare origin cert is issued/trusted by Cloudflare and meant to be used behind Cloudflare. So unless the local machine (or any machine accessing the site directly) trusts that cert it would generate an error.

— OG

Just to dig a bit deeper / expand, I created an account on a different WHM / cPanel server called test.sketchad-development.com, put the same files in there, installed the same Cloudflare Origin Certificate, and it functions correctly. I get a correct response.

Can be seen here: https://test.sketchad-development.com/secure-curl-local-secure.php

So now we’ve got conflicting replies. Because cURL can seem to trust the cert because of the response above and it isn’t directly behind CloudFlare. It’s the same system (WHM / cPanel) and setup as the original server: https://api.sketchad-development.com/secure-curl-local-secure.php

You were not connecting to the public hostname but to localhost. The former is actually even worse architecture-wise but will get you a proper certificate.

Again, I strongly advise against that setup but if you insist on doing it that way you should - as I already explained - either use HTTP or add the root certificate to the trust store.

I was connecting to the fully qualified hostname in the curl. In both examples.

$url = "https://test.sketchad-development.com/secure-api.php";
$ch = curl_init($url);

In that case you shouldn't have received that error message. You might have some DNS resolution issue. Unfortunately that is somewhat beyond the forum's scope, however.

Are there clear instructions on how to add the root certificate into the trust store? I’m willing to try anything at this stage.

If you didn't connect directly but via Cloudflare, the root certificate won't help. You need to debug your cURL connection; StackExchange might be of help in this case.
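For readers who land here with the same "self signed certificate in certificate chain" error, the following is an added PHP example (not code posted in this thread) of the trust-store approach the replies describe: keep cURL's certificate verification switched on and hand it a CA bundle that contains the Cloudflare Origin CA root, instead of disabling verification with CURLOPT_SSL_VERIFYPEER. The bundle path, the helper name fetchWithTrustedCa, and the use of the thread's API URL are assumptions. As noted above, this only helps when the request actually reaches the origin server directly; a request that goes through Cloudflare's edge presents a publicly trusted certificate and fails for a different reason.

```php
<?php
// Added example: fetch an HTTPS URL with cURL while verifying the server
// certificate against a CA bundle that includes the issuer's root.
// $cafile is a placeholder path to a PEM file holding the Cloudflare Origin CA
// root certificate (obtain it from Cloudflare's documentation).

function fetchWithTrustedCa(string $url, string $cafile): array
{
    if (!is_readable($cafile)) {
        return ['ok' => false, 'error' => "CA bundle not readable: $cafile"];
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // The insecure "fix" is CURLOPT_SSL_VERIFYPEER => false, which accepts
        // any certificate at all. Keep verification on and fix the trust chain.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,        // hostname must match the certificate
        // Bundle of trusted roots for this handle; must contain the Origin CA
        // root for the chain served by the origin to validate.
        CURLOPT_CAINFO         => $cafile,
        CURLOPT_TIMEOUT        => 10,
    ]);

    $body   = curl_exec($ch);
    $result = ['ok' => false];
    if ($body === false) {
        // curl_errno() 60 (CURLE_PEER_FAILED_VERIFICATION) is the code behind
        // the "SSL certificate problem" message quoted in the thread.
        $result['error'] = sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch));
    } else {
        $result['ok']     = true;
        $result['status'] = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $result['body']   = $body;
    }
    curl_close($ch);
    return $result;
}

// Placeholder path; adjust to wherever the Origin CA root PEM is stored.
$cafile = '/path/to/cloudflare-origin-ca-root.pem';
$result = fetchWithTrustedCa('https://api.sketchad-development.com/secure-api.php', $cafile);
var_dump($result['ok'] ? $result['status'] : $result['error']);
```

CURLOPT_CAINFO replaces the default bundle for that handle rather than adding to it, so if the same code also calls publicly issued sites, concatenate the system CA bundle and the Origin CA root into one PEM file. The alternative the thread mentions, adding the root to the operating system's trust store, achieves the same result for every cURL client on the machine without touching application code.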
