SSL cURL error on localhost

travis8 · May 20, 2020, 4:00pm

Hi there, any assistance here would be great. I’m running into an issue with SSL where a site cannot communicate with itself or other sites on the same server via SSL. Specifically, a cURL request to an https url fails with "string(69) “SSL certificate problem: self signed certificate in certificate chain”.

I would love to correct this security hole as it is important.

My current setup is that I have my SSL set to Full (Strict) and the Origin Server Certificate installed correctly as the site functions generally perfectly with SSL.

I’ve setup examples to replicate the issue:
https://api.sketchad-development.com/secure-curl-local-open.php - Functions correctly using http (gets a response)
https://api.sketchad-development.com/secure-curl-local-secure.php - RETURNS AN ERROR [ string(69) “SSL certificate problem: self signed certificate in certificate chain” ]

I find this baffling. Does the origin certificate not work if it asks itself for a resource? Or is this a server specific issue?

sandro · May 20, 2020, 4:18pm

I’d generally stay away from such implementations. Whatever is local should be done via any local means and not via HTTP.

travis8 · May 20, 2020, 4:33pm

But in this case the site that needs to use the API provided data is on the same WHM / cPanel server. Which is why I setup these simple examples.

sandro · May 20, 2020, 4:34pm

And you have no way to make these calls locally, like any regular function call?

travis8 · May 20, 2020, 4:38pm

Well, the generally accepted way to get information out of a database environment is through a secure API. The end game is multiple sites and apps will query the API for information. In this particular case the site that needs the information happens to sit on the same server. Which is rejecting the SSL.

sandro · May 20, 2020, 4:39pm

My point is you should use something that is local, not an HTTP request. Why is that not possible?

travis8 · May 20, 2020, 4:43pm

Because essentially the sites are isolated from one another as per having different accounts on WHM. And that the correct way of pulling information out of a DB and into a site would generally be via an API / JSON in this case.

sandro · May 20, 2020, 4:45pm

Agreed, but they should provide a local API for that. An HTTP URL is not really a replacement for that.

Anyhow, you are on Full strict, right? So you do have a valid certificate, right? Is that an Origin certificate or a public one?

travis8 · May 20, 2020, 4:48pm

Full (strict) is correct. With an origin cert provided by CloudFlare

sandro · May 20, 2020, 4:49pm

In that case cURL wont trust the certificate. You need to add Cloudflare’s root certificate to your trust store.

Or you simply stick to an HTTP call.

OliverGrant · May 20, 2020, 5:40pm

@travis8,

A Cloudflare origin cert is issued/trusted by Cloudflare and meant to be used behind Cloudflare. So unless the local machine (or any machine accessing the site directly) trusts that cert it would generate an error.

— OG

travis8 · May 20, 2020, 5:56pm

Just to dig a bit deeper / expand I created an account on a different WHM / cPanel server called test.sketchad-development.com, put the same files in there, installed the same CloudFlare Origin Certificate and it functions correctly. I get a correct response.

Can be seen here: https://test.sketchad-development.com/secure-curl-local-secure.php

So now we’ve got conflicting replies. Because cURL can seem to trust the cert because of the response above and it isn’t directly behind CloudFlare. It’s the same system (WHM / cPanel) and setup as the original server: https://api.sketchad-development.com/secure-curl-local-secure.php

sandro · May 20, 2020, 5:58pm

You were not connecting to the public hostname but to localhost. The former is actually even worse architecture-wise but will get you a proper certificate.

Again, I strongly advise against that setup but if you insist on doing it that way you should - as I already explained - either use HTTP or add the root certificate to the trust store.

travis8 · May 20, 2020, 6:02pm

I was connecting to the fully qualified hostname in the curl. In both examples.

$url = “https://test.sketchad-development.com/secure-api.php”;
$ch = curl_init($url);

sandro · May 21, 2020, 4:15pm

In that case you shouldnt have received that error message. You might have some DNS resolution issue. Unfortunately that is somewhat beyond the forum’s scope however.

travis8 · May 20, 2020, 6:04pm

Are there clear instructions on how to add the root certificate into the trust store? I’m willing to try anything at this stage.

sandro · May 20, 2020, 6:04pm

If you didnt connect directly but via Cloudflare, the root certificate wont help. You need to debug your cURL connection, StackExchange might be help in this case.

system · June 19, 2020, 4:00pm

This topic was automatically closed after 30 days. New replies are no longer allowed.