July 30, 2016 at 9:05 pm #3636
Hi guys – I’m running 2.6.5 on the Bitnami stack. When I attempt to email an invoice I receive the following error:-
stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
I have tried downloading the latest cacert.pem from http://curl.haxx.se/ca/cacert.pem and then pointing to it with openssl.cafile=/opt/bitnami/common/openssl/certs/cacert.pem in php.ini. After restarting the stack the same issue persists.
I’ve read around on the issue, and it seems that PHP 5.6+ enables verify_peer by default and there is no way of setting this option in php.ini anymore. Any ideas where I can modify the mailer code to allow me to fix this?
P.S – This issue does not appear to be related to my installed signed certificates for Apache2, as I have tested the certificate chain and it checks out fine.
Thanks
July 30, 2016 at 9:08 pm #3637
Sorry, you’ll need to trace through the code.
In the past the two changes you’ve suggested have worked to solve the problem.
July 30, 2016 at 9:21 pm #3638
How is verify_peer configured in PHP 5.6? I’m looking to just set it to false
July 30, 2016 at 9:26 pm #3639
I believe you need to set it in the .ini file
July 30, 2016 at 9:28 pm #3640
Just did a grep for ‘verify_peer’ – Is this the file I should be modifying for the mailer function?
Thanks
July 30, 2016 at 9:31 pm #3641
I’m sorry, I’m not familiar with our third party code.
July 30, 2016 at 9:37 pm #3642
I don’t see any option in my php.ini file in PHP 5.6 for disabling peer verification.
July 30, 2016 at 9:40 pm #3643
Maybe this will help…
July 30, 2016 at 10:41 pm #3645
Thanks – I’ve had a dig around, but I’m not competent enough with PHP to really know which file to modify. :/
I guess I could roll back to PHP 5.5 where the issue apparently doesn’t exist. I’d rather not however..
July 31, 2016 at 2:05 am #3646
Have you tried using the openssl verify commands to verify your certificate? It will also verify your CSR.
Verify your Certificate file: openssl verify -CAfile fileName
If the file failed verification, the message would look something like this: server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
error 24 at 1 depth lookup:invalid CA certificate
But it would at least let you know if the Certificate isn’t corrupt
July 31, 2016 at 4:16 pm #3649
I switched my mail configuration settings across to a different provider (Gmail) and I was able to email invoices again. Previously I was using our Exchange 2013 server with a receive connector setup.
Oddly this setup worked without issues on a previous version of PHP. The Exchange SAN certificate checks out fine when performing tests on SSLLabs (chain is correct etc)
Not quite sure what openssl isn’t happy about with respect to my signed certificates from a trusted authority on Exchange 2013, I’ll have to do some more digging.
I’m pretty sure the cacert.pem isn’t corrupt as it’s a fresh download from http://curl.haxx.se/ca/.
Thanks
July 31, 2016 at 4:43 pm #3650
Thanks for sharing your solution.
October 17, 2019 at 12:31 am #22198
This might not be exactly relevant to the previous case, but I found the issue was caused by SMTP Restrictions having been accidentally activated in WHM. As soon as this was disabled I was able to send again.
Hope that helps
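
How openssl verify -CAfile (suggested in the July 31 reply above) reports a chain problem, as an added example that is not from any poster in this thread: it builds a constructed root, intermediate and leaf certificate locally, then verifies the leaf against the root alone and again with the intermediate supplied. All subject names and file names are made up for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (root -> intermediate -> leaf); every name here is made up.

# issue NAME SUBJECT X509-ARGS...: new key + CSR, then a certificate signed per X509-ARGS
issue() {
  name=$1 subj=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$name.csr" -days 2 -out "$name.pem" "$@" 2>/dev/null
}

build_demo_chain() {
  d=$1
  # Mark the root and the intermediate as CA certificates
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  issue "$d/root" "/CN=Demo Root CA" -signkey "$d/root.key" -extfile "$d/ca.ext" &&
  issue "$d/int" "/CN=Demo Intermediate CA" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -extfile "$d/ca.ext" &&
  issue "$d/leaf" "/CN=mail.example.test" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3
}

# Trust store holds the root only and nothing supplies the intermediate
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Same trust store, intermediate supplied as an untrusted helper certificate
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1
}

demo_dir=$(mktemp -d)
build_demo_chain "$demo_dir"
echo "root only:";           verify_root_only "$demo_dir" || true
echo "root + intermediate:"; verify_with_intermediate "$demo_dir" || true
rm -rf "$demo_dir"
```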