Ошибка ssl peer certificate or ssh remote key was not ok

I’m testing an API that uses curl_exec php function and a CA certificate but something is going wrong and I’m a little lost.

I have configured SSL on my apache VirtualHost and looks ok ( opening https:://[myVHost]… works ).

However the API curl call give me back this message:

• SSL peer certificate or SSH remote key was not OK

I’m not very experienced with SSL so I have few ideas about the cause of that.

UPDATE:

This is the code I’m using in my cURL request, I have commented 2 lines and changes their value (look at ‘TODO’ line ) and in this way it is working, however this is just a work arround …

$opts[CURLOPT_URL] = $url;
    $opts[CURLOPT_RETURNTRANSFER] = true;
    $opts[CURLOPT_CONNECTTIMEOUT] = 50;
    $opts[CURLOPT_TIMEOUT] = 100;
    $headers = array(
        'Accept: application/json',
        "User-Agent: APIXXX-PHP-Client");
    $opts[CURLOPT_HTTPHEADER] = $headers;
    $opts[CURLOPT_USERPWD] = $env->getApiKey() . ':';
    if (certificatePresent()) {

        //  $opts[CURLOPT_SSL_VERIFYPEER] = true;
        //  $opts[CURLOPT_SSL_VERIFYHOST] = 2;

        // TODO: SET IT BACK
        $opts[CURLOPT_SSL_VERIFYPEER] = 0;
        $opts[CURLOPT_SSL_VERIFYHOST] = 0;

        $opts[CURLOPT_CAINFO] = $path

      }

    curl_setopt_array($curl, $opts);

    $response = curl_exec($curl);

Beside CURLOPT_SSL_VERIFYPEER there are two other settings which might be changed to false/0:

CURLOPT_SSL_VERIFYHOST
CURLOPT_SSL_VERIFYSTATUS

Beware that you should fix your SSL certificates & settings instead of disable security!

answered Sep 21, 2017 at 9:50

Although I am answering an old post, I think it will help the new viewers-

You can check the problem by adding

$opts[CURLOPT_VERBOSE] = 1

For self signed certificate your client may connect with the server using IP address, because the host name is not available in DNS cache. In that case the COMMON NAME(CN) of your server certificate needs to match with the Server IP (put IP address as common name when generating the server certificate). When you do it correctly, you can see this message:

common name: 192.168.0.1 (matched)

Here 192.168.0.1 is an example.

answered Mar 8, 2017 at 13:45

You’re right to want to enable SSL_VERIFYPEER if you are worried about man-in-the-middle attacks.

Is your $path set to point to the certificate (or certificate bundle) provided by the API owner? Is that certificate readable by the web server user? If so, have you verified that the certificate(s) is the same as when you visit the https address manually in a browser and inspect the certificate?

If you can’t get it to work, and the API you are connecting to has a SSL certificate that works in your normal browser without warnings, you should be able to set $path to your CA root bundle on your server.

answered May 19, 2014 at 4:10

You can build a valid SSL certificate and ensure that it is stored in the trusted folder.

Valid SSL certificate can be created by including the following command in the developer command prompt of VS2012. (This can be obtained by typing developer in the start)

The following command creates a self-signed certificate that can be used to test a web application that uses Secure Sockets Layer (SSL) on a web server whose URL is www.example.com. The OID defined by the -eku option identifies that certificate as an SSL server certificate. The certificate is stored in the my store and is available at the machine (rather than user) level. The certificate’s private key is exportable, and the certificate is valid from May 10, 2010 through December 22, 2011.

Makecert -r -pe -n CN=»www.example.com» -b 05/10/2010 -e 12/22/2011 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp «Microsoft RSA SChannel Cryptographic Provider» -sy 12

For more on how to create the SSL certificate

Now make sure that this certificate is trusted, this can be done by typing CERTMGR in the cmd..

now the cert created is in the PERSONAL folder.. copy it and paste it to the TRUSTED PEOPLE FOLDER.

This should do the trick. Let me know if that doesn’t work.

This error can also occur if you update packages on a linux server that has a self-signed certificate.

Solution:
Stop your existing Apache/nginx server.
Run certbot (if you are using lets encrypt)

Restart your Apache/nginx server.

Note: If you’re using Springboot, add System.setProperty(«https.protocols», «TLSv1,TLSv1.1,TLSv1.2,TLSv1.3»); to your application.properties file

Voila!

answered Jun 22, 2021 at 13:26

answered Nov 18, 2021 at 11:19

I’m testing an API that uses curl_exec php function and a CA certificate but something is going wrong and I’m a little lost.

I have configured SSL on my apache VirtualHost and looks ok ( opening https:://[myVHost]… works ).

However the API curl call give me back this message:

• SSL peer certificate or SSH remote key was not OK

I’m not very experienced with SSL so I have few ideas about the cause of that.

UPDATE:

This is the code I’m using in my cURL request, I have commented 2 lines and changes their value (look at ‘TODO’ line ) and in this way it is working, however this is just a work arround …

$opts[CURLOPT_URL] = $url;
    $opts[CURLOPT_RETURNTRANSFER] = true;
    $opts[CURLOPT_CONNECTTIMEOUT] = 50;
    $opts[CURLOPT_TIMEOUT] = 100;
    $headers = array(
        'Accept: application/json',
        "User-Agent: APIXXX-PHP-Client");
    $opts[CURLOPT_HTTPHEADER] = $headers;
    $opts[CURLOPT_USERPWD] = $env->getApiKey() . ':';
    if (certificatePresent()) {

        //  $opts[CURLOPT_SSL_VERIFYPEER] = true;
        //  $opts[CURLOPT_SSL_VERIFYHOST] = 2;

        // TODO: SET IT BACK
        $opts[CURLOPT_SSL_VERIFYPEER] = 0;
        $opts[CURLOPT_SSL_VERIFYHOST] = 0;

        $opts[CURLOPT_CAINFO] = $path

      }

    curl_setopt_array($curl, $opts);

    $response = curl_exec($curl);

Beside CURLOPT_SSL_VERIFYPEER there are two other settings which might be changed to false/0:

CURLOPT_SSL_VERIFYHOST
CURLOPT_SSL_VERIFYSTATUS

Beware that you should fix your SSL certificates & settings instead of disable security!

answered Sep 21, 2017 at 9:50

Although I am answering an old post, I think it will help the new viewers-

You can check the problem by adding

$opts[CURLOPT_VERBOSE] = 1

For self signed certificate your client may connect with the server using IP address, because the host name is not available in DNS cache. In that case the COMMON NAME(CN) of your server certificate needs to match with the Server IP (put IP address as common name when generating the server certificate). When you do it correctly, you can see this message:

common name: 192.168.0.1 (matched)

Here 192.168.0.1 is an example.

answered Mar 8, 2017 at 13:45

You’re right to want to enable SSL_VERIFYPEER if you are worried about man-in-the-middle attacks.

Is your $path set to point to the certificate (or certificate bundle) provided by the API owner? Is that certificate readable by the web server user? If so, have you verified that the certificate(s) is the same as when you visit the https address manually in a browser and inspect the certificate?

If you can’t get it to work, and the API you are connecting to has a SSL certificate that works in your normal browser without warnings, you should be able to set $path to your CA root bundle on your server.

answered May 19, 2014 at 4:10

You can build a valid SSL certificate and ensure that it is stored in the trusted folder.

Valid SSL certificate can be created by including the following command in the developer command prompt of VS2012. (This can be obtained by typing developer in the start)

The following command creates a self-signed certificate that can be used to test a web application that uses Secure Sockets Layer (SSL) on a web server whose URL is www.example.com. The OID defined by the -eku option identifies that certificate as an SSL server certificate. The certificate is stored in the my store and is available at the machine (rather than user) level. The certificate’s private key is exportable, and the certificate is valid from May 10, 2010 through December 22, 2011.

Makecert -r -pe -n CN=»www.example.com» -b 05/10/2010 -e 12/22/2011 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp «Microsoft RSA SChannel Cryptographic Provider» -sy 12

For more on how to create the SSL certificate

Now make sure that this certificate is trusted, this can be done by typing CERTMGR in the cmd..

now the cert created is in the PERSONAL folder.. copy it and paste it to the TRUSTED PEOPLE FOLDER.

This should do the trick. Let me know if that doesn’t work.

This error can also occur if you update packages on a linux server that has a self-signed certificate.

Solution:
Stop your existing Apache/nginx server.
Run certbot (if you are using lets encrypt)

Restart your Apache/nginx server.

Note: If you’re using Springboot, add System.setProperty(«https.protocols», «TLSv1,TLSv1.1,TLSv1.2,TLSv1.3»); to your application.properties file

Voila!

answered Jun 22, 2021 at 13:26

answered Nov 18, 2021 at 11:19

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and
privacy statement. We’ll occasionally send you account related emails.

Already on GitHub?
Sign in
to your account

CEHitchens opened this issue

Oct 2, 2021

· 16 comments