SSL operation failed with code 1

General discussion on Zend Server for IBM System i

SSL operation failed with code 1

Post by eric6141 » Mon Feb 22, 2016 10:28 pm

We are running Zend Server for i at version 8.5.3 (PHP 5.6), and we are having trouble with SSL connections. In the examples below I purposely added spaces in the URLs so the post goes through.

If we run this command from the PASE environment we get an error.

php-cli -r 'ini_set("display_errors", 1);file_get_contents("http s://ww w.google.c om/");'

We then followed the steps found here. http s://support.zend. com/hc/en-us/articles/205679027-Add-a-trusted-certificate-authority-to-IBM-i-for-PHP-5-6

We only imported Google's cert to test, and when we run the same command in the PASE environment it still fails with the following.

Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in Command line code on line 1

Warning: file_get_contents(): Failed to enable crypto in Command line code on line 1

Warning: file_get_contents(http s://ww w.google.c om/): failed to open stream: operation failed in Command line code on line 1

Any thoughts on what is needed for these SSL requests to work properly?


Re: SSL operation failed with code 1

Post by eric6141 » Tue Feb 23, 2016 7:32 pm

Got the answer from the great support folks at Zend. Just going to paste the answer here below. Again I need to add some spaces to the URLs so I can let the post go through.

In testing here, I am finding two problems with the Knowledge Base article. The first is that the curl.ha xx. se site has converted the page to SSL, so we can't directly do the readfile() to get the pem file, because we don't already have the pem file (Catch 22).

I did find a workaround for this first issue that is pretty easy. Using Chrome, browse to htt p://curl.ha xx. se/ca/cacert.pem . You will notice when you get there that the http has changed to https. In your Chrome browser, you will see the contents of the pem file. Just copy the whole page (ctrl-a, ctrl-c) and paste into the empty /usr/local/openssl-1.0.1k/ssl/cert.pem file that gets created when you try to do the readfile() into it. This gives you a valid trusted CA that works well for most sites.

Unfortunately, it does not work well for Google. I think this article from Google tells why:
http s://pki.go ogle. com/faq.html

So, I changed our article to use zend. com to check the success of the installation (I still need to update it to show how to copy from Chrome). After loading the cert.pem file, I can successfully do this:

php-cli -r 'ini_set("display_errors", 1);file_get_contents("http s://www.ze nd. com/");'

I can even do this for the trustwave site Google mentions in their FAQ:

php-cli -r 'ini_set("display_errors", 1);file_get_contents("http s://www.trust wave. com/");'

I can also even download the pem file and display it (now that I have it installed):

php-cli -r 'ini_set("display_errors", 1);readfile("http://curl.ha xx. se/ca/cacert.pem");'

What I cannot do is this:
php-cli -r 'ini_set("display_errors", 1);file_get_contents("http s://www.go ogle. com/");'

I still get all the errors.
At this point, I do not yet know what, if anything, we can do about the way Google is updating their certs. This might be something that has to be managed in OpenSSL, which is provided by IBM on the IBM i. Or there might be some other solution, or possibly there is no solution, at least in the short term. Do you need specifically to use Google in your application, or were you just using it for testing? Are you able to successfully resolve your issue by copying the cert.pem file using copy-paste from Chrome?
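
A diagnostic script for the situation in this thread, added here as an example (it is not part of either post or of Zend's article): it shows where PHP 5.6 looks for trusted CAs, checks that the bundle is populated, attempts a verified handshake against it, and on failure lists the issuers the server presents so they can be compared with the bundle. The default host and the cert.pem path are assumptions taken from the thread; pass your own as arguments.

```php
<?php
// Added example, not from the thread. Usage: php-cli check_ca.php [host] [cafile]
// Defaults are assumptions based on the host and path mentioned in the thread.
$host   = isset($argv[1]) ? $argv[1] : 'www.zend.com';
$cafile = isset($argv[2]) ? $argv[2] : '/usr/local/openssl-1.0.1k/ssl/cert.pem';

// 1. Where does this PHP/OpenSSL build look for trusted CAs by default?
foreach (openssl_get_cert_locations() as $key => $value) {
    printf("%-26s %s\n", $key, $value);
}

// 2. Is the bundle readable, non-empty, and does it hold PEM certificates?
if (!is_readable($cafile) || filesize($cafile) === 0) {
    fwrite(STDERR, "CA bundle missing or empty: $cafile\n");
    exit(2);
}
$count = substr_count(file_get_contents($cafile), '-----BEGIN CERTIFICATE-----');
echo "$cafile contains $count certificates\n";

// Open a TLS connection with the given ssl context options; false on failure.
function tls_connect($host, array $ssl) {
    $ctx = stream_context_create(array('ssl' => $ssl));
    return stream_socket_client("ssl://$host:443", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
}

// 3. Verified handshake against the explicit bundle (PHP prints the OpenSSL
//    warning itself if verification fails).
$fp = tls_connect($host, array(
    'cafile' => $cafile, 'verify_peer' => true, 'verify_peer_name' => true,
));
if ($fp) { echo "OK: $host verifies against $cafile\n"; fclose($fp); exit(0); }
echo "FAIL: $host does not verify against $cafile\n";

// 4. Inspection only: capture the presented chain without verification so the
//    issuers can be compared with the bundle. No application data is sent.
$fp = tls_connect($host, array(
    'verify_peer' => false, 'verify_peer_name' => false,
    'capture_peer_cert_chain' => true,
));
if ($fp) {
    $params = stream_context_get_params($fp);
    foreach ($params['options']['ssl']['peer_certificate_chain'] as $i => $cert) {
        $info = openssl_x509_parse($cert);
        printf("chain[%d] subject: %s\n         issuer:  %s\n", $i,
               $info['name'], json_encode($info['issuer']));
    }
    fclose($fp);
}
exit(1);
```

If the issuer of the last chain entry has no matching certificate in the bundle, the fix is to add that root to the bundle, not to leave `verify_peer` off in application code.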
