I’ve searched for issues with this error but I’m baffled on what may have happened between a number of my own servers that have started to display this error:
Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /var/www/html/file_get.php on line 7
Line 7 is the file_get_contents command.
These are (Debian) servers under my control so I know nothing has (to my knowledge) happened/changed or updated/upgraded.
I know I can use the solution of including the below, but I’m keen to understand what has happened first (plus I have many, many files I’d need to update). I also really need to understand which server is the one that has the potential issue.
I have 3 servers, all of which access another 4th server with file_get_contents requests. 2 of the servers have suddenly (today a few hours ago) started to fail with the above error, the third one seems to still work fine.
I suspect the issue is with the two servers that display the issue rather than the 4th one they are all trying to access.
If I implement this code, it works, but I’d rather find the root cause:
$arrContextOptions = array(
    "ssl" => array(
        "verify_peer" => false,
        "verify_peer_name" => false,
    ),
);
and modify the file_get_contents to the following:
file_get_contents($input, false, stream_context_create($arrContextOptions));
But as mentioned, I have hundreds of files that would need changing.
All servers are Debian and use Let's Encrypt certs (which are valid).
I have tried adding the following to the php.ini:
openssl.cafile=/etc/letsencrypt/live/myserver.com/cert.pem
But this has not worked (the same error remains).
The openssl version of the server that still works is OpenSSL 1.1.0f 25 May 2017 (Library: OpenSSL 1.1.0l 10 Sep 2019); the two that display the error are OpenSSL 1.1.0l 10 Sep 2019. Not sure if this is relevant.
Any help would be appreciated.
UPDATE
So I have been able to resolve this so far. After a lot of test and trial I’m honestly not quite sure what resolved the problem for sure to get it working again, but I did all of the below:
- apt upgrade
- apt update
- I removed the old certbot-auto
- Installed certbot (newer version)
- Removed mozilla/DST_Root_CA_X3.crt from /etc/ca-certificates.conf
- Ran update-ca-certificates
Again, not sure which of the above (or the combination of the above) resolved the problem, but it’s working for me now.
3 Answers
I’ve got the same issue today:
OK in the web browser, SSL error in Postman and some programming language calls.
My error was due to the expiration of the Let’s Encrypt root certificate
(see the announcement here).
Using ssllabs.com we found that there are two certification chains for my certificate:
one going up to ISRG Root X1, which was OK;
another one going up to DST Root CA X3 (self-signed), the expired certificate (on Sept the 30th at 14:00 GMT).
To solve this issue, I updated certbot to the latest version (1.19) through snapd. The one in the package manager of my Ubuntu 20.04 was not the latest one (ref. certbot doc).
Then I renew the certificate using option :
--preferred-chain 'ISRG Root X1'
Note: looking at the OP's update, this is probably the default in the new release of certbot.
I then restarted the service. Since then everything is OK.
To confirm this is your issue,
the certification chain can be viewed through online tools like ssllabs.com.
Example of a failing cert:
I faced a similar issue with Ubuntu 16.04.7. In my case I was getting an "SSL Error: Certificate expired" message while trying GET / POST using Postman.
Here is the solution:
- In /etc/ca-certificates.conf, find the mozilla/DST_Root_CA_x3.crt line and put a ! sign at the start of the line, i.e. !mozilla/DST_Root_CA_x3.crt
- sudo update-ca-certificates
Before The Solution
After The Solution
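The deselect step from the question's update and the answer above, written as an added example that is not part of any post on this page: it reports whether the DST Root CA X3 entry is still enabled in a ca-certificates.conf file and prefixes it with `!` idempotently, keeping a backup. The function names `dst_x3_state` and `deselect_dst_x3` are hypothetical, the sample file is constructed, and the case-insensitive match is an assumption made because the posts spell the entry both `X3` and `x3`.

```shell
#!/bin/sh
# Entry as written in the question's update; matched case-insensitively
# because the answers on this page spell it with a lowercase "x".
ENTRY='mozilla/DST_Root_CA_X3.crt'

# Print "enabled", "deselected" or "absent" for ENTRY in the given conf file.
# In ca-certificates.conf a leading "!" deselects an entry, "#" is a comment.
dst_x3_state() {
    conf=$1
    if grep -qixF -e "$ENTRY" "$conf"; then
        echo enabled
    elif grep -qixF -e "!$ENTRY" "$conf"; then
        echo deselected
    else
        echo absent
    fi
}

# Prefix the entry with "!" only if it is currently enabled (safe to re-run).
# The previous file is kept as <conf>.bak so the change can be reverted.
deselect_dst_x3() {
    conf=$1
    [ "$(dst_x3_state "$conf")" = enabled ] || return 0
    cp -p "$conf" "$conf.bak"
    awk -v e="$ENTRY" '
        tolower($0) == tolower(e) { print "!" $0; next }
        { print }
    ' "$conf.bak" > "$conf"
}

# Demo on a constructed sample file (not a real system file).
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'mozilla/DST_Root_CA_X3.crt' \
    'mozilla/ISRG_Root_X1.crt' > "$sample"
echo "before: $(dst_x3_state "$sample")"
deselect_dst_x3 "$sample"
echo "after:  $(dst_x3_state "$sample")"
rm -f "$sample" "$sample.bak"
```

On a real host the path would be /etc/ca-certificates.conf, followed by the update-ca-certificates run the posts describe; running only `dst_x3_state` on each server shows which ones still have the entry enabled.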
I faced the same issue with CentOS 7.
My solution is:
sudo yum update ca-certificates
grep DST_Root_CA_x3 /etc/ssl/certs/ca-bundle.crt