Question

I am new to PHP and I am getting this error trying to load a cert:

jameys-macbookpro41:~ user$ php -f ~/Sites/providerService.php

Warning: stream_socket_client(): Unable to set local cert chain file `cert.pem'; Check that your cafile/capath settings include details of your certificate and its issuer in /Users/jamey/Sites/providerService.php on line 27

cert.pem is in the same folder as the PHP file. The file cert.pem was created in the Apple keychain tool.

class pushNotifications {
...
     private $sslPem = 'cert.pem';
...
     function connectToAPNS(){
          $streamContext = stream_context_create();
          stream_context_set_option($streamContext, 'ssl', 
             'local_cert', $this->sslPem);

Thanks for any help!


Solution

You are getting an error because it's trying to find your cert.pem file in the directory you are running the script from, not the directory the script is in. In your example, it is your user directory "~".

Try changing your class to this, or something similar:

class pushNotifications {
...
     private $sslPem = 'cert.pem';
...
     function connectToAPNS(){
          $streamContext = stream_context_create();
          stream_context_set_option($streamContext, 'ssl', 'local_cert', dirname(__FILE__) . '/' . $this->sslPem);

OTHER TIPS

I was having this issue as well. It turns out that for some reason my private key didn't match the one associated with the aps_developer_identity.cer I had...

I ended up clearing all of my public and private keys from my 'login' keychain item, then I started the entire process over again (Generated the request)...I submitted the new request file on the program portal and generated a new certificate, downloaded, and installed it by double-clicking it (developer_identity.cer). Then, I reset the provisioning profiles to use the new Push SSL certs, downloaded those, and installed them by double-clicking (aps_developer_identity.cer). Finally, I reset the provisioning profile and downloaded the new one. I cleared out the old one in the Xcode Organizer, and installed the new one. Finally, I exported my 'private' key as key.p12 and my aps_developer_identity.cer as apsdi.p12, and ran the following commands against them:

openssl pkcs12 -clcerts -nokeys -out apsdi.pem -in apsdi.p12
openssl pkcs12 -nocerts -out key.pem -in key.p12

If you're okay using a passphrase (recommended for production):

cat apsdi.pem key.pem > cert.pem

If you wish to use a 'blank' passphrase, you'll need to unencrypt your private key first, using the password you specified when you converted it to pem format:

openssl rsa -in key.pem -out key.unencrypted.pem

And then cat the cert and unencrypted key into apns.pem (or whatever filename you have chosen):

cat apsdi.pem key.unencrypted.pem > apns.pem

It's very important that you export your aps_developer_identity certificate, not your developer_identity certificate as apsdi.pem.

If you can expand your developer_identity.cer and aps_developer_identity.cer entries in Keychain Access, and you see a 'private' key when you do, everything should work.

As a complementary tip, for anyone having the same issue: when exporting the private key from Apple's keychain access, and converting to .pem, SPECIFY A PASSWORD.

For some reason, it seems leaving a blank password in one of the exports removes the private key, thus the final .pem is not complete.

So put a dummy password, even if you later remove it using openssl.

Notes for the future (after having a big headache because of all of this):

  1. If you get the handshake error, the pem file you created is probably wrong.

     a. Make sure the file is in the same directory as the PHP you are trying to run.
     b. Export the certificate p12 file AND the key under it in the Keychain Access utility. Both of these files will be the SAME size, but they ARE different.
     c. Do the above "openssl" commands in the Macintosh terminal.

  2. Currently, all I can do is run the PHP as sudo, because of the chmod 400 for ck.pem. Something got to give...

btw, the message "Failed to enable crypto" will disappear when the system runs correctly.

Just change the owner to www-data. It will work :)

sudo chown www-data.www-data ck.pem

The default user of Apache is www-data.
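
A preflight check for the file passed as 'local_cert', covering the failure modes raised in the answers above: a relative path resolved against the wrong directory, a file the PHP user cannot read, and a PEM whose private key is missing or does not match the certificate. This is an added example, not code from the question or any answer; checkLocalCert() is a hypothetical helper and the certificate it tests is generated on the spot.

```php
<?php
// Added example, not code from the thread. checkLocalCert() is a hypothetical helper.
function checkLocalCert(string $pemPath, string $passphrase = ''): array
{
    // Resolve relative names against this script's directory, not the shell's CWD.
    if ($pemPath === '' || $pemPath[0] !== '/') {
        $pemPath = __DIR__ . '/' . $pemPath;
    }
    if (!is_file($pemPath) || !is_readable($pemPath)) {
        return ["missing, or not readable by the user running PHP: $pemPath"];
    }
    $problems = [];
    $mode = fileperms($pemPath) & 0777;
    if ($mode & 0077) {
        $problems[] = sprintf('mode %04o exposes the private key to group/other', $mode);
    }
    $pem  = file_get_contents($pemPath);
    $cert = openssl_x509_read($pem);                      // first CERTIFICATE block
    $key  = openssl_pkey_get_private($pem, $passphrase);  // PRIVATE KEY block
    if ($cert === false) {
        $problems[] = 'no readable certificate in file';
    }
    if ($key === false) {
        $problems[] = 'no private key in file, or wrong passphrase';
    }
    if ($cert !== false && $key !== false) {
        if (!openssl_x509_check_private_key($cert, $key)) {
            $problems[] = 'private key does not match the certificate';
        }
        $notAfter = openssl_x509_parse($cert)['validTo_time_t'];
        if ($notAfter < time()) {
            $problems[] = 'certificate expired on ' . date('Y-m-d', $notAfter);
        }
    }
    return $problems;
}

// Constructed sample: a throwaway self-signed certificate concatenated with the WRONG key.
$certKey  = openssl_pkey_new(['private_key_bits' => 2048]);
$otherKey = openssl_pkey_new(['private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'example.invalid'], $certKey);
openssl_x509_export(openssl_csr_sign($csr, null, $certKey, 1), $certPem);
openssl_pkey_export($otherKey, $keyPem);
$tmp = tempnam(sys_get_temp_dir(), 'pem');   // created with mode 0600
file_put_contents($tmp, $certPem . $keyPem);
print_r(checkLocalCert($tmp));
unlink($tmp);
```

Call it with the same value you pass as 'local_cert' before opening the stream; an empty array means the file passed every check.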

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow