0884094

Member
Nov 14, 2013
17
7
53
cPanel Access Level
Root Administrator
Hi friends, I have a PHP script running on my cPanel server (v98.0.8, CENTOS 7.9). My PHP script makes a nightly HTTPS request to a Windows server. The Windows server uses a LetsEncrypt certificate. All has run fine for years but just now, my PHP requests are failing with:

SplFileObject::__construct(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

I have hundreds of LetsEncrypt certs on my Windows server and I tried many of them, and they're all now failing in this way when PHP requests them. However, having PHP request another website like Google will work fine. (Oddly, I use these same LetsEncrypt certs as my master certs in cPanel, and that has worked fine.)

I suspect that maybe the upcoming Sept 30 expiration of the old LetsEncrypt root cert might be involved? (Although we're still 7 days away from that.) Is there any way to further debug this, or update PHP or openssl or the list of root CAs?

Here's what I've tried without working:

* renewed my SSL cert on my Windows machine
* updated my LetsEncrypt infrastructure there to latest (winacme) and regenerated certs
* did ssl-labs test against my Windows website (A ranking, plus I have heavy traffic with no problem reports)
* from PHP, requested a different SSL website Google (worked ok!)
* on cPanel server, rebooted
* ran: sudo yum update (nothing)
* ran: sudo yum update ca-certificates (already updated)
* ran: EasyApache4 (Apache 2.4 and PHP 7.4)
* inspected php.ini (all default settings for curl, openssl)

Maybe PHP has its own built-in list of root CAs and I need to find them & update?

Here's my test code, and when I use curl() with CURLOPT_SSL_VERIFYHOST I get the same error behaviour:

<?php
echo( 'hello world' );
try {
    // Target URL is redacted in the post; the commented-out Google URL works fine.
    $url = 'Limited-Access';
    // $url = 'https://www.google.com/';
    // Open the URL through PHP's https:// stream wrapper (peer verification is on by default);
    // a rejected TLS handshake makes the constructor throw a RuntimeException.
    $fh_r = new SplFileObject( $url, 'rb' );
    $bytes = 0;
    if ($fh_r) {
        while (!$fh_r->eof()) {
            $bytes += strlen( $fh_r->fgets() );
        }
    }
    echo( "I read $bytes bytes" );
}
catch (Exception $e) {
    echo( "Error: " . $e->getMessage() );
}
?>

0884094
Thanks, cPRex!! I can confirm that just running curl on command line repros the problem.

curl Google (works ok)
curl Limited-Access
fails with:
curl: (60) Peer's Certificate issuer is not recognized.
More details here: curl - SSL CA Certificates

I can see from this link ( RHEL/CentOS 7 Fix for Let’s Encrypt Change ) that there's a known issue with Centos v7 + OpenSSL 1.0.2k + LetsEncrypt. The link says they fixed it on Sept 24, which matches the timestamp of my ca-bundle in /etc/ssl/certs, but for me the problem started around that time, rather than was fixed. I guess since it is all so new & the powers-that-be are pushing fixes out, I'll just wait a little while.

I expect that this command will fix it once they finesse the ca-bundle:
sudo yum reinstall ca-certificates
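For the "how do I debug this further" question in the first post and the ca-bundle point in the second, here is a PHP diagnostic added to this thread (not code from either post or from cPanel): it captures the chain the Windows server actually sends, prints each link's issuer and expiry, then repeats the handshake with verification against the CentOS 7 bundle so the failing link is visible. The hostname and bundle path are assumptions.

```php
<?php
function fetchPeerChain(string $host, int $port = 443): array
{
    // Verification is off here on purpose: this call only captures the served chain.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer' => false, 'verify_peer_name' => false,
        'capture_peer_cert_chain' => true, 'peer_name' => $host,
    ]]);
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    fclose($sock);
    return stream_context_get_params($ctx)['options']['ssl']['peer_certificate_chain'] ?? [];
}

function describeChain(array $chain): void
{
    // The issuer of the last link is the root that your local CA bundle has to trust.
    foreach ($chain as $i => $cert) {
        $x = openssl_x509_parse($cert);
        $flag = $x['validTo_time_t'] < time() ? '  <-- EXPIRED' : '';
        printf("[%d] subject=%s\n    issuer=%s\n    notAfter=%s%s\n", $i,
            $x['subject']['CN'] ?? $x['name'], $x['issuer']['CN'] ?? '?',
            date('Y-m-d', $x['validTo_time_t']), $flag);
    }
}

function verifyAgainst(string $host, string $cafile, int $port = 443): string
{
    // Same handshake, but now OpenSSL must build a trusted path that ends in $cafile.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer' => true, 'verify_peer_name' => true,
        'cafile' => $cafile, 'peer_name' => $host,
    ]]);
    $errors = [];   // collect the OpenSSL warnings; the first one names the real cause
    set_error_handler(function (int $no, string $msg) use (&$errors): bool { $errors[] = $msg; return true; });
    $sock = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    if ($sock === false) {
        return 'FAILED: ' . ($errors[0] ?? $errstr);
    }
    fclose($sock);
    return 'OK';
}

$host   = 'www.example.com';                   // assumption: your Windows server's hostname
$cafile = '/etc/pki/tls/certs/ca-bundle.crt';  // CentOS 7 system bundle (ca-certificates package)
describeChain(fetchPeerChain($host));
echo "verify against $cafile: " . verifyAgainst($host, $cafile) . "\n";
```

Run it before and after touching the bundle: if the chain verifies against a freshly reinstalled ca-bundle.crt but not the current one, the bundle was the problem; if it fails against both, look at the issuer of the last link the server sends.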