Let's Encrypt works fine, only not with file_get_contents()

Discussion in 'Installation/Configuration' started by Jigal van Hemert, Jan 9, 2020.

  1. Jigal van Hemert

    Jigal van Hemert New Member

    Some data:
    - ISPConfig Version: 3.1.15p2
    - Ubuntu 16.04 (up-to-date) (php 7.0.33-0ubuntu0.16.04.7)
    - Set up with the Perfect Server tutorial (thanks for that!)
    - site configuration:
    SuExec on, Own Error-Documents on, Auto-Subdomain www, SSL on, Let's Encrypt SSL on, PHP: Fast-CGI, PHP version default

    This works fine in browsers. There is a PHP script on the server that tries to access its own frontend using file_get_contents(). This produces some errors:
    Core: Error handler (BE): PHP Warning: file_get_contents(http://www.bordercollies.nl/index.php?id=71&L=0): failed to open stream: operation failed in /web/typo3conf/ext/solr/Classes/IndexQueue/PageIndexerRequest.php line 407
    Core: Error handler (BE): PHP Warning: file_get_contents(): Failed to enable crypto in /web/typo3conf/ext/solr/Classes/IndexQueue/PageIndexerRequest.php line 407
    Core: Error handler (BE): PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /web/typo3conf/ext/solr/Classes/IndexQueue/PageIndexerRequest.php line 407

    These errors are produced consistently with various URLs. If I request the same URLs with wget the contents are retrieved without errors.
    Next, verification with openssl:
    # openssl s_client -servername bordercollies.nl -connect bordercollies.nl:443 </dev/null
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = bordercollies.nl
    verify return:1
    ---
    Certificate chain
    0 s:/CN=bordercollies.nl
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGbzCCBVegAwIBAgISA/wKd40IDqAURGDiioe5EWV9MA0GCSqGSIb3DQEBCwUA
    [...]
    9WvUob9WTyXWEOqbVpHxSMhYqA==
    -----END CERTIFICATE-----
    subject=/CN=bordercollies.nl
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3795 bytes and written 456 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ACBE3B84C3DF889D54[...]9EDCA649C560E6247EF7
    Session-ID-ctx:
    Master-Key: E653B6F7239041BE93[...]F5DF7D9FF09DFFC9CAF
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6d b0 ea 67 66 72 aa 10-b8 d1 4e b7 05 9d 49 f1 m..gfr....N...I.
    [...]
    00c0 - 6d 32 78 bc 65 38 2e 93-dd 49 89 bd f0 d0 83 12 m2x.e8...I......

    Start Time: 1578525021
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---
    DONE

    The Let's Encrypt certificate seems fine, but somehow PHP doesn't accept it. Is there something missing in the PHP configuration?

    Thanks for any ideas to solve this!

    Regards, Jigal.
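
Added example, not part of the original post: a PHP diagnostic that prints the CA locations PHP's OpenSSL extension will use and then performs the handshake through the same stream layer as file_get_contents(), so the result can be compared with the openssl s_client output above. Run it under the same SAPI and user as the failing script (here Fast-CGI with SuExec) and for the exact host name in the failing URL, which in the post is the www. name while the s_client check used the bare domain. Assumptions: `www.example.org` is a placeholder host and `tlsProbe` is a hypothetical helper name.

```php
<?php
// Added diagnostic, not code from the original post.
// 'www.example.org' is a placeholder: pass the exact host name from the failing URL.
$host = (PHP_SAPI === 'cli' && isset($argv[1])) ? $argv[1] : 'www.example.org';

// 1. Configuration and CA store as seen by *this* SAPI and user.
echo 'SAPI: ', PHP_SAPI, "\nphp.ini: ", php_ini_loaded_file() ?: '(none)', "\n";
echo 'open_basedir: ', ini_get('open_basedir') ?: '(not set)', "\n";
foreach (openssl_get_cert_locations() as $key => $value) {
    $isPath = in_array($key, ['default_cert_file', 'default_cert_dir', 'ini_cafile', 'ini_capath'], true);
    $note = ($isPath && $value !== '') ? (@is_readable($value) ? ' (readable)' : ' (NOT readable from this process)') : '';
    echo "  $key = $value$note\n";
}

// 2. TLS handshake through PHP's stream layer, the same layer file_get_contents() uses.
function tlsProbe($host, $verify)
{
    $errors = [];
    set_error_handler(function ($no, $msg) use (&$errors) { $errors[] = $msg; return true; });
    $ctx = stream_context_create(['ssl' => [
        'verify_peer' => $verify, 'verify_peer_name' => $verify,
        'peer_name' => $host, 'SNI_enabled' => true,
        'capture_peer_cert' => true, 'capture_peer_cert_chain' => true,
    ]]);
    $fp = stream_socket_client("ssl://$host:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    $ssl = [];
    if ($fp !== false) {
        $ssl = stream_context_get_params($fp)['options']['ssl'];
        fclose($fp);
    }
    return ['ok' => $fp !== false, 'errors' => $errors, 'ssl' => $ssl];
}

$strict = tlsProbe($host, true);
echo "Verified handshake to $host: ", $strict['ok'] ? 'OK' : 'FAILED', "\n";
foreach ($strict['errors'] as $e) { echo "  $e\n"; }

if (!$strict['ok']) {
    // Verification is off ONLY to read what the server presents; no request is sent.
    $peek = tlsProbe($host, false);
    if ($peek['ok']) {
        $leaf = openssl_x509_parse($peek['ssl']['peer_certificate']);
        echo '  leaf SANs: ', $leaf['extensions']['subjectAltName'] ?? '(none)', "\n";
        foreach ($peek['ssl']['peer_certificate_chain'] as $i => $cert) {
            $c = openssl_x509_parse($cert);
            echo "  chain[$i] ", $c['subject']['CN'] ?? '?', ' <- issued by ', $c['issuer']['CN'] ?? '?', "\n";
        }
    }
}
```

If the verified handshake fails here as well, the printed CA paths, their readability and the SAN list show whether PHP lacks a usable trust store or the certificate does not cover the requested name.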
     
