composer/ca-bundle

Homebrew OS X certificates are not loaded.

jmalloc opened this issue · 4 comments

When using Homebrew's distro of OpenSSL, certificates are loaded from the certs.pem file (as addressed by #5), but they can also be placed in the /usr/local/etc/openssl/certs directory. It seems that using the latter method does not work with Composer.

I'm attempting to access a private Composer repository (built with Satis) secured via TLS with a certificate issued by a self-signed CA.

The error message I receive is:

The "https://<redacted>/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
https://<redacted> could not be fully loaded, package information was loaded from the local cache and may be out of date

Please forgive my naivety on the subject. I'm not sure exactly which project should be responsible for loading these certificates, but I believe the problem to be localised to composer/ca-bundle as I'm able to fetch the package.json file with file_get_contents() successfully using the same PHP binary.

Setting SSL_CERT_DIR to /usr/local/etc/openssl/certs does solve this particular problem, but then the regular certs.pem file is not loaded, so the certificate for packagist.org can no longer be verified.

Yeah I don't think you can have both a file and a dir, if the certs.pem file is not within that given dir..

One option would be to append your cert to the certs.pem it finds?

Another option is to use letsencrypt or so to get a trusted cert instead of self-signed.. Or like use Private Packagist for private repos which comes with valid SSL out of the box ;)

We actually do have an on-premises installation of Private Packagist being set up right now :) So this will become a non-issue for me because it will be using a different certificate, but I figured it's still worth mentioning because it deviates from the behaviour of Brew's openssl package. We use the same certificate for all of our development environments and so far it's only Composer that can't load it from the certs subfolder.

Curiously, I did try appending it to the end of certs.pem but that didn't work, though I'm confident that was something I messed up, as obviously Composer loads the rest of those certificates just fine.

Closing as not sure what we can do here..
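
The "append your cert to the certs.pem" option from the thread, as an added example that is not part of the original issue or of composer/ca-bundle: it builds a separate combined bundle instead of editing certs.pem in place, and guards against a bundle without a trailing newline fusing two PEM markers onto one line. The function names, the output file and the assumption that the directory holds PEM files named `*.pem` or `*.crt` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue or the composer/ca-bundle project).
# merge_ca_bundle BUNDLE CERT_DIR OUT
#   Writes OUT = BUNDLE followed by every PEM certificate file in CERT_DIR.
#   BUNDLE itself is never modified, so a package upgrade cannot undo the
#   change and a mistake cannot break the system trust store.
merge_ca_bundle() {
    bundle=$1 cert_dir=$2 out=$3
    [ -r "$bundle" ]   || { echo "cannot read bundle: $bundle" >&2; return 1; }
    [ -d "$cert_dir" ] || { echo "not a directory: $cert_dir" >&2; return 1; }
    tmp=$(mktemp) || return 1

    # Assumption: certificates in CERT_DIR are PEM files named *.pem or *.crt.
    for f in "$bundle" "$cert_dir"/*.pem "$cert_dir"/*.crt; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
            echo "skipping (no PEM certificate): $f" >&2
            continue
        }
        # Strip CRs and force a trailing newline on every file. A plain
        # `cat a b` where `a` lacks a final newline yields
        # "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" on one line,
        # which PEM parsers do not read as two certificates.
        tr -d '\r' < "$f" | awk '{ print }' >> "$tmp"
    done
    mv "$tmp" "$out"
}

# Number of certificates in a bundle.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Number of lines where something follows an END marker (fused markers).
malformed_markers() { grep -c -- '-----END CERTIFICATE-----.' "$1" || true; }
```

Pointing the OpenSSL `SSL_CERT_FILE` environment variable (the file counterpart of the `SSL_CERT_DIR` variable tried above) at the combined file keeps both the public roots and the private CA in one place.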