Hi all at Ning !
I am currently developing (and debugging) with php and I'm using the Ning API PHP library available on github
When I make a call to the "get" function, it raises the following exception: "cURL error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".
To work around this error (to avoid to verify the CA cert), I added the following line just after the curl_init() call (in the "call" function) :
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
This is fine for debugging, but this method is indeed a real security hole! I think a real solution should be implemented in the future version of the Ning API PHP library...
Do you plan to fix this in future versions, and if so can you tell me when?
Best regards, and thanks again for all the work you do.
The "certificate verify failed" cURL error is usually an issue with the local PHP configuration, not the library itself.
Make sure you have CA certificates installed and that they are accessible from PHP's cURL extension. You can also try using the CURLOPT_CAPATH or CURLOPT_CAINFO options to point to a specific directory or file that contains the certificates.
Yes, Devin, you're right :
I can put the CA cert on my server, and modifying NingApi.php like this :
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/CAcerts/xxx.crt");
But if I do that, I'm modifying the NingApi.php. And I've understood this "Ning API PHP library" as a reference that it was better to not change.
Let me explain. I am currently developing a Drupal module that I intend to distribute by the conventional method (drupal.org svn). I planned to distribute this "Ning API PHP library" as is, with my module. When you publish a new version of "Ning API PHP library", I publish a new version of my module packaged with your new "Ning API PHP library".
But obviously, I made a mistake : if i correctly understand, I should consider this "Ning API PHP library" as a starting point for my development and not as an official library. Am I correct?
1) I must follow new versions of your "Ning API PHP library" and integrate it in my own product and
2) I should distribute your CA cert packaged with my module. Is it legaly possible?
Thanks in advance for your help.
The Ning cert is signed by a trusted CA. This means that as long as libcurl has been configured and installed correctly on the system, you don't need to manually specify the location of a CA cert bundle.
I ran into this issue myself. I use MAMP for local development of PHP applications on my machine. I had to follow these instructions to get my local development sever working because MAMP doesn't ship with a CA cert bundle. However, when I deployed to a production server I didn't need to do anything special because libcurl had already been installed property with a CA cert bundle.
I don't recommend shipping your code with a CA bundle since 99% of the servers it will be used on will be configured properly.
What development environment are you using?
Hehe, you're right, I'm using MAMP too ...and i've never have this problem. I will try to fix my local development environment first ;-)
It's a great news that it's a local issue...
Thanks for your help.