I've created certificates for both servers using openssl.
I then added the certificate to the /etc/ssl/certs/ca-certificates.crt for both servers. This fixed the issue of me calling curl and getting a cert error. I thought everything would be working now, since I could manually call a sync and get a good status, but logged onto the mysql dabase and saw my queue was full. I then checked /var/log/syslog and saw the following error:
Jun 27 15:22:38 testval1 ykval[3982]: LOG_DEBUG:ykval-queue:synclib:handle indicated to be for https://testval2/wsapi/2.0/sync.
Jun 27 15:22:38 testval2 ykval[3982]: LOG_NOTICE:ykval-queue:synclib:Timeout. Stopping queue resync for server https://testval2/wsapi/2.0/sync
If i call curl directly using:
curl 'https://testval2/wsapi/2.0/sync?otp=<otpval>&modified=<mod_val>&yk_publicname=<public_id>yk_counter=5&yk_use=5&yk_high=229&yk_low=52183&nonce=<nonce>,local_counter=5&local_use=4'
The status comes back as OK.
Any help would be appreciated.
Update:
My current work around until I can get a better fix is to set verifypeer to false in the curl options:
Code:
$baseParams['__YKVAL_SYNC_CURL_OPTS__'] = array(
CURLOPT_SSL_VERIFYPEER => false
);
What I found was it appears I'm getting a CURLE_SSL_CACERT error from ykval-queue. I created a simple test.php to debug this with the following:
Code:
<?php
$urls = array(
"https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr×tamp=1",
"http://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzd&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr×tamp=1"
);
$mh = curl_multi_init();
var_dump('start');
foreach ($urls as $i => $url) {
$conn[$i] = curl_init($url);
curl_setopt($conn[$i], CURLOPT_RETURNTRANSFER, 1);
// curl_setopt($conn[$i], CURLOPT_CAPATH, "/etc/ssl/certs/");
// curl_setopt($conn[$i], CURLOPT_CAINFO, "/etc/ssl/certs/ca-certificates.crt");
curl_setopt($conn[$i], CURLOPT_CAINFO, "/test/blah.pem");
// curl_setopt($conn[$i], CURLOPT_SSL_VERIFYPEER, 0);
curl_multi_add_handle($mh, $conn[$i]);
}
var_dump('doloop');
do {
$status = curl_multi_exec($mh, $active);
$info = curl_multi_info_read($mh);
if (false !== $info) {
var_dump($info);
}
} while ($status === CURLM_CALL_MULTI_PERFORM || $active);
var_dump('another loop');
foreach ($urls as $i => $url) {
$res[$i] = curl_multi_getcontent($conn[$i]);
curl_close($conn[$i]);
}
var_dump('enddump');
var_dump(curl_multi_info_read($mh));
?>
Which gives me the following:
Code:
string(5) "start"
string(6) "doloop"
array(3) {
["msg"]=>
int(1)
["result"]=>
int(60) <--- HERE IS THE CURLE_SSL_CACERT ERROR
["handle"]=>
resource(5) of type (curl)
}
array(3) {
["msg"]=>
int(1)
["result"]=>
int(0)
["handle"]=>
resource(6) of type (curl)
}
string(12) "another loop"
string(7) "enddump"
bool(false)
So my manual example is as follows, i moved my certificate out of the /etc/ssl/certs/ca-certificates.crt file to just a /test/blah.pem file, and get the following:
Code:
curl 'https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr×tamp=1'
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
And pointing to the cert:
Code:
curl --cacert blah.pem 'https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr×tamp=1'
h=RoeWTtwokPc0wbIQ17rOqHrGux8=
t=2017-06-29T15:15:08Z0971
otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr
nonce=sopxxrlklguqquyvbkwwqthyvofukjzc
status=REPLAYED_OTP
For some reason calling curl from command line with the certificate in /etc/ssl/certs/ca-certificates.crt file has no issue. It will automatically pickup the cert, but the ykval-queue and test.php for some reason is having issues with the cert. I tried setting some curl_opts to specify the cert, but had no luck with those.
Again any help would be appreciated, as I don't think setting the verifypeer option to false is a great work around.Statistics: Posted by nitmpez715 — Tue Jun 27, 2017 9:32 pm
]]>