AWS SSL安全性错误:[curl] 60:SSL证书问题...:无法获得本地颁发者证书

Question

我想亚马逊的S3文件从运行我的(本地主机)的Windows 8设备连接AppServ 2.5.10(包括Apache 2.2.8,php 5.2.6,mysql 5.0.51b和phpMyAdmin 2.10.3)使用Amazon SDK的PHP.

为了与Amazon SDK's命名空间功能兼容,我5.3.28通过下载其压缩文件并解压缩,将php替换为版本.

我的PHP代码可以正常访问S3文件,Amazon EC2但在我的Windows本地主机中失败了.

但是当我运行php srcipt来读取Amazon S3Windows本地主机中的存储桶文件时,我收到了如下SSL错误:

致命错误:未捕获异常'Guzzle\Http\Exception\CurlException',消息'[curl] 60:SSL证书问题:无法获取本地颁发者证书[url] https://images-st.s3.amazonaws.com/us/123977_sale_red_car.png '在C:\ AppServ\www\ecity\vendor\guzzle\guzzle\src\Guzzle\Http\Curl\CurlMulti.php:342堆栈跟踪:

#0 C:\ AppServ\www\ecity\vendor\guzzle\guzzle\src\Guzzle\Http\Curl\CurlMulti.php(283):Guzzle\Http\Curl\CurlMulti-> isCurlException(Object(Guzzle\Http\Message)\Request),Object(Guzzle\Http\Curl\CurlHandle),Array)

#1 C:\ AppServ\www\ecity\vendor\guzzle\guzzle\src\Guzzle\Http\Curl\CurlMulti.php(248):Guzzle\Http\Curl\CurlMulti-> processResponse(Object(Guzzle\Http\Message)\Request),Object(Guzzle\Http\Curl\CurlHandle),Array)

#2 C:\ AppServ\www\ecity\vendor\guzzle\guzzle\src\Guzzle\Http\Curl\CurlMulti.php(231):Guzzle\Http\Curl\CurlMulti-> processMessages()

#3 C:\ AppServ\www\ecity\vendor\guzzle\guzzle\src\Guzzle\Http\Curl\CurlMulti.php(215):Guzzle\Http\Curl\CurlMulti-> executeHandles()

#4 C:用C \的appserv\WWW\ecity\VEN:\的appserv\WWW\ecity \厂商\ AWS\AWS-SDK-PHP中\ SRC\AWS \共同\客户\ AbstractClient.php上线288

我从http://curl.haxx.se/ca/cacert.pem下载证书,并在php.ini中定义如下:

curl.cainfo = "C:\AppServ\cacert.pem"

但我仍然有同样的错误.似乎php不尊重curl.cainfo定义的php.ini.

我的php版本是5.3.28根据的localhost/phpinfo.php.

我还检查cainfo参数是否正确C:\AppServ\cacert.pem 使用

echo ini_get( "curl.cainfo" ) ; 

在PHP脚本中.

PHP版本高于5.3应支持curl.cainfo在php.ini.

在Windows的命令行中,我检查卷曲行为,它似乎工作正常.

C:\Users\Jordan>curl  https://s3-us-west-2.amazonaws.com/images-st/aaa.txt
   curl: (60) SSL certificate problem: unable to get local issuer certificate
   ......

C:\Users\Jordan>curl --cacert C:\AppServ\cacert.crt  https://s3-us-west-2.amazonaws.com/images-st/aaa.txt
  This is aaa.txt file.
  Stored in Amazon S3 bucket.

是因为我在Windows中使用的Apache与5.3.28我从http://windows.php.net/download/ VC9 x86 Thread Safe(2014年6月11日01:09:56)zip版本下载的php zip文件不匹配.

在我的apache的httpd-ssl.conf文件中,即使我在Windows 8中使用本地主机,我也有以下设置.

<VirtualHost _default_:443>

DocumentRoot "C:/AppServ/www"
ServerName localhost:443
ServerAdmin webmaster@localhost.com
ErrorLog "C:/AppServ/Apache2.2/logs/error.log"
TransferLog "C:/AppServ/Apache2.2/logs/access.log"

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "C:/AppServ/Apache2.2/conf/mydomain.cert"
SSLCertificateKeyFile "C:/AppServ/Apache2.2/conf/mydomain.key"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/Apache2.2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0

CustomLog "C:/AppServ/Apache2.2/logs/ssl_request.log" \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                                  

现在我想知道是什么问题以及如何连接到Amazon S3存储桶文件和RDS数据库而不产生这些curl不能从我的Windows 8本地主机获得本地颁发者证书问题.

有什么建议？

Answer 1

正如Jeremy Lindblom在评论中所提到的,AWS SDK v2的解决方案是ssl.certificate_authority在实例化SDK时设置选项:

$aws = Aws\Common\Aws::factory(array(
    'region' => 'us-west-2',
    'ssl.certificate_authority' => '/path/to/updated/cacert.pem'
));

http://docs.aws.amazon.com/aws-sdk-php/guide/latest/faq.html#what-do-i-do-about-a-curl-ssl-certificate-error

我将在AWS SDK v3中添加更改,这是新方法:

$client = new DynamoDbClient([
    'region'  => 'us-west-2',
    'version' => 'latest',
    'http'    => [
        'verify' => '/path/to/my/cert.pem'
    ]
]);

http://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#verify

Answer 2

对于使用WampServer的用户，请打开php.ini文件，然后向下滚动至底部并添加以下内容：

curl.cainfo = "C:\wamp\bin\php\php7.2.3\cacert.pem"

确保您的cacert.pem文件位于当前使用的php版本的文件夹中。就我而言，我在php7.2.3文件夹中。

Answer 3

$s3 = new S3Client
         ([
            'version' => 'latest',
            'scheme' =>'http',
            'region'  => $this->config->item('s3_region'),
            'credentials' => [
                'key'    => $this->config->item('s3_access_key'),
                'secret' => $this->config->item('s3_secret_key')
            ],
        ]);

如果您的协议是 Http，请将 Scheme 添加到 http

Answer 4

我也遇到过同样的问题，但经过研究，我找到了适用于 AWS S3 存储桶的 Laravel 本机解决方案。

第 1 步：转到config/filesystems.php

第 2 步：添加“s3”'scheme' => 'http'数组，如下所示：

's3' => [
            'driver' => 's3',
            'key' => env('AWS_ACCESS_KEY_ID'),
            'secret' => env('AWS_SECRET_ACCESS_KEY'),
            'region' => env('AWS_DEFAULT_REGION'),
            'bucket' => env('AWS_BUCKET'),
            'url' => env('AWS_URL'),
            'endpoint' => env('AWS_ENDPOINT'),
            'use_path_style_endpoint' => env('AWS_USE_PATH_STYLE_ENDPOINT', false,
            'scheme'  => 'http'
        ],

就是这样。现在，您可以运行您的应用程序并对其进行测试。

将 Web 应用程序移动到实时服务器上后，如果您的 Web 应用程序通过https协议运行，则需要删除此属性

Answer 5

我得到了同样的错误如果你想使用http,那么你可以使用以下解决方案:

 Error executing "PutObject" on "https://s3-ap-southeast-2.amazonaws.com/mybucketname/TestBanner1_e1d8d74e41"; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

我已经通过使用http方法解决了这个问题,使用安全的方法输入_ curl.cainfo ="/ path/to/file.cacert.pem"_在php.ini文件中是不安全的:

方案:

'options' => [
'scheme' => 'http',
],

完整示例代码:

 // ...
's3bucket' => [
'class' => \frostealth\yii2\aws\s3\Storage::className(),
'region' => 'ap-southeast-2',
'credentials' => [ // Aws\Credentials\CredentialsInterface|array|callable
'key' => 'JGUTEHCDE.............OSHS',
'secret' => 'SJEUC-----------jzy1-----rrT',
],
'bucket' => 'yours3bucket',
//'cdnHostname' => 'http://example.cloudfront.net',
'defaultAcl' => \frostealth\yii2\aws\s3\Storage::ACL_PUBLIC_READ,
'debug' => false, // bool|array
'options' => [
'scheme' => 'http',
],

],
// ...