Ubuntu PHP日志中的SSL证书问题

Common SSL Certificate Issues in Ubuntu PHP Logs
When PHP applications on Ubuntu encounter SSL certificate problems, the logs often highlight errors related to certificate validation failures. The most frequent issues include:

• Unable to Get Local Issuer Certificate: This error occurs when PHP/cURL cannot verify the server’s SSL certificate because it lacks access to a trusted Certificate Authority (CA) certificate bundle.
• Certificate Verify Failed: This indicates that the server’s certificate could not be validated against the local CA store, often due to an expired, self-signed, or incomplete certificate chain.
• Self-Signed Certificate Warnings: If the server uses a self-signed certificate (not issued by a trusted CA), PHP rejects it by default, as self-signed certificates are not inherently trustworthy.

These errors prevent secure HTTPS connections, causing PHP scripts (e.g., API calls, Composer operations) to fail.

Root Causes of SSL Certificate Problems
The errors stem from misconfigurations or missing components in the SSL/TLS ecosystem:

• Missing CA Certificate Bundle: PHP relies on a trusted CA bundle (e.g., cacert.pem) to validate server certificates. If this bundle is missing, outdated, or not configured, verification fails.
• Outdated CA Certificates: CA certificates expire periodically. Using an old bundle means PHP cannot trust newer certificates issued by those CAs.
• Self-Signed Certificates: Servers using self-signed certificates (common in development) are not recognized by default, as they lack endorsement from a trusted CA.
• Incomplete Certificate Chain: Servers must provide the full certificate chain (leaf certificate + intermediate certificates). Missing intermediates break the trust path from the leaf to a trusted root CA.
• System Time Mismatch: SSL certificates are time-sensitive. If the server or client system time is incorrect (e.g., out of sync with NTP), the certificate’s validity period cannot be verified.
• Incorrect PHP Configuration: Misconfigured php.ini settings (e.g., wrong paths to CA files, disabled verification) can disable or misdirect certificate validation.

Step-by-Step Solutions for Ubuntu PHP SSL Issues
To resolve these errors, follow these structured steps:

1. Install/Update the CA Certificate Bundle

Ubuntu provides a pre-installed CA bundle via the ca-certificates package. Ensure it’s up to date:

sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates

This installs the latest trusted CA certificates to /etc/ssl/certs/ca-certificates.crt, which PHP uses by default.

2. Configure PHP to Use the CA Bundle

Verify and update your php.ini file to point to the correct CA certificate path. For PHP running under Apache or PHP-FPM:

sudo nano /etc/php/<version>/apache2/php.ini  # For Apache
sudo nano /etc/php/<version>/fpm/php.ini     # For PHP-FPM

Find (or add) these lines and ensure they point to the installed CA bundle:

curl.cainfo = /etc/ssl/certs/ca-certificates.crt
openssl.cafile = /etc/ssl/certs/ca-certificates.crt

Replace <version> with your PHP version (e.g., 8.1). Save the file and restart the web server:

sudo systemctl restart apache2  # For Apache
sudo systemctl restart php<version>-fpm  # For PHP-FPM
sudo systemctl restart nginx    # For Nginx (if used)

3. Handle Self-Signed Certificates (Development Only)

For development environments using self-signed certificates, you can temporarily disable SSL verification (not recommended for production):

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://self-signed.example.com');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable peer verification
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // Disable host verification
$response = curl_exec($ch);
if ($response === false) {
    echo 'Curl error: ' . curl_error($ch);
}
curl_close($ch);

Important: This exposes your application to man-in-the-middle (MITM) attacks. For production, always use certificates from a trusted CA.

4. Ensure Complete Certificate Chains

Servers must provide the full certificate chain (leaf + intermediates). For example, if using Let’s Encrypt, ensure your web server configuration includes the fullchain.pem (which contains the leaf certificate and intermediates):

• Nginx:

  ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
  

• Apache:

  SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
  

This ensures clients (like PHP) can validate the entire certificate chain.

5. Verify System Time Synchronization

Ensure your Ubuntu server’s system time is accurate. Install and enable ntp (Network Time Protocol) to sync time automatically:

sudo apt install ntp
sudo systemctl enable ntp
sudo systemctl start ntp

Check the current time with date and compare it to a reliable time source (e.g., time.google.com). Incorrect time can cause SSL validation failures.

6. Test SSL Configuration

Use curl to test SSL connections from the command line. For example:

curl -v https://yourdomain.com

Look for lines indicating successful verification (e.g., * SSL certificate verify ok.). If you see errors, revisit the above steps to troubleshoot further.

By following these steps, you can resolve common SSL certificate issues in Ubuntu PHP logs and ensure secure communication between your PHP applications and remote servers.