Microsoft Azure Open Source Development Support Team Blog

Support for Open Source Technologies on Microsoft Azure App Service

Verify Peer Certificate from PHP cURL for Azure Apps

When you use the PHP cURL extension, be aware that the CURLOPT_SSL_VERIFYPEER option has been set to TRUE by default since cURL version 7.10 (Azure has cURL 7.40 installed).

Common error messages related to the SSL_VERIFYPEER option include:

SSL certificate problem, verify that the CA cert is OK
SSL certificate problem: unable to get local issuer certificate

These errors are usually caused by a missing or invalid CA certificate in the cURL options. If you see these messages, validate the SSL certificate and check the path to the CA certificate file. The CA certificate must be in PEM format; for more detail on extracting a CA bundle, visit http://curl.haxx.se/docs/caextract.html

Do not turn off CURLOPT_SSL_VERIFYPEER unless your cURL client connects to a server that is not protected by a certificate.


There are two ways to specify certificate information for cURL in a PHP environment.

1. Specify CURLOPT_CAINFO in the cURL options (sample code):

curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "\\cert\\ca-bundle.crt");

Note: getcwd() . "\\cert\\ca-bundle.crt" returns the absolute path of your ca-bundle.crt. Make sure ca-bundle.crt is installed at the correct path.


2. Set the curl.cainfo path in php.ini

Since curl.cainfo is a PHP_INI_SYSTEM directive, its value cannot be set in ".user.ini". You can change the setting with PHP_INI_SCAN_DIR by following these steps:

– Add an App Setting to your Web App with the key PHP_INI_SCAN_DIR and the value d:\home\site\ini

– Create a settings.ini file using the Kudu Console (http://<site-name>.scm.azurewebsites.net) in the d:\home\site\ini directory.

– Set the CA path in settings.ini:

; Example Settings
curl.cainfo="%ProgramFiles(x86)%\Git\usr\ssl\certs\ca-bundle.crt"


Refer to this article for PHP configuration on Azure: https://azure.microsoft.com/en-us/documentation/articles/web-sites-php-configure/


The CURLOPT_SSL_VERIFYHOST option is used together with peer verification. Its default value is 2, which checks that the certificate contains a common name and that it matches the hostname you provided (more detail at http://php.net/manual/en/function.curl-setopt.php).
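Putting the two options together, here is an added example (not code from the original post) that keeps peer and host verification on, resolves the CA bundle either from an explicit CURLOPT_CAINFO path or from the curl.cainfo ini setting, and reports the "unable to get local issuer certificate" class of failure as a configuration problem instead of disabling verification. The request URL and the bundle location are assumed values.

```php
<?php
// Added example, not from the original post. Demonstrates the two ways the post
// describes for locating the CA bundle, with CURLOPT_SSL_VERIFYPEER left on.

function resolveCaBundle($explicitPath = null)
{
    // 1. An explicit CURLOPT_CAINFO path wins.
    // 2. Otherwise fall back to curl.cainfo from php.ini / PHP_INI_SCAN_DIR.
    $path = $explicitPath !== null ? $explicitPath : (string) ini_get('curl.cainfo');
    if ($path === '') {
        throw new RuntimeException('No CA bundle configured: set CURLOPT_CAINFO or curl.cainfo');
    }
    if (!is_readable($path)) {
        throw new RuntimeException("CA bundle not readable: $path");
    }
    return $path;
}

function fetchWithVerifiedPeer($url, $caBundle = null)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // explicit here, although it is already the default
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate name must match the requested hostname
        CURLOPT_CAINFO         => resolveCaBundle($caBundle),
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $err   = curl_error($ch);
        curl_close($ch);
        // CURLE_SSL_CACERT (60) is the "unable to get local issuer certificate" case:
        // the fix is a correct PEM bundle at the configured path, not turning verification off.
        if ($errno === CURLE_SSL_CACERT) {
            throw new RuntimeException("Peer verification failed ($err); check the CA bundle path and PEM format");
        }
        throw new RuntimeException("cURL error $errno: $err");
    }
    curl_close($ch);
    return $body;
}

// Usage with the post's relative-path convention (assumed URL and file location).
echo fetchWithVerifiedPeer('https://example.com/', getcwd() . '\cert\ca-bundle.crt');
```

Omit the second argument to rely on the curl.cainfo value from settings.ini instead of a path in code.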