colincclark

Reputation: 174

SSL error from Symfony2 controller

How do I call an HTTPS (SSL) URL from my Symfony2 controller on localhost? I am using the Debril RssAtomBundle bundle to call the Google Blogger API, which is only on HTTPS, and am not sure how to achieve this from localhost. My Google Blogger API call definitely works, as the URL returns the expected blog content in the browser. I want to make sure the code is secure too.

The error I get when calling the URL is:

SSL certificate problem, verify that the CA cert is OK

Upvotes: 2

Views: 378

Answers (1)

jww

Reputation: 102444

The error I get when calling the URL is:

SSL certificate problem, verify that the CA cert is OK

It sounds like you need to use Google Internet Authority G2 as a trust anchor. In the case of *.blogger.com, it looks like Google's CA is also signed by GeoTrust Global CA:

$ openssl s_client -connect blogger.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.blogger.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 ...

Start Time: 1407035752
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

Once you use the Google CA as a trust anchor, it will verify OK (notice the addition of the -CAfile option):

$ openssl s_client -connect blogger.com:443 -CAfile GIAG2.pem 
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.blogger.com
verify return:1
...

Start Time: 1407035642
Timeout   : 300 (sec)
Verify return code: 0 (ok)

Hint: after you download GIAG2.crt, you will need to convert it from ASN.1/DER to PEM with openssl x509 -in GIAG2.crt -inform DER -out GIAG2.pem -outform PEM.

Upvotes: 1
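The trust-anchor step from the answer above, reproduced offline as an added example that is not part of the original answer. It assumes the openssl CLI is installed; the CA and leaf certificate are throwaway stand-ins constructed by the script, and every file name in it is hypothetical.

```shell
#!/usr/bin/env bash
# Added example. Every certificate here is a throwaway, constructed stand-in;
# none of them is a real Google or GeoTrust certificate.

make_demo_pki() {            # $1 = empty working directory
  local d="$1"
  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Demo
CN = Demo Trust Anchor
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed demo CA: plays the role of the CA you choose to trust.
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # Publish it in DER form, the way GIAG2.crt is distributed in the answer.
  openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.crt" || return 1
  # Leaf certificate issued by the demo CA (stands in for the server cert).
  openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=Demo/CN=demo.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Same conversion as the answer's hint: ASN.1/DER in, PEM out.
der_to_pem() {
  openssl x509 -in "$1/ca.crt" -inform DER -out "$1/anchor.pem" -outform PEM
}

# No trust anchor supplied: the issuer is unknown, so verification fails.
verify_without_anchor() { openssl verify "$1/leaf.pem" >/dev/null 2>&1; }

# Trust anchor supplied with -CAfile: the chain now ends at a trusted CA.
verify_with_anchor() {
  openssl verify -CAfile "$1/anchor.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" && der_to_pem "$demo_dir" || exit 1
verify_without_anchor "$demo_dir" && echo "no anchor: ok" || echo "no anchor: FAILED"
verify_with_anchor "$demo_dir" && echo "with -CAfile: ok" || echo "with -CAfile: FAILED"
rm -rf "$demo_dir"
```

A PEM file produced this way is what an HTTP client's CA-file setting (for libcurl, CURLOPT_CAINFO) is pointed at, so certificate verification stays enabled.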
