Moving Curl client ssl to Guzzle

Question

I'm using Guzzle v3.9.2 with both php 5.3 and php 5.5.

I have the following working curl code that uses an ssl client certificate:

$url = "https://example.com/";
$cert_file = '/path/to/certificate.pem';

$ch = curl_init();
$options = array(
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_FOLLOWLOCATION => true,
  CURLOPT_URL => $url ,
  CURLOPT_SSLCERT => $cert_file ,
);

curl_setopt_array($ch , $options);
$output = curl_exec($ch);

if (!$output) {
  echo "Curl Error : " . curl_error($ch);
}
else {
  echo htmlentities($output);
}

I have tried to move it to Guzzle:

require '/var/www/vendor/autoload.php';
use Guzzle\Http\Client;
$client = new Client();
$request = $client->get($url, array('cert' => $cert_file));
$response = $client->send($request);
echo $response . PHP_EOL;
print 'HI' . PHP_EOL;

When I run it using curl I get a 200 response. When I use Guzzle I get a 403.

Answer 1

try like this:

 $client = new Client();
 $response = $client->get($url, array(), array('cert' => $cert_file));

and for check add this line:

 $this->assertEquals($cert_file, $request->getCurlOptions()->get(CURLOPT_SSLCERT));

or use this:

 $client = new Client();
 $request = $client->createRequest('GET', $url);
 $request->getCurlOptions()->set(CURLOPT_SSLCERT, $cert_file);
 $response = $client->send($request);

if you use self singed certificate set this options :

$request->getCurlOptions()->set(CURLOPT_SSL_VERIFYHOST, false);
$request->getCurlOptions()->set(CURLOPT_SSL_VERIFYPEER, false);

set this line before send request :

$request = $client->get( .... )
.
.
.
$request->setResponse(new Response(200), true);
$request->send();

check your url and enter it compelete like this :

$url = 'https://example.com/index.php';

and you can add default options like your curl code :

$request->getCurlOptions()->set(CURLOPT_RETURNTRANSFER , true);
$request->getCurlOptions()->set(CURLOPT_FOLLOWLOCATION , true);

Answer 2

If you are using private key then you have to use ssl_key option it will not 
work with cert.You can use **cert** options only with client certificate.

This error occurs because of three reason.

1. Correct certificate path is not provided. Hence not able to read & pass the certificate information to server.
2. The server failed to authenticate the request because of invalid certificate.
3. Php curl is not able to read the certificate file because of file owner/permission issue.

How Guzzle set ssl curl path:

• Guzzle use CURLOPT_CAINFO for file & CURLOPT_CAPATH for multiple certificates in directory
• Default certificate path is vendor/Http/Resources/cacert.pem.
• If you don't use phar in require_once then you can replace existing certificate file with your new certificate because it initialize SSL on every request. This will work without changing the code.
• Guzzle uses ssl.certificate_authority parameter to set the curl ssl certification. It supports values as false,true or file path

• You can set the file path while class initialization as below-

  $cert_file = '/var/www/stack/25924147/cert/example.pem'; #Use absolute path as relative path will not work
  $client = new Client();
  $client->setDefaultOption('verify',true); #pass it for self-signed certificate
  $client->setSslVerification($cert_file,true,2);  #Last Verify Option states default value is 2. When the verify value is 0, the connection succeeds regardless of the names in the certificate. Use that ability with caution!. When the verify value is 1, curl_easy_setopt will return an error
  try{
      $request = $client->get($url);
      $options = $request->getCurlOptions(); #used to check curl options is set properly.
      var_dump($options); 
      $response = $client->send($request);
      echo $response . PHP_EOL;
      print 'HI' . PHP_EOL;
  }catch( Guzzle\Http\Exception\CurlException $e){
      print_r($e->getResponse());
      echo "\n Curl Error \n";
  }catch(Guzzle\Http\Exception\ClientErrorResponseException $e){
     print_r($e->getResponse());
     echo "\n Response Error \n";
  }catch( Guzzle\Http\Exception\RequestException $e){
    print_r($e->getResponse());
    echo "\n REquest Error \n";
  }
  

OR If you wants to pass certificate on every request try below code

   $cert_file = '/var/www/stack/25924147/cert/example.pem'; #Use absolute path as relative path will not work
   $client = new Client();
   $request = $client->get('https://www.example.com', array(), array(

      'ssl_key' => array('/etc/pki/private_key.pem')

  )


With Passoword - 
 $request = $client->get('https://www.example.com', array(), array(

     'ssl_key' => array('/etc/pki/private_key.pem', 's3cr3tp455w0rd')

 )

For Guzzle Http client Doc check - The Guzzle HTTP client

Answer 3

First, because this lead to some confusion, there are two versions of Guzzle available on Gihub:

• Guzzle3 (the old version, you are using)
• Guzzle (the new, rewritten version)

Here comes two (tested working) examples one for each version of Guzzle:

For the recent versions of Guzzle (not the so called older version Guzzle3) it should be:

use GuzzleHttp\Client;

$client = new Client();
$response = $client->get($url, array('cert' => $cert_file));

var_dump($response);

Make sure the client certificate is stored in PEM format. If the certificate is protected by a password, you'll need to specify it like this:

$response = $client->get($url, 
    array('cert' => array($cert_file, 'password' => '****'));

!! Note the above code to provide the password is described in the manual but didn't worked in the recent version.

For the old version Guzzle3 (you are using)

use Guzzle\Http\Client;

// Create a client and provide a base URL
$client = new Client();

$request = $client->get($url, array(), array(
    'cert' => $cert_file
));

// You must send a request in order for the transfer to occur
$response = $request->send();

var_dump($response);