iWizard

Reputation: 7094

openssl_pkey_new throws error configuration file routines:NCONF_get_string:no value

I have found a couple of posts about this problem, but I have not solved my problem using their solutions.

This is my test script:

<?php
// Drain anything already sitting in the OpenSSL error queue, so that
// whatever is queued afterwards can be attributed to openssl_pkey_new().
echo "\n*** Errors before calling openssl_pkey_new\n";
// no errors
while (($e = openssl_error_string()) !== false) {
    var_dump($e);
}

$config = [
    'config' => '/etc/ssl/openssl.cnf',
    "digest_alg" => "sha1",
    "private_key_bits" => 4096,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
];
var_dump(openssl_pkey_new($config));

// Read the error queue again: these are the messages in question.
echo "\n*** Errors after calling openssl_pkey_new\n";
while (($e = openssl_error_string()) !== false) {
    echo "<pre>";print_r($e);echo "</pre>";
}

Tried also sha256 and sha512.

cnf file:

ls -l /etc/ssl/openssl.cnf
-rw-r--r-- 1 root root 10835 Jun 20  2014 /etc/ssl/openssl.cnf

Errors:

error:0E06D06C:configuration file routines:NCONF_get_string:no value
error:0E06D06C:configuration file routines:NCONF_get_string:no value
error:0E06D06C:configuration file routines:NCONF_get_string:no value

I have also tried to set OPENSSL_CONF on the top of script but without success:

putenv('OPENSSL_CONF=/etc/ssl/openssl.cnf');

I have also tried to use custom openssl.cnf but also without any success:

cat /var/www/openssl.cnf 
distinguished_name  = req_distinguished_name
[req_distinguished_name]
[v3_req]
[v3_ca]

What could be a problem?

Is it safe to ignore these errors and clear them out after using openssl_pkey_new, or is there a solution?

Thank you in advance

Upvotes: 5

Views: 7630

Answers (3)

Joseph Riopelle

Reputation: 179

Here is a bare-minimum config that you can use on top of your default config to eliminate all these warnings:

#PHP shim for an otherwise beautiful openssl.cnf
RANDFILE    = /dev/null #PHP warns if this doesn't exist
oid_file    = /dev/null #PHP warns if this doesn't exist
#PHP warns if oid_section isn't in the default section
#PHP warns if oid_section is used in another section (only on initialization)
oid_section = php_oids  #set an empty OID section
.include /etc/ssl/openssl.cnf    #include our working conf
[ req ]
  #differs from attr format
  attributes         = php_attr #openssl_csr_new()
  #not set in include
  encrypt_rsa_key    = yes #encrypt_key
  #uncomment to override include
  #req_extensions     = php_req_extension #req_extensions
  #x509_extensions    = php_x509_extension #x509_extensions
  #default_bits       = 4096          #private_key_bits
  #default_md         = sha512        #digest_alg
  #string_mask        = utf8only      #string_mask
  #distinguished_name = php_distinguished_name #openssl_csr_new()
[ php_attr ] #empty attributes section (supports challengePassword,unstructuredName)
[ php_oids ] #empty OID section
[ php_distinguished_name ] #empty DN section (supports both DN conf formats)
[ php_x509_extension ] #empty x509 extension section
  subjectKeyIdentifier   = hash #at least one value required
[ php_req_extension ] #empty req extension section
  subjectKeyIdentifier   = hash #at least one value required

Upvotes: 2

Kuppuraj

Reputation: 409

I have faced this issue on my system after updating to Mojave on my Mac.

Solution

I have uncommented the value below in my openssl.cnf file, which fixed the issue:

default_bits        = 2048

Upvotes: 1

Reinier Torenbeek

Reputation: 17373

Analysis of the problem

Looking at the openssl_pkey_new() documentation, it mentions:

See openssl_csr_new() for more information about configargs.

It turns out that the openssl_pkey_new() and openssl_csr_new() implementations share the code for reading the configuration. You can see its invocation in the PHP source code here via a symbol PHP_SSL_REQ_PARSE, which expands to php_openssl_parse_config. Its first parameter is of type x509_request. (CSR stands for Certificate Signing Request; for more information see the OpenSSL req app documentation.)

Sifting through the implementation of php_openssl_parse_config, there turn out to be a lot of attempts to read configuration parameters that are relevant for CSRs, but not for just key generation. Many of those fail and generate that same error that you have indicated.

To make life easier, I have instrumented the OpenSSL crypto lib directly to print information about any failed configuration string lookup. Running your script with that setup resulted in the following (on Ubuntu 18.04, using the configuration found in /etc/ssl/openssl.cnf):

$ php conftest.php 
_CONF_get_string failed for section "(null)", name "openssl_conf"

*** Errors before calling openssl_pkey_new
_CONF_get_string failed for section "(null)", name "oid_file"
_CONF_get_string failed for section "req", name "default_md"
_CONF_get_string failed for section "req", name "req_extensions"
_CONF_get_string failed for section "req", name "encrypt_rsa_key"
_CONF_get_string failed for section "req", name "encrypt_key"
_CONF_get_string failed for section "req", name "default_md"
resource(4) of type (OpenSSL key)

*** Errors after calling openssl_pkey_new
error:0E06D06C:configuration file routines:NCONF_get_string:no value
error:0E06D06C:configuration file routines:NCONF_get_string:no value
error:0E06D06C:configuration file routines:NCONF_get_string:no value
error:0E06D06C:configuration file routines:NCONF_get_string:no value
error:0E06D06C:configuration file routines:NCONF_get_string:no value
error:0E06D06C:configuration file routines:NCONF_get_string:no value

A solution

From the analysis, it looks like adding values for the settings oid_file in the main section and default_md, req_extensions and encrypt_rsa_key in the [req] section of openssl.cnf should resolve the errors. Indeed, after doing that, the result is as follows.

$ php conftest.php 

*** Errors before calling openssl_pkey_new
resource(4) of type (OpenSSL key)

*** Errors after calling openssl_pkey_new

Conclusion

I think you can safely ignore PHP's erroneous invocation of irrelevant configuration settings.

Upvotes: 4
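As an added example (not code from the question or from any of the answers), here is one way to act on the analysis above in a script: generate the key the way the question's test script does, then drain the OpenSSL error queue and separate the harmless NCONF_get_string "no value" probes from anything else, instead of blindly clearing the whole queue. It assumes PHP 7.4 or later with ext/openssl and a readable /etc/ssl/openssl.cnf. Matching the message text rather than the 0E06D06C hex code is an assumption made here because the numeric code differs between OpenSSL releases; on newer PHP releases the queue may already be empty after the call, in which case the filter simply has nothing to do.

```php
<?php
// Added example, not from the question or the answers: generate an RSA key
// and keep only the OpenSSL errors that are NOT the known config-probe noise.
// Assumes PHP >= 7.4 with ext/openssl and a readable /etc/ssl/openssl.cnf.
declare(strict_types=1);

/** Drain PHP's OpenSSL error queue into an array (oldest first). */
function drain_openssl_errors(): array
{
    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return $errors;
}

/**
 * True for the benign "no value" messages that php_openssl_parse_config
 * leaves behind when it probes CSR-only settings (oid_file, req.default_md,
 * req.req_extensions, req.encrypt_rsa_key, ...). Matched on the library and
 * reason text, not the hex code (assumption: the text is stable across
 * OpenSSL versions while the numeric code is not).
 */
function is_benign_config_warning(string $err): bool
{
    return strpos($err, 'configuration file routines') !== false
        && strpos($err, 'no value') !== false;
}

/**
 * Generate a private key and return [$key, $realErrors].
 * $key is false when generation failed; $realErrors holds every queued
 * OpenSSL message that is not one of the config-probe warnings.
 */
function generate_key(array $config): array
{
    drain_openssl_errors(); // start from a clean queue, as the question does
    $key = openssl_pkey_new($config);
    $real = array_values(array_filter(
        drain_openssl_errors(),
        fn(string $e): bool => !is_benign_config_warning($e)
    ));
    return [$key, $real];
}

// digest_alg is not consulted by openssl_pkey_new(); it only matters when the
// same array is passed to openssl_csr_new()/openssl_csr_sign(). sha256 is used
// here instead of the question's sha1 so the array is safe to reuse for CSRs.
$config = [
    'config'           => '/etc/ssl/openssl.cnf',
    'digest_alg'       => 'sha256',
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
];

[$key, $errors] = generate_key($config);

// Strict policy: a false return OR any non-config message is treated as failure,
// so a real library problem is not hidden by the loop that discards the noise.
if ($key === false || $errors !== []) {
    fwrite(STDERR, "key generation failed:\n  " . implode("\n  ", $errors) . "\n");
    exit(1);
}

// Check the result rather than trusting a non-false return value.
$details = openssl_pkey_get_details($key);
if ($details['type'] !== OPENSSL_KEYTYPE_RSA || $details['bits'] !== 2048) {
    fwrite(STDERR, "unexpected key parameters\n");
    exit(1);
}

openssl_pkey_export($key, $pem);
echo "generated RSA-{$details['bits']} key, ", strlen($pem), " bytes of PEM\n";
```

Run it as `php keytest.php`. The failure policy is deliberately strict: anything left in the queue that is not a configuration-file lookup ends the script with a non-zero exit status, which is the part the question's "clear them out afterwards" approach loses. It also shows why trying sha256 and sha512 in the question made no difference: the digest is never used for key generation, only for signing a CSR or certificate with the same configargs.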
