Failed to get local issuer certificate / SOAP-ERROR: WSDL parsing: Failed to load from
ZenLoadBalancer is in front of my web servers (Debian). The load balancer handles SSL. This works great in the browser. However, when connecting via SOAP or Curl, I run into a problem.
I used a curl test from another SO post to see if the problem is SSL related:
$_h = curl_init();
// Return the response (headers included) as a string instead of printing it
curl_setopt($_h, CURLOPT_HEADER, 1);
curl_setopt($_h, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($_h, CURLOPT_HTTPGET, 1);
curl_setopt($_h, CURLOPT_URL, 'https://mydomain.ca/webservice/soap/server.php?wsdl');
curl_setopt($_h, CURLOPT_DNS_USE_GLOBAL_CACHE, false);
curl_setopt($_h, CURLOPT_DNS_CACHE_TIMEOUT, 2);
// Left commented out: this would turn off verification of the server's certificate chain
//curl_setopt($_h, CURLOPT_SSL_VERIFYPEER, false);
var_dump(curl_exec($_h));
var_dump(curl_getinfo($_h));
var_dump(curl_error($_h));
string(63) "SSL certificate problem: unable to get local issuer certificate"
If I uncomment the CURLOPT_SSL_VERIFYPEER line, I get the XML back as expected.
So here's the real problem ... when I try to make a SOAP call:
PHP Fatal error: SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://mydomain.ca/webservice/soap/server.php?wsdl' : failed to load external entity "https://mydomain.ca/webservice/soap/server.php?wsdl"
If I take the load balancer out of the equation (and configure SSL virtualhosts, etc.), the SOAP service works fine. It's only when I add the load balancer that I get this problem.
I am under the impression that the problem is precisely what the answer from Curl says: "Failed to get the local issuer certificate." However, I tried installing ca-certificates, specifying PEM files, and so on, but nothing works.
I think the problem is with the load balancer side, but I've tested things on the web server side just in case it goes through the load balancer.
On the web server, I can:
openssl s_client -connect mydomain.ca:443
This returns the certificate.
I confirmed that the server is listening on ports 443/8080/80, so that should be fine too (I disabled iptables just in case). I checked ports.conf and everything is listening as intended.
Hope someone on SO can help point me in a different direction, because I'm not really sure what to search for in Bing/Google at this point. Any help would be appreciated.
Finally figured it out. The key to understanding this was the final decision:
# openssl verify domain.pem
which should answer:
Before this was fixed, the answer was:
unable to get local issuer certificate
Now, the fix ... well, the problem ... it was because when I created the PEM file, I was using the wrong intermediate certificate. Oddly enough, browsers (IE / Chrome / FF) had no problem with this .. only when using Curl / SOAP I got an error.
To fix this in my case, I got the proper intermediate certificate from my SSL provider (found on their support page), rebuilt my PEM file with their intermediate certificate, tested the PEM with "openssl verify" and got the expected response ... "OK". After that, I reconfigured the load balancer to use this new PEM file and it worked. SOAP was able to connect!
Anyway, hope this can help someone in the future so they don't burn 6 hours like I did ugh.
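An added example, not part of the original posts: a shell check that can be run on the leaf and intermediate before rebuilding a PEM bundle, showing that a leaf verifies with the intermediate that issued it and fails with a different one. Curl and SOAP clients build the chain only from what the server sends plus their local trust store, so a wrong intermediate in the bundle breaks them. The function names, file names and CN values are hypothetical, and the certificates are a constructed throwaway PKI generated on the fly.

```shell
#!/bin/sh
# Added example. All certificates are constructed throwaway test material.

# check_chain LEAF INTERMEDIATE ROOT: exit 0 only if LEAF chains to ROOT
# through INTERMEDIATE, supplied with -untrusted like a server-sent chain cert.
check_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# issuer_matches LEAF INTERMEDIATE: exit 0 if the leaf's issuer name equals
# the intermediate's subject name (a fast pre-check before building the PEM).
issuer_matches() {
    [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$2" -noout -subject_hash)" ]
}

# sign_cert DIR NAME ISSUER [x509 options]: create DIR/NAME.key and
# DIR/NAME.pem, signed by DIR/ISSUER.pem.
sign_cert() {
    d=$1; name=$2; issuer=$3; shift 3
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/$name.key" -out "$d/$name.csr" -subj "/CN=demo $name" 2>/dev/null &&
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
        -CAcreateserial -days 2 -out "$d/$name.pem" "$@" 2>/dev/null
}

# build_demo_pki DIR: root CA, two intermediates ("good" and "wrong"),
# and a leaf issued by "good" only.
build_demo_pki() {
    printf '%s\n' '[req]' 'distinguished_name = req' 'x509_extensions = v3_ca' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$1/ca.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/root.key" -out "$1/root.pem" -subj "/CN=demo root" 2>/dev/null &&
    sign_cert "$1" good root -extfile "$1/ca.cnf" -extensions v3_ca &&
    sign_cert "$1" wrong root -extfile "$1/ca.cnf" -extensions v3_ca &&
    sign_cert "$1" leaf good
}

# Demo run: report both checks for each candidate intermediate.
tmp=$(mktemp -d) && build_demo_pki "$tmp" || exit 1
for i in good wrong; do
    issuer_matches "$tmp/leaf.pem" "$tmp/$i.pem" && n=match || n=MISMATCH
    check_chain "$tmp/leaf.pem" "$tmp/$i.pem" "$tmp/root.pem" && v=OK || v=FAIL
    echo "$i intermediate: issuer name $n, openssl verify $v"
done
rm -rf "$tmp"
```

To check real files against the system trust store instead of the demo root, drop `-CAfile "$3"` from `check_chain` and pass the provider's intermediate as the `-untrusted` file.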