Bug #81078 PEAR.php.net SSL error
Submitted: 2021-05-24 14:48 UTC
Modified: 2021-05-31 13:36 UTC
Votes:6
Avg. Score:4.7 ± 0.5
Reproduced:6 of 6 (100.0%)
Same Version:5 (83.3%)
Same OS:3 (50.0%)
From: svetlozar at durial dot com
Assigned:
Status: Re-Opened
Package: Systems problem
PHP Version: Irrelevant
OS: macOS Mojave
Private report: No
CVE-ID: None

 [2021-05-24 14:48 UTC] svetlozar at durial dot com
Description:
------------
The SSL certificate used by https://pear.php.net/ has expired and causes OpenSSL error messages.


 [2021-05-24 14:52 UTC] seana39223 at gmail dot com
This issue is having a massive impact for me.
 [2021-05-24 18:02 UTC] dansthunder at gmail dot com
RHEL 8.3 and 8.4 can't download php without doing a skip certificate check.  Did someone forget to include the CA? 

--2021-05-24 17:59:29--  https://www.php.net/distributions/php-8.0.6.tar.xz
Resolving www.php.net (www.php.net)... 2a02:cb40:200::1ad, 185.85.0.29
Connecting to www.php.net (www.php.net)|2a02:cb40:200::1ad|:443... connected.
ERROR: The certificate of ‘www.php.net’ is not trusted.
ERROR: The certificate of ‘www.php.net’ was signed using an insecure algorithm.
 [2021-05-25 08:15 UTC] d dot reade at reades dot uk
CentOS Linux release 7.9.2009 (Core)

Updating channel "doc.php.net"
Channel "doc.php.net" is not responding over http://, failed with message: Connection to `doc.php.net:80' failed: Connection refused
Trying channel "doc.php.net" over https:// instead
Cannot retrieve channel.xml for channel "doc.php.net" (Connection to `ssl://doc.php.net:443' failed: Connection refused)
 [2021-05-25 11:55 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Package: Website problem
+Package: Systems problem
-Assigned To:
+Assigned To: cmb
 [2021-05-25 11:55 UTC] cmb@php.net
It seems the cert has been updated, or does anyone still have
issues accessing the site?
 [2021-05-25 14:53 UTC] svetlozar at durial dot com
-Status: Feedback
+Status: Assigned
 [2021-05-25 14:53 UTC] svetlozar at durial dot com
I can confirm that the issue with https://pear.php.net/ seems to have been resolved.

Given the other comments in this report that relate to other parts of the site I am not sure if I should close this issue or not, so I will leave that to you.

Kind regards,
Svet
 [2021-05-25 15:04 UTC] cmb@php.net
-Status: Assigned
+Status: Feedback
 [2021-05-25 15:04 UTC] cmb@php.net
Thanks for the swift reply!  I think it's best to leave this "on
feedback" for now.
 [2021-05-25 19:28 UTC] null at mcnutnut dot com
This still seems to be an issue on CentOS 6/7/8,

[root]# pear list-upgrades
Connection to `ssl://pear.php.net:443' failed:

[root]# wget https://pear.php.net
--2021-05-25 12:14:45--  https://pear.php.net/
Resolving pear.php.net (pear.php.net)... 109.203.101.62
Connecting to pear.php.net (pear.php.net)|109.203.101.62|:443... connected.
ERROR: The certificate of ‘pear.php.net’ is not trusted.
ERROR: The certificate of ‘pear.php.net’ was signed using an insecure algorithm.
 [2021-05-25 19:29 UTC] null at mcnutnut dot com
CentOS 6 seems to give a little more detail on the problem:

[root]# wget https://pear.php.net
--2021-05-25 12:16:25--  https://pear.php.net/
Resolving pear.php.net... 109.203.101.62
Connecting to pear.php.net|109.203.101.62|:443... connected.
ERROR: cannot verify pear.php.net’s certificate, issued by “/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Domain Validation CA SHA2”:
  Self-signed certificate encountered.
To connect to pear.php.net insecurely, use ‘--no-check-certificate’.
 [2021-05-25 19:56 UTC] rasmus@php.net
-Status: Feedback
+Status: Closed
 [2021-05-25 19:56 UTC] rasmus@php.net
The cert is fine - https://www.ssllabs.com/ssltest/analyze.html?d=pear.php.net
Your ancient CentOS 6 likely has outdated root certs.
 [2021-05-28 15:54 UTC] dansthunder at gmail dot com
The problem is the self signed CA cert included on *.php.net.  It's included in your CA chain.  Can you remove it?  

Connecting to www.php.net (www.php.net)|2a02:cb40:200::1ad|:443... connected.
ERROR: The certificate of ‘www.php.net’ is not trusted.
ERROR: The certificate of ‘www.php.net’ was signed using an insecure algorithm.
 [2021-05-28 16:42 UTC] cmb@php.net
Well, the root certificate is signed with the weak sha1RSA, but
that shouldn't have an impact on a root certificate.
 [2021-05-28 17:13 UTC] heiglandreas@php.net
There seem to be installations that do not have the Certum CA root cert in their list of known root certificates.

OhDear mentions that in their SSL checks as well. I do not yet know where they get their root CA list from. Checking that currently...
 [2021-05-28 17:16 UTC] dansthunder at gmail dot com
Or we have to add Certum's self-signed CA cert to Mozilla's / RHEL's CA:

 [2021-05-28 17:22 UTC] dansthunder at gmail dot com
https://www.ssllabs.com/ssltest/analyze.html?d=www.php.net&s=185.85.0.29 shows the multiple CA paths, and Certum's CA is in RHEL's CA, just not the self-signed one.  Adding the self-signed CA makes everything work.  Clicking the tabs in the SSL Labs certification paths, you'll see that in Mozilla's and Android's, the self-signed cert is not in the trust store.  I'm not sure why two sets of CAs are being sent down for *.php.net.  The one with the self-signed cert is causing the issues.
 [2021-05-31 13:36 UTC] cmb@php.net
-Status: Closed
+Status: Re-Opened
-Assigned To: cmb
+Assigned To:
 [2021-05-31 13:36 UTC] cmb@php.net
Hmm, might be a CDN issue.
 [2021-06-01 05:36 UTC] heiglandreas@php.net
What I see in the trust paths is that the path using the third and fourth certificates sent by the server is the one causing issues. Would just sending the first two certificates in the server response possibly resolve the issue, as that will always resolve to a trusted root CA?
 [2021-08-17 08:15 UTC] rtrtrtrtrt at dfdfdfdf dot dfd
this is also a problem on Fedora 33

besides "Grade B" on https://www.ssllabs.com/ssltest/analyze.html?d=www.php.net&s=185.85.0.29&hideResults=on you clearly see 

Certificates provided 	4 (5114 bytes)
Chain issues 	Contains anchor

#4
Subject 	Certum CA   Not in trust store
Fingerprint SHA256: d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d8143624
Pin SHA256: lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4=
Valid until 	Fri, 11 Jun 2027 10:46:39 UTC (expires in 5 years and 9 months)
Key 	RSA 2048 bits (e 65537)
Issuer 	Certum CA   Self-signed
Signature algorithm 	SHA1withRSA   Weak, but no impact on root certificate
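
Added example (not part of the original report, and not php.net's code): a simplified Python model of the chain issue discussed in this thread, showing why a client that follows all four sent certificates fails while the first two alone validate. Certificates are reduced to subject/issuer name pairs; the name "Root R", the trust store contents and the two client behaviours are assumptions made for illustration.

```python
# Added example: certificates reduced to (subject, issuer) name pairs.
# Real validators also verify signatures, dates and key identifiers.

# Constructed sample shaped like the four-certificate chain reported above.
# "Root R" is a placeholder for the issuer name of certificate #2 and the
# subject of certificate #3, which the report does not spell out.
SENT_CHAIN = [
    ("www.php.net", "Certum Domain Validation CA SHA2"),
    ("Certum Domain Validation CA SHA2", "Root R"),
    ("Root R", "Certum CA"),        # cross-signed copy of Root R
    ("Certum CA", "Certum CA"),     # self-signed anchor sent by the server
]
# Assumed client store: has Root R, lacks the self-signed Certum CA.
TRUST_STORE = {"Root R"}


def anchors_in_chain(chain):
    """Positions of self-signed certificates ('Contains anchor')."""
    return [i for i, (subj, issuer) in enumerate(chain) if subj == issuer]


def linked(chain):
    """Each certificate must be issued by the next one in the list."""
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def validate_follow_sent(chain, trust):
    """Model of a client that walks every certificate the server sent and
    consults its store only for the issuer of the last one."""
    return bool(chain) and linked(chain) and chain[-1][1] in trust


def trim_to_trusted(chain, trust):
    """Shortest prefix of the sent chain that ends at a trusted issuer."""
    for i, (_, issuer) in enumerate(chain):
        if issuer in trust:
            return chain[: i + 1]
    return []


def validate_trusted_first(chain, trust):
    """Model of a client that stops at the first issuer found in its store."""
    return validate_follow_sent(trim_to_trusted(chain, trust), trust)


if __name__ == "__main__":
    short = trim_to_trusted(SENT_CHAIN, TRUST_STORE)
    print("anchors at:", anchors_in_chain(SENT_CHAIN), "trimmed to:", len(short))
    print("as sent:", validate_follow_sent(SENT_CHAIN, TRUST_STORE),
          "trimmed:", validate_follow_sent(short, TRUST_STORE))
```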
 
Last updated: Thu Sep 16 17:03:37 2021 UTC