SSL certificate problem for Facebook

Groucho

Dec 9, 2010, 8:13:42 AM
to ThinkUp App
I get "SSL certificate problem, verify that the CA cert is OK.
Details: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" when I
try to connect with Facebook.

I have read the old thread regarding Beta 2, but I am using Beta 5 and
I am wondering if this is going to be a problem in the future that
will still depend on which host one is using? I have no way of
controlling the configuration of the host that I am using.

Is there some solution that I can use to get around this?

Gent

Gina Trapani

Dec 9, 2010, 12:52:20 PM
to think...@googlegroups.com
On Thu, Dec 9, 2010 at 5:13 AM, Groucho <gentl...@gmail.com> wrote:
> I have read the old thread regarding Beta 2, but I am using Beta 5 and
> I am wondering if this is going to be a problem in the future that
> will still depend on which host one is using? I have no way of
> controlling the configuration of the host that I am using.
>
> Is there some solution that I can use to get around this?

cURL has to be able to connect via SSL to Twitter and Facebook's API
from your server to gather data, so yes, this is a ThinkUp system
requirement. We're going to add a check for it in the installer so you
find out sooner rather than later if it doesn't work on your setup
(apologies for that).

--
http://ginatrapani.org
http://twitter.com/ginatrapani

Steltek

Dec 10, 2010, 9:12:41 AM
to ThinkUp App
Yes, there is.

Hack the file _lib/extlib/facebook/facebookapi_php5_restlib.php

At around line 3600, you will see several curl_setopt lines. Insert
the following two there:

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

Same deal around line 3644.

With those in place, Curl should no longer care about the validity of
the certificates.

- Michel

Gina Trapani

Dec 10, 2010, 11:51:44 AM
to think...@googlegroups.com
On Fri, Dec 10, 2010 at 7:12 AM, Steltek <lev....@gmail.com> wrote:
> Hack the file _lib/extlib/facebook/facebookapi_php5_restlib.php
>
> At around line 3600, you will see several curl_setopt lines. Insert
> the following two there:
>
>      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
>      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
>
> Same deal around line 3644.
>
> With those in place, Curl should no longer care about the validity of
> the certificates.

Well there you go! Thanks for the workaround Michel! We could add this
option to the developer area of the config file so that folks don't
have to re-edit code every time.

Kevin R. Raney

Dec 15, 2010, 6:40:34 PM
to ThinkUp App
I don't see this file in my install; the only file I see listed is
facebook.php and it only has ~900 lines. Could this have changed in
version .5?

-Kevin

Andy Baio

Dec 15, 2010, 7:06:49 PM
to think...@googlegroups.com

Yeah, the method used to set curl options changed a little.  You can add this at around line 600:

$opts[CURLOPT_SSL_VERIFYHOST] = false;
$opts[CURLOPT_SSL_VERIFYPEER] = false;

-- Andy.


Parker Higgins

Mar 18, 2011, 5:48:38 PM
to think...@googlegroups.com
I'm getting this bug on a new install of 0.9. However, I'm not even seeing a directory called facebook in my /_lib/extlib folder. Has it been moved in the most recent version, or is there anything I can do to trigger its creation?

Thanks,
Parker

Gina Trapani

Mar 18, 2011, 5:51:43 PM
to think...@googlegroups.com
On Fri, Mar 18, 2011 at 2:48 PM, Parker Higgins <parker...@gmail.com> wrote:
> Has it been moved in the most recent version

Yes, now it's located in webapp/plugins/facebook/extlib/facebook/

Randi Miller

May 14, 2011, 7:16:39 PM
to think...@googlegroups.com
Just ran into this problem. I wanted to verify for future that adding the below code does work if added to line 600. Thanks Andy Baio and Steltek!! 

Simon Griffiths

Oct 21, 2012, 9:12:31 PM
to think...@googlegroups.com
Any updates on this? I'm trying to upgrade 1.08.1 and am looking at adding code in around line 800 ish by the looks of it. Where do I add those lines in the following: -

  protected function makeRequest($url, $params, $ch=null) {
    if (!$ch) {
      $ch = curl_init();
    }

    $opts = self::$CURL_OPTS;
    if ($this->useFileUploadSupport()) {
      $opts[CURLOPT_POSTFIELDS] = $params;
    } else {
      $opts[CURLOPT_POSTFIELDS] = http_build_query($params, null, '&');
    }
    $opts[CURLOPT_URL] = $url;

    // disable the 'Expect: 100-continue' behaviour. This causes CURL to wait
    // for 2 seconds if the server does not support this header.
    if (isset($opts[CURLOPT_HTTPHEADER])) {
      $existing_headers = $opts[CURLOPT_HTTPHEADER];
      $existing_headers[] = 'Expect:';
      $opts[CURLOPT_HTTPHEADER] = $existing_headers;
    } else {
      $opts[CURLOPT_HTTPHEADER] = array('Expect:');
    }

    curl_setopt_array($ch, $opts);
    $result = curl_exec($ch);

    if (curl_errno($ch) == 60) { // CURLE_SSL_CACERT
      self::errorLog('Invalid or no certificate authority found, '.
                     'using bundled information');
      curl_setopt($ch, CURLOPT_CAINFO,
                  dirname(__FILE__) . '/fb_ca_chain_bundle.crt');
      $result = curl_exec($ch);
    }

    if ($result === false) {
      $e = new FacebookApiException(array(
        'error_code' => curl_errno($ch),
        'error' => array(
        'message' => curl_error($ch),
        'type' => 'CurlException',
        ),
      ));
      curl_close($ch);
      throw $e;
    }
    curl_close($ch);
    return $result;
  }

btw - Is there any way we can delete the old posts? This is very confusing having all old info which you can't find file locations etc!

Cheers
Simon 

Nathan Collier

Dec 12, 2013, 12:55:18 AM
to think...@googlegroups.com, gentl...@gmail.com
http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/

^^ Explains updating your SSL CA certs to properly override the default self-signed certs that prevent use of curl ssl verify/verify peer.

Chris Moyer

Dec 12, 2013, 10:39:14 AM
to think...@googlegroups.com, gentl...@gmail.com
If you can't update the CA chain (which you probably can't in a
shared host) you can turn off ssl verification for those curl requests
in the code.

This is *certainly not ideal*, since it basically removes a good
portion of the reason to use https, but it should make it work.

You'd modify webapp/_lib/class.Utils.php
around line 133 (just after $c = curl_init();), you'd add:

curl_setopt ($c, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($c, CURLOPT_SSL_VERIFYPEER, 0);
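
Added example (not part of the thread and not ThinkUp code): an installer-style check for the SSL requirement discussed above that keeps certificate verification on and, when the host's CA store fails, retries with a CA bundle shipped alongside the application through CURLOPT_CAINFO, the same option the SDK excerpt quoted in the thread falls back to. The function names, the probe URL and the cacert.pem path are assumptions.

```php
<?php
// Added example, not ThinkUp code. Function names, probe URL and bundle path are assumptions.

// Attempt one HTTPS request with certificate verification fully enabled.
// $ca_bundle = null uses the host's default CA store; otherwise the given PEM file.
function probe_verified_tls($url, $ca_bundle = null) {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true, // HEAD request: the handshake is what matters
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 20,
        CURLOPT_SSL_VERIFYPEER => true, // chain must lead to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the host name
    ));
    if ($ca_bundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $ca_bundle);
    }
    $ok = curl_exec($ch) !== false;
    return array(
        'ok'        => $ok,
        'errno'     => curl_errno($ch),
        'error'     => curl_error($ch),
        'ca_source' => $ca_bundle === null ? 'host default' : $ca_bundle,
    );
}

// Installer-style check: try the host's CA store first, then the shipped bundle.
// Verification is never switched off; a failure is reported to the caller.
function check_tls_requirement($url, $ca_bundle) {
    $first = probe_verified_tls($url);
    // 60 = CA verification failed (the code tested in the SDK excerpt above),
    // 77 = the configured CA file could not be read.
    $ca_problem = in_array($first['errno'], array(60, 77), true);
    if ($first['ok'] || !$ca_problem || !is_readable($ca_bundle)) {
        return $first;
    }
    return probe_verified_tls($url, $ca_bundle);
}

if (PHP_SAPI === 'cli') {
    // Needs outbound network access; cacert.pem is a placeholder for a CA bundle you ship.
    print_r(check_tls_requirement('https://graph.facebook.com/', __DIR__ . '/cacert.pem'));
}
```

If the result is still errno 60 with the shipped bundle as `ca_source`, the bundle is out of date or the certificate presented to the server is not the expected one, and the request should fail rather than proceed unverified.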