Guzzle SSL Certificate Verification Failure on CircleCI

[evilantnie]

I'm trying to push coverage results from our CircleCI builds, but the test-reporter step fails at the end with the following error:

[Guzzle\Http\Exception\CurlException]                                        
  [curl] 60: server certificate verification failed. CAfile: /home/ubuntu/Sto  
  ck/www/protected/composer_vendor/guzzle/guzzle/src/Guzzle/Http/Resources/ca  
  cert.pem CRLfile: none [url] https://codeclimate.com/test_reports    

I've tried upgrading to the latest guzzle version in our composer.json, as well as ensuring that the box has running update-ca-certs on the box, but I still get this error. Any ideas?

[evilantnie]

I've attempted to upgrade the project to Guzzle 4.0 which has an updated pem file (https://github.com/guzzle/guzzle/blob/master/src/cacert.pem) which fixed the certificate issue. However, the ApiClient code isn't entirely compatible with the newer guzzle client and is failing w/ another error: "Unknown error posting Test coverage data."

At this point I'm giving up on leveraging code climate for php coverage until the feature is better supported.

[pbrisbin]

I was able to upload a coverage file successfully in a test project. This test project is using guzzle/guzzle3@92d9934f which is the release commit for 3.9.1. What version is installed in your case?

[rbait]

I'm getting the same exception on Codeship's CI. Installed version of guzzle is guzzle/guzzle3@92d9934

[munkie]

I have the same exception on Travis-CI. I came up with workaround creating report json with test-rporter --stdout > codeclimate.json and then sending it using console curl:

CODECLIMATE_REPO_TOKEN=<token> bin/test-reporter --stdout > codeclimate.json
curl -X POST -d @codeclimate.json -H 'Content-Type: application/json' -H 'User-Agent: Code Climate (PHP Test Reporter v1.0.1-dev)' https://codeclimate.com/test_reports

[rbait]

Nice, works like a charm 👍

[pbrisbin]

@rbait @munkie I've pushed a branch (pb-upgrade-guzzle) which uses Guzzle 4.0. Could you test this version for me?

I had to add the following to my project's composer.json to try out the branch:

    "repositories": [
      {
        "type": "vcs",
        "url": "https://github.com/codeclimate/php-test-reporter"
      }
    ],
    "require-dev": {
        "codeclimate/php-test-reporter": "dev-pb-upgrade-guzzle"
    }

I'm not very familiar with PHP packaging, so there may be an easier way.

[munkie]

@pbrisbin I tried to build with your branch - https://travis-ci.org/crystalservice/samba/jobs/28482243
Result is the same curl error #60:

CURLE_SSL_CACERT (60)
Peer certificate cannot be authenticated with known CA certificates. 

Also job with PHP 5.3 failed because Guzzle requires php 5.4 and composer install failes to execute.

[pbrisbin]

@munkie Just pushed an update to use Guzzle 4.1 (not 4.0) which has an even newer cert file. Could you try that?

[munkie]

@pbrisbin and exception remains - https://travis-ci.org/crystalservice/samba/jobs/28525032#L289

[sun]

Still an issue (travis-ci). File transfer fails due to CA cert verification error.

Given that cURL works, but Guzzle does not, the most simple fix is probably to configure/instruct Guzzle to not use its own CA file, but use the CA file of the operating system instead.

For Guzzle 3, pass the following config option into Client:

$config = ['ssl.certificate_authority' => 'system'];

For Guzzle 4, pass the following config option into Client:

$config = ['verify' => TRUE];

---

Alternatively, in case the final HTTP file transfer is the only usage of Guzzle in php-test-reporter, then it might be wise to even consider to

1. drop Guzzle altogether (one less dependency), and
2. either change the docs to use @munkie's script lines
   OR
   simply write a few lines of raw/native PHP code to perform a HTTP POST request (e.g., relying on the curl extension, which should be available everywhere), which should be more than sufficient for this use-case.

[pbrisbin]

Thanks for this information!

For now, I'm going to cut a new branch from master and do the (seemingly) quick fix of telling Guzzle 3 to use the system cert.

Ultimately, I like your last suggestion the best -- we really don't need that dependency. I'm not sure how quickly I can get that out the door though, not being a PHP developer myself. Hopefully that change to the client configuration will get things working in the meantime.

[pbrisbin]

OK, the branch pb-system-cert has been pushed and is ready to try.

/cc @munkie

[munkie]

@pbrisbin same sh*t - https://travis-ci.org/crystalservice/samba/jobs/28829337#L283