maxvalentini77
10 Mar 2016

Steps to reproduce the issue

1: Enable and configure the plugin "Captcha - ReCaptcha".
2: Enable user registration and specify you want to use "Captcha - ReCaptcha".
3: Try to create a new account.

Expected result

A page with the Message:
Your account has been created and an activation link has been sent to the email address you entered.
Note that you must activate the account by selecting the activation link when you get the email before you can login.

Actual result

An error page with this message:
0 SSL certificate problem: unable to get local issuer certificate

Call stack

1 JApplicationCms->execute() C:\xampp\htdocs\my_project_home\index.php:49
2 JApplicationSite->doExecute() C:\xampp\htdocs\my_project_home\libraries\cms\application\cms.php:257
3 JApplicationSite->dispatch() C:\xampp\htdocs\my_project_home\libraries\cms\application\site.php:230
4 JComponentHelper::renderComponent() C:\xampp\htdocs\my_project_home\libraries\cms\application\site.php:191
5 JComponentHelper::executeComponent() C:\xampp\htdocs\my_project_home\libraries\cms\component\helper.php:380
6 require_once() C:\xampp\htdocs\my_project_home\libraries\cms\component\helper.php:405
7 JControllerLegacy->execute() C:\xampp\htdocs\my_project_home\components\com_users\users.php:15
8 UsersControllerRegistration->register() C:\xampp\htdocs\my_project_home\libraries\legacy\controller\legacy.php:728
9 JModelForm->validate() C:\xampp\htdocs\my_project_home\components\com_users\controllers\registration.php:137
10 JForm->validate() C:\xampp\htdocs\my_project_home\libraries\legacy\model\form.php:306
11 JForm->validateField() C:\xampp\htdocs\my_project_home\libraries\joomla\form\form.php:1187
12 JFormRuleCaptcha->test() C:\xampp\htdocs\my_project_home\libraries\joomla\form\form.php:1968
13 JCaptcha->checkAnswer() C:\xampp\htdocs\my_project_home\libraries\cms\form\rule\captcha.php:52
14 JEvent->update() C:\xampp\htdocs\my_project_home\libraries\cms\captcha\captcha.php:199
15 call_user_func_array() C:\xampp\htdocs\my_project_home\libraries\joomla\event\event.php:69
16 PlgCaptchaRecaptcha->onCheckAnswer()
17 PlgCaptchaRecaptcha->getResponse() C:\xampp\htdocs\my_project_home\plugins\captcha\recaptcha\recaptcha.php:152
18 JReCaptcha->verifyResponse() C:\xampp\htdocs\my_project_home\plugins\captcha\recaptcha\recaptcha.php:198
19 JReCaptcha->_submitHTTPGet() C:\xampp\htdocs\my_project_home\plugins\captcha\recaptcha\recaptchalib.php:131
20 JHttp->get() C:\xampp\htdocs\my_project_home\plugins\captcha\recaptcha\recaptchalib.php:97
21 JHttpTransportCurl->request() C:\xampp\htdocs\my_project_home\libraries\joomla\http\http.php:175

System information (as much as possible)

PHP Built On: Windows NT PLUTONE 6.2 build 9200 (Windows 8 Home Premium Edition) i586
Database Version: 5.6.21
Database Collation: latin1_swedish_ci
Database Connection Collation: utf8mb4_general_ci
PHP Version: 5.6.3
Web Server: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.6.3
WebServer to PHP Interface: apache2handler
Joomla! Version: Joomla! 3.5.0-rc Release Candidate [ Ember ] 10-March-2016 00:30 GMT
Joomla! Platform Version: Joomla Platform 13.1.0 Stable [ Curiosity ] 24-Apr-2013 00:00 GMT
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Additional comments

A similar configuration (different plugins keys because the domain is different) on Joomla! 3.4.8 works.

maxvalentini77 - open - 10 Mar 2016
andrepereiradasilva - comment - 10 Mar 2016

Can't reproduce the problem on 3.5.0 RC.

An error page with this message:
0 SSL certificate problem: unable to get local issuer certificate

Anyway, the problem seems to be that your server, somehow, can't connect with cURL via HTTPS to google recaptcha server.

brianteeman - comment - 10 Mar 2016

@andrepereiradasilva don't think that can be the case as @maxvalentini77 stated it works on the same server with 3.4.8 BUT there are different plugins

andrepereiradasilva - comment - 10 Mar 2016

if you see the last line of the callback posted by @maxvalentini77 you can see it stops at https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/http/http.php#L175 which in turn calls the JHttpTransportCurl request method https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/http/transport/curl.php#L61.

That is returning an error:

0 SSL certificate problem: unable to get local issuer certificate

I think that normally this is a cURL error that signifies that curl cannot check the certificate chain of trust.

But @maxvalentini77 you can do a simple test (just to check if this is the issue - verify peer should NOT be disabled), what happens if you put ...

$options[CURLOPT_SSL_VERIFYPEER] = false;

in this line https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/http/transport/curl.php#L174

maxvalentini77 - comment - 10 Mar 2016

I have made the test again.

Same computer, same php, same db, same apache, just 2 different virtual hosts.
(it is my development computer)

The differences in the plugin configuration are only the public key and the secret key.

On Joomla! 3.4.8 it works, on Joomla! 3.5.0 RC I got the error.

@andrepereiradasilva
I tried adding the line as you suggested and it works.

In some way the default parameter for curl has changed from 3.4.8 to 3.5.0 RC.
I think other people like me will get the error.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9367.

andrepereiradasilva - comment - 10 Mar 2016

@mbabker do you think this has something to do with JHttp curl cacert.pem?

mbabker - comment - 10 Mar 2016

If the required root certificates aren't in the cacert.pem, it could. Simple tests then are to use cacert.pem shipped with 3.4.8 on current staging and current staging's cacert.pem on 3.4.8.

maxvalentini77 - comment - 10 Mar 2016

@mbabker @andrepereiradasilva
I swapped the files "/libraries/joomla/http/transport/cacert.pem" and now I have the error on Joomla! 3.4.8 and not on Joomla! 3.5.0 RC.

andrepereiradasilva - comment - 10 Mar 2016

thanks @mbabker for the enlightenment and thanks @maxvalentini77 for the tests

so .. that's the problem.

But this URI (https://www.google.com/recaptcha/api/siteverify) is the www.google.com domain ...

From https://www.ssllabs.com/ssltest/analyze.html?d=www.google.com&s=172.217.2.36&hideResults=on I think it uses the "GeoTrust Global CA" that is in both cacert.pem ...

Should be verified right?

But I also see this is signed by "Equifax Secure Certificate Authority".

Don't know why but I think the problem is with this CA. (It was removed 3 days ago 095a0af)

@maxvalentini77
can you test just adding this CA certificate (https://github.com/joomla/joomla-cms/blob/3.4.x/libraries/joomla/http/transport/cacert.pem#L21-L40) in 3.5.0 RC cacert.pem to see if this is the problem?

UPDATE: please notice that Mozilla still hasn't removed the Equifax 1024 bit root because of problems with removing that CA root before. See http://mxr.mozilla.org/mozilla-release/source/security/nss/lib/ckfw/builtins/certdata.txt (search for equifax). You can also check that this root is in the latest Firefox version.

Don't know why curl removed it though.

maxvalentini77 - comment - 10 Mar 2016

@andrepereiradasilva
I added the Equifax Secure CA certificate in the cacert.pem file of the 3.5.0 RC and it works.
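
Added example, not part of the thread or Joomla's code: instead of turning off CURLOPT_SSL_VERIFYPEER, the bundle swap above can be narrowed down by diffing the two cacert.pem files by certificate fingerprint. It assumes the label layout written by curl's mk-ca-bundle (a name line followed by a row of `=`); the sample bundles and helper names are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def parse_bundle(text):
    """Map SHA-256 fingerprint of each certificate's DER bytes to its label."""
    certs, pos = {}, 0
    for m in PEM_RE.finditer(text):
        # The text since the previous certificate carries this one's label.
        pre = [l.strip() for l in text[pos:m.start()].splitlines() if l.strip()]
        label = "(unlabelled)"
        for i, line in enumerate(pre):
            if i > 0 and set(line) == {"="}:   # underline row of '='
                label = pre[i - 1]
        der = base64.b64decode("".join(m.group(1).split()))
        certs[hashlib.sha256(der).hexdigest()] = label
        pos = m.end()
    return certs

def diff_bundles(old_text, new_text):
    """Return (removed, added) root labels going from old bundle to new."""
    old, new = parse_bundle(old_text), parse_bundle(new_text)
    removed = sorted(old[f] for f in old.keys() - new.keys())
    added = sorted(new[f] for f in new.keys() - old.keys())
    return removed, added

def _sample_entry(label, payload):
    # Constructed stand-in: the body is NOT a real X.509 certificate.
    body = base64.b64encode(payload).decode()
    return (f"{label}\n{'=' * len(label)}\n-----BEGIN CERTIFICATE-----\n"
            f"{body}\n-----END CERTIFICATE-----\n\n")

# Constructed bundles mirroring the thread: the newer file lacks one root.
OLD_BUNDLE = ("## constructed header\n\n"
              + _sample_entry("Equifax Secure CA", b"constructed-root-1")
              + _sample_entry("GeoTrust Global CA", b"constructed-root-2"))
NEW_BUNDLE = ("## constructed header\n\n"
              + _sample_entry("GeoTrust Global CA", b"constructed-root-2"))

if __name__ == "__main__":
    removed, added = diff_bundles(OLD_BUNDLE, NEW_BUNDLE)
    print("removed roots:", removed)
    print("added roots:", added)
```

To compare real files, read both cacert.pem copies as text and pass their contents to `diff_bundles`.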

andrepereiradasilva - comment - 10 Mar 2016

@mbabker @wilsonge the problem in this case is discovered (see comments above) and is a simple fix, but involves changing the curl cacert.pem.
So I leave it with the Joomla team for a decision on this.

wilsonge - change - 10 Mar 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-03-10 23:34:20
Closed_By: wilsonge
wilsonge - close - 10 Mar 2016
wilsonge - comment - 10 Mar 2016

I've decided to move us to the centos cacert.pem from the mozilla one. It sucks hard - but we are getting screwed over by github's amazon s3 cert as well at the moment and this solves that problem as well

mbabker - comment - 10 Mar 2016

we are getting screwed over by github's amazon s3 cert as well

Where? They refreshed their certificate last October. Unless there's still a validation issue somewhere that nobody's reported, that's a closed 6-month-old item.

Bakual - comment - 11 Mar 2016

The AmazonS3 cert is fine. We don't have any issues anymore and their root CA is in our cacert.pem file. We were covered for that.
