OpenSSL Error 14090086 certificate verify failed #1022

Closed
mkortink opened this issue Apr 7, 2017 · 32 comments

@mkortink

mkortink commented Apr 7, 2017

Hi, I am getting the following log and error when trying to send an email via SMTP. This occurs after the server gives the client a `220 TLS go ahead`.

```
Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed [C:\Users\Mark\OneDrive\www\orm\00\02\mailer\class.smtp.php line 368]
```

I have the latest PHPMailer, use autoload, and based my PHP code directly on the smtp example here on GitHub.

How do I fix this?

Thanks

@Synchro
Member

Synchro commented Apr 8, 2017

Right. This is covered extensively in the troubleshooting guide that the error message links you to.

@Synchro Synchro closed this as completed Apr 8, 2017
@mkortink
Author

Synchro was right, I did read the Troubleshooting but didn't recognise the problem was described there. The solution is at

https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting#php-56-certificate-verification-failure

and involves adding

```php
$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);
```

My website is hosted by hostpapa.

Regards

@andris9

andris9 commented Apr 23, 2017

If you run the code locally on your computer, then the most common reason for messed-up TLS certificates is antivirus applications intercepting SMTP traffic. In production it might not be needed to skip certificate validation checks.

@krystyna93

@Synchro I am having the same issue.
The troubleshooting guide does not really help me, being a novice at PHP. How do I check my certificate on a Windows 10 PC terminal as in the given sample:

```
php -i | grep cafile
openssl.cafile => /etc/ssl/cacert.pem => /etc/ssl/cacert.pem
```

The above snippet does not work in my terminal, and how do I even replace the certificate on my mail server???

Please be more specific, or give steps on how to go about it...

Thanks.

@Synchro
Member

Synchro commented Feb 5, 2018

If you can't use php in a Windows terminal, put `<?php phpinfo();` in a .php file and view it via your web server (as you do for all your other PHP scripts). That will show your PHP config, and search on the page for `cafile` and similar items. The reason the docs don't go further is that this isn't a PHPMailer problem - it's a problem with your operating system, and trying to document how to fix operating systems is well outside PHPMailer's responsibility.

Ultimately though it's not complicated - download the CA file from the URL given in the docs, store it somewhere, set that path in your php.ini (there are plenty of PHP docs on how to do that), and restart PHP or your web server (depending on how your PHP deployment works). After that, you should see the new setting in your phpinfo page.

Alternatively, use an operating system that ships up to date CA certificates, and then you don't have to do anything at all.

You don't need to replace the certificate on your mail server - but if you did, the place to look would be in your mail server docs, not here.
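
The check described in the comment above, as an added example that is not part of the original thread or of PHPMailer's own code: a stand-alone PHP script that prints which CA locations PHP will use and then attempts a STARTTLS handshake with verification left on. The host `smtp.example.com`, port 587 and the `cacert.pem` path are placeholders.

```php
<?php
// Added example (not PHPMailer code). $host, $port and $caFile are placeholders.
$host   = 'smtp.example.com';
$port   = 587;
$caFile = __DIR__ . '/cacert.pem'; // assumed path of a downloaded CA bundle

// Read one (possibly multi-line) SMTP reply; its last line has a space after the code.
function smtpReply($fp) {
    $reply = '';
    while (($line = fgets($fp, 515)) !== false) {
        $reply .= $line;
        if (isset($line[3]) && $line[3] === ' ') {
            break;
        }
    }
    return $reply;
}
// 1. What PHP and OpenSSL trust when nothing is set explicitly.
$loc = openssl_get_cert_locations();
echo 'php.ini openssl.cafile: ', ini_get('openssl.cafile') ?: '(no value)', PHP_EOL;
echo 'php.ini openssl.capath: ', ini_get('openssl.capath') ?: '(no value)', PHP_EOL;
echo 'OpenSSL default file:   ', $loc['default_cert_file'], PHP_EOL;
echo 'OpenSSL default dir:    ', $loc['default_cert_dir'], PHP_EOL;
// 2. TLS context with verification left on; add the bundle only if it is present.
$ssl = ['verify_peer' => true, 'verify_peer_name' => true,
        'allow_self_signed' => false, 'peer_name' => $host, 'capture_peer_cert' => true];
if (is_readable($caFile)) {
    $ssl['cafile'] = $caFile;
}
$ctx = stream_context_create(['ssl' => $ssl]);
// 3. Connect in plain text, issue STARTTLS, then upgrade the socket.
$fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 15, STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    exit("Connect failed: $errstr ($errno)" . PHP_EOL);
}
smtpReply($fp); // server greeting
fwrite($fp, "EHLO localhost\r\n");
smtpReply($fp);
fwrite($fp, "STARTTLS\r\n");
if (strpos(smtpReply($fp), '220') !== 0) {
    exit('Server did not accept STARTTLS' . PHP_EOL);
}
$method = STREAM_CRYPTO_METHOD_TLS_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
if (@stream_socket_enable_crypto($fp, true, $method)) {
    $cert = openssl_x509_parse(stream_context_get_options($fp)['ssl']['peer_certificate']);
    echo 'Verified. Subject CN: ', $cert['subject']['CN'] ?? '?', PHP_EOL;
} else {
    echo 'Verification failed: ', error_get_last()['message'] ?? 'unknown', PHP_EOL;
}
```

If the handshake verifies only when the bundle file is present, point `openssl.cafile` in php.ini at that file and restart PHP, as described above, rather than turning verification off.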

@krystyna93

krystyna93 commented Feb 5, 2018

@Synchro Ok.
This seems much more understandable.

I have Windows 10 OS, so it should have an up-to-date CA certificate, yes?

I will test your directions out on my localhost.
However, what happens when I migrate this file to a hosted domain? Will I have the same issue?
By the way, when you refer to the mail server docs, do you mean in my instance, Gmail?

Thanks.

@Synchro
Member

Synchro commented Feb 5, 2018

Windows certainly should have up to date certs - make sure you've applied all system updates - but it still may not. PHP normally gets CA certs from the OS, but what I've described above is a PHP-specific fix.

You may have the same problem on your hosted domain, and you may need to do the same thing on there - but I can't tell. If you don't have full access (e.g. you're on shared hosting), you should request support from your hosting provider.

@krystyna93

@Synchro Wow, I checked my phpinfo file and it seems there is no set value, it's empty!

```
Directive        Local Value   Master Value
openssl.cafile   no value      no value
openssl.capath   no value      no value
```

Is this abnormal??

@Synchro
Member

Synchro commented Feb 5, 2018

No, that's normal - it just means it's not been set explicitly, and so will fall back to using your OS.

@krystyna93

@Synchro Oh right, okay.
Well, thank you for your help.

@husseinsheikh

husseinsheikh commented Mar 10, 2018

In which file do we need to write this code?

```php
$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);
```

@Synchro
Member

Synchro commented Mar 10, 2018

As I say above, you should not have to do that at all - fix your TLS setup first. But if you insist on doing it, it should go in your own code, in the same place you use PHPMailer.

@husseinsheikh

I am getting this error
```
et_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
```

The hosting company has no clue how to fix this.

Is there any DNS entry that needs to be done to fix this as well?

@Synchro
Member

Synchro commented Mar 10, 2018

Read the troubleshooting guide. It tells you how to diagnose and fix this.

@husseinsheikh

My certificate location on cPanel is ssl/certs but I can't find the code you mentioned below:

```
php -i | grep cafile
openssl.cafile => /etc/ssl/cacert.pem => /etc/ssl/cacert.pem
```

In which file is this?

@husseinsheikh

I am not using the SMTP method but still getting this error message as below

```
[10-Mar-2018 19:23:35 UTC] PHP Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /home/username/public_html/domainname/wp-includes/class-smtp.php on line 369
```

@Synchro
Member

Synchro commented Mar 10, 2018

You must be using SMTP or you would not get that error. If you run `php -i|grep ini`, it will show you where all the config files are that PHP reads from.

@husseinsheikh

husseinsheikh commented Mar 11, 2018

Where do I run this command from? I am on cPanel hosting. Any idea in which file the SMTP details would be, as I don't seem to find any file with username or password contained in it, considering it was working previously and not on the new hosting?

@Synchro
Member

Synchro commented Mar 11, 2018

I have no idea about cpanel or your hosting - ask them. I would expect you to be able to get to a `phpinfo()` page which will tell you the same thing as `php -i` on a command line, but you'll need to read cpanel docs for that, or just put it in a PHP file and upload it as you do your other PHP files.

@husseinsheikh

husseinsheikh commented Mar 11, 2018

I managed to view the openssl config details using the PHP code below - any idea how to update the value on it?

```php
<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>
```

```
openssl.cafile = no value
openssl.capath = no value
```

Any way to update it via SSH access command line?

@husseinsheikh

It looks like my code already has what you suggested, but I am still getting the same error:

```php
if ($controls->data['ssl_insecure'] == 1) {
    $mail->SMTPOptions = array(
        'ssl' => array(
            'verify_peer' => false,
            'verify_peer_name' => false,
            'allow_self_signed' => true
        )
    );
}
```

@husseinsheikh

@Synchro I have noticed that it might be due to the path for the ca-bundle.crt file located on the server which is not verifying? located under public_html/wp-includes/certificates/ca-bundle.crt

@husseinsheikh

husseinsheikh commented Mar 12, 2018

I am getting the error twice so I think it is failing at two different lines

```
[12-Mar-2018 17:49:25 UTC] PHP Warning:  stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /home/public_html/wp-includes/class-smtp.php on line 369
[12-Mar-2018 17:49:31 UTC] PHP Warning:  stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /home/public_html/wp-includes/class-smtp.php on line 369
```

@Synchro
Member

Synchro commented Mar 12, 2018

No, that's the same failure happening twice in the same place; you must be causing it to be run twice. Look at the timestamps - they are several seconds apart.

Do what the guide says - alter your PHP config to point at a fresh download of the CA certs - how you actually do that is something you need to find out from your control panel; it's not something I know about.

@husseinsheikh

@Synchro I have switched to `public $Mailer = 'mail';` and am not getting any error message, but PHPMailer is not working either, as I am not getting any email through. I tried your solution as well but still can't make it work. Can you FTP in and look into this for me?

@Synchro
Member

Synchro commented Mar 12, 2018

If you switch to mail, it won't use SMTP at all but will send via a sendmail binary that talks to your local mail server. All errors relating to that will be in your mail server logs, just as the troubleshooting guide says. No, I can't fix your server for you - and you do have a server problem, not a PHPMailer problem.

@husseinsheikh

@Synchro it is a GoDaddy shared hosting account, and they have no clue and wouldn't help on this. I have configured the SMTP with the username and password and the host IP address now; it doesn't give any error message but still no message is going through. Anyway, thanks for replying on this.

@Synchro
Member

Synchro commented Mar 12, 2018

Seriously? The troubleshooting guide has specific comments on GoDaddy because they block outbound SMTP. If you won't read the docs I point you at, I'm not going to write the same thing here so you can ignore that too.

@husseinsheikh

@Synchro I have followed your documentation as mentioned earlier and get no errors - but I don't get any email as well from the form so not sure what's happening.

@Synchro
Member

Synchro commented Mar 12, 2018

If you're talking to an SMTP server, you will see what happens to the message if you have `SMTPDebug = 2` set. If you're using `mail()`, it will be in your mail server logs. Those are the only two possibilities, and both are covered in the docs.

@narutojone

Hi @Synchro, thanks for your help.
But it doesn't work in PHP version 7. Do you know how to use PHPMailer in PHP 7?

@Synchro
Member

Synchro commented Mar 19, 2018

PHPMailer works fine in PHP 7. If it's not working for you, you need to be more precise, and don't hijack closed, unrelated issues.

@PHPMailer PHPMailer locked as resolved and limited conversation to collaborators Mar 19, 2018