SSL Certificate issue with connecting to other sites

Hi,

I realize that this issue was brought up on and off in a number of previous queries (https://forum.omeka.org/t/omeka-s-and-https/10596) and that it is not an Omeka issue per se, but I am looking to find some guidance to pass on to our IT team that has access to the server that runs Omeka.

Basically, every time I try to import a media image from another site, or even when I try to use something like the Value Suggest module, I get an error like the one below.

ErrorException: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /data/www/omeka-s/vendor/laminas/laminas-http/src/Client/Adapter/Socket.php:320
Stack trace:
#0 [internal function]: Laminas\Stdlib\ErrorHandler::addError(2, 'stream_socket_e...', '/data/www/omeka...', 320, Array)
#1 /data/www/omeka-s/vendor/laminas/laminas-http/src/Client/Adapter/Socket.php(320): stream_socket_enable_crypto(Resource id #1014, true, 57)
#2 /data/www/omeka-s/vendor/laminas/laminas-http/src/Client.php(1445): Laminas\Http\Client\Adapter\Socket->connect('en.wikipedia.or...', 443, true)
#3 /data/www/omeka-s/vendor/laminas/laminas-http/src/Client.php(945): Laminas\Http\Client->doRequest(Object(Laminas\Uri\Http), 'GET', true, Array, '')
#4 /data/www/omeka-s/application/src/File/Downloader.php(64): Laminas\Http\Client->send()
#5 /data/www/omeka-s/application/src/Media/Ingester/Url.php(63): Omeka\File\Downloader->download(Object(Laminas\Uri\Http), Object(Omeka\Stdlib\ErrorStore))
#6 /data/www/omeka-s/application/src/Api/Adapter/MediaAdapter.php(159): Omeka\Media\Ingester\Url->ingest(Object(Omeka\Entity\Media), Object(Omeka\Api\Request), Object(Omeka\Stdlib\ErrorStore))
#7 /data/www/omeka-s/application/src/Api/Adapter/AbstractEntityAdapter.php(590): Omeka\Api\Adapter\MediaAdapter->hydrate(Object(Omeka\Api\Request), Object(Omeka\Entity\Media), Object(Omeka\Stdlib\ErrorStore))
#8 /data/www/omeka-s/application/src/Api/Adapter/ItemAdapter.php(240): Omeka\Api\Adapter\AbstractEntityAdapter->hydrateEntity(Object(Omeka\Api\Request), Object(Omeka\Entity\Media), Object(Omeka\Stdlib\ErrorStore))
#9 /data/www/omeka-s/application/src/Api/Adapter/AbstractEntityAdapter.php(590): Omeka\Api\Adapter\ItemAdapter->hydrate(Object(Omeka\Api\Request), Object(Omeka\Entity\Item), Object(Omeka\Stdlib\ErrorStore))
#10 /data/www/omeka-s/application/src/Api/Adapter/AbstractEntityAdapter.php(318): Omeka\Api\Adapter\AbstractEntityAdapter->hydrateEntity(Object(Omeka\Api\Request), Object(Omeka\Entity\Item), Object(Omeka\Stdlib\ErrorStore))
#11 /data/www/omeka-s/application/src/Api/Manager.php(224): Omeka\Api\Adapter\AbstractEntityAdapter->create(Object(Omeka\Api\Request))
#12 /data/www/omeka-s/application/src/Api/Manager.php(78): Omeka\Api\Manager->execute(Object(Omeka\Api\Request))
#13 /data/www/omeka-s/application/src/Api/Adapter/AbstractEntityAdapter.php(363): Omeka\Api\Manager->create('items', Array, Array, Array)
#14 /data/www/omeka-s/application/src/Api/Manager.php(227): Omeka\Api\Adapter\AbstractEntityAdapter->batchCreate(Object(Omeka\Api\Request))
#15 /data/www/omeka-s/application/src/Api/Manager.php(97): Omeka\Api\Manager->execute(Object(Omeka\Api\Request))
#16 /data/www/omeka-s/modules/CSVImport/src/Job/Import.php(355): Omeka\Api\Manager->batchCreate('items', Array, Array, Array)
#17 /data/www/omeka-s/modules/CSVImport/src/Job/Import.php(255): CSVImport\Job\Import->create(Array)
#18 /data/www/omeka-s/modules/CSVImport/src/Job/Import.php(194): CSVImport\Job\Import->processBatchData(Array)
#19 /data/www/omeka-s/application/src/Job/DispatchStrategy/Synchronous.php(34): CSVImport\Job\Import->perform()
#20 /data/www/omeka-s/modules/Log/src/Job/Dispatcher.php(32): Omeka\Job\DispatchStrategy\Synchronous->send(Object(Omeka\Entity\Job))
#21 /data/www/omeka-s/application/data/scripts/perform-job.php(44): Log\Job\Dispatcher->send(Object(Omeka\Entity\Job), Object(Log\Job\DispatchStrategy\Synchronous))
#22 {main}

Next Laminas\Http\Client\Adapter\Exception\RuntimeException: Unable to enable crypto on TCP connection en.wikipedia.org in /data/www/omeka-s/vendor/laminas/laminas-http/src/Client/Adapter/Socket.php:350
Stack trace:
#0 /data/www/omeka-s/vendor/laminas/laminas-http/src/Client.php(1445): Laminas\Http\Client\Adapter\Socket->connect('en.wikipedia.or...', 443, true)
#1 /data/www/omeka-s/vendor/laminas/laminas-http/src/Client.php(945): Laminas\Http\Client->doRequest(Object(Laminas\Uri\Http), 'GET', true, Array, '')
#2 /data/www/omeka-s/application/src/File/Downloader.php(64): Laminas\Http\Client->send()
#3 /data/www/omeka-s/application/src/Media/Ingester/Url.php(63): Omeka\File\Downloader->download(Object(Laminas\Uri\Http), Object(Omeka\Stdlib\ErrorStore))
#4 /data/www/omeka-s/application/src/Api/Adapter/MediaAdapter.php(159): Omeka\Media\Ingester\Url->ingest(Object(Omeka\Entity\Media), Object(Omeka\Api\Request), Object(Omeka\Stdlib\ErrorStore))
#5 /data/www/omeka-s/application/src/Api/Adapter/AbstractEntityAdapter.php(590): Omeka\Api\Adapter\MediaAdapter->hydrate(Object(Omeka\Api\Request), Object(Omeka\Entity\Media), Object(Omeka\Stdlib\ErrorStore))
#6 /data/www/omeka-s/application/src/Api/Adapter/ItemAdapter.php(240): Omeka\Api\Adapter\AbstractEntityAdapter->hydrateEntity(Object(Omeka\Api\Request), Object(Omeka\Entity\Media), Object(Omeka\Stdlib\ErrorStore))
#7 /data/www/omeka-s/application/src/Api/Adapter/AbstractEntityAdapter.php(590): Omeka\Api\Adapter\ItemAdapter->hydrate(Object(Omeka\Api\Request), Object(Omeka\Entity\Item), Object(Omeka\Stdlib\ErrorStore))
#8 /data/www/omeka-s/application/src/Api/Adapter/AbstractEntityAdapter.php(318): Omeka\Api\Adapter\AbstractEntityAdapter->hydrateEntity(Object(Omeka\Api\Request), Object(Omeka\Entity\Item), Object(Omeka\Stdlib\ErrorStore))
#9 /data/www/omeka-s/application/src/Api/Manager.php(224): Omeka\Api\Adapter\AbstractEntityAdapter->create(Object(Omeka\Api\Request))
#10 /data/www/omeka-s/application/src/Api/Manager.php(78): Omeka\Api\Manager->execute(Object(Omeka\Api\Request))
#11 /data/www/omeka-s/application/src/Api/Adapter/AbstractEntityAdapter.php(363): Omeka\Api\Manager->create('items', Array, Array, Array)
#12 /data/www/omeka-s/application/src/Api/Manager.php(227): Omeka\Api\Adapter\AbstractEntityAdapter->batchCreate(Object(Omeka\Api\Request))
#13 /data/www/omeka-s/application/src/Api/Manager.php(97): Omeka\Api\Manager->execute(Object(Omeka\Api\Request))
#14 /data/www/omeka-s/modules/CSVImport/src/Job/Import.php(355): Omeka\Api\Manager->batchCreate('items', Array, Array, Array)
#15 /data/www/omeka-s/modules/CSVImport/src/Job/Import.php(255): CSVImport\Job\Import->create(Array)
#16 /data/www/omeka-s/modules/CSVImport/src/Job/Import.php(194): CSVImport\Job\Import->processBatchData(Array)
#17 /data/www/omeka-s/application/src/Job/DispatchStrategy/Synchronous.php(34): CSVImport\Job\Import->perform()
#18 /data/www/omeka-s/modules/Log/src/Job/Dispatcher.php(32): Omeka\Job\DispatchStrategy\Synchronous->send(Object(Omeka\Entity\Job))
#19 /data/www/omeka-s/application/data/scripts/perform-job.php(44): Log\Job\Dispatcher->send(Object(Omeka\Entity\Job), Object(Log\Job\DispatchStrategy\Synchronous))
#20 {main}

This does not happen if I try to import YouTube videos, for example.

In our config file we do have the following:

    'http_client' => [
        'sslcapath' => '/etc/apache2/ssl',
        'sslcafile' => '/etc/apache2/ssl/ibali_uct_ac_za_interm.cer',
    ],

When we did get a certificate we did change the domain name from showcase to ibali, and I am not sure if this might be the issue. I did also come across this, and am not sure if the issue might be in the PHP: https://simplerisk.freshdesk.com/support/solutions/articles/6000222776-how-to-correct-ssl-verification-issues-with-simplerisk or something like this where the certificate is incomplete: https://stackoverflow.com/questions/49308744/telegram-bot-ssl-error-ssl-error-error1416f086ssl-routinestls-process-serve

If you have any pointers, they would be much appreciated so that I can forward them to the IT team to adjust. Many thanks.

We are running:

Omeka S
Version	3.0.1
PHP
Version	7.2.34-18+ubuntu18.04.1+deb.sury.org+1
SAPI	apache2handler
Memory Limit	256M
POST Size Limit	256M
File Upload Limit	1024M
Garbage Collection	Yes
Extensions	apache2handler, bz2, calendar, Core, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gettext, hash, iconv, json, libxml, mbstring, mysqli, mysqlnd, openssl, pcre, PDO, pdo_mysql, Phar, posix, readline, Reflection, session, shmop, SimpleXML, sockets, sodium, SPL, standard, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, Zend OPcache, zip, zlib
Disabled Functions	, pcntl_alarm, pcntl_async_signals, pcntl_exec, pcntl_fork, pcntl_getpriority, pcntl_get_last_error, pcntl_setpriority, pcntl_signal, pcntl_signal_dispatch, pcntl_signal_get_handler, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifcontinued, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig
MySQL
Server Version	5.7.33-0ubuntu0.18.04.1
Client Version	mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $
Mode	ONLY_FULL_GROUP_BY, STRICT_TRANS_TABLES, NO_ZERO_IN_DATE, NO_ZERO_DATE, ERROR_FOR_DIVISION_BY_ZERO, NO_AUTO_CREATE_USER, NO_ENGINE_SUBSTITUTION
OS
Version	Linux 5.4.0-70-generic x86_64

For most systems, you don’t need to set those sslcapath or sslcafile settings, and at any rate, you really only need one or the other, and not both.

It looks like you may have pointed the sslcafile setting at your site’s certificate: that’s not what you want to do with it. Both of these settings are to point at the certificates on the server for “trusted” CAs. Setting it to just your own certificate is likely to have you essentially “trusting” nobody and getting this error whenever you try to use https.

Just removing those http_client settings completely may fix the problem. If not, they can be fixed to point to the folder or bundle of CA certificates on your server, rather than your own certificate.

Hi @jflatnes,

Thanks for that explanation. We have tried the solutions you have proposed but we are still getting the same error. If we take out both, it says:

Error downloading https://upload.wikimedia.org/wikipedia/commons/e/ef/Annie_Lennox_SING_campaign%2C_Vienna_2010_b.jpg: Unable to enable crypto on TCP connection upload.wikimedia.org: make sure the "sslcafile" or "sslcapath" option are properly set for the environment.

If we just leave 'sslcapath' => '/etc/apache2/ssl', we get the same:

ErrorException: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /data/www/omeka-s/vendor/laminas/laminas-http/src/Client/Adapter/Socket.php:320

Anything else we could try?

OK, if you can’t find (or don’t have) the right CA certificates on your server, here’s an option:

Download a bundle of the CA certificates extracted from Firefox. The curl project hosts a copy; download “cacert.pem” from that page.

Put it somewhere on your server and point the sslcafile setting to it. Don’t set sslcapath, or set it to null.
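
An added diagnostic, not part of the original posts and not Omeka S or Laminas code: this PHP script reports whether the file configured as sslcafile actually contains root CA certificates, then attempts a verified handshake with it, which is the step that fails in stream_socket_enable_crypto() in the trace above. The script name check_ca.php and both command-line arguments are assumptions; it targets the PHP 7.2 CLI with the openssl extension.

```php
<?php
// Added example. Assumed usage (file name and arguments are hypothetical):
//   php check_ca.php /path/to/cacert.pem upload.wikimedia.org

/** Parse every certificate in a PEM file and flag CA / self-signed entries. */
function describeBundle(string $pemPath): array
{
    $pem = file_get_contents($pemPath);
    if ($pem === false) {
        throw new RuntimeException("Cannot read $pemPath");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $out = [];
    foreach ($m[0] as $block) {
        $c = openssl_x509_parse($block);
        if ($c === false) {
            continue; // skip blocks OpenSSL cannot parse
        }
        $bc = $c['extensions']['basicConstraints'] ?? '';
        $out[] = [
            'isCa'       => strpos($bc, 'CA:TRUE') !== false,
            'selfSigned' => $c['subject'] == $c['issuer'],
        ];
    }
    return $out;
}

/** Attempt a TLS handshake with peer verification, using $caFile as the CA file. */
function handshakeOk(string $host, string $caFile): bool
{
    $ctx = stream_context_create(['ssl' => [
        'cafile'           => $caFile,
        'verify_peer'      => true,
        'verify_peer_name' => true,
    ]]);
    $s = @stream_socket_client("ssl://$host:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($s === false) {
        return false; // includes "certificate verify failed"
    }
    fclose($s);
    return true;
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $certs = describeBundle($argv[1]);
    $roots = array_filter($certs, function ($c) { return $c['isCa'] && $c['selfSigned']; });
    printf("%d certificate(s), %d self-signed CA root(s)\n", count($certs), count($roots));
    printf("Handshake with %s: %s\n", $argv[2], handshakeOk($argv[2], $argv[1]) ? 'verified' : 'FAILED');
}
```

A file that reports zero self-signed CA roots is a site or intermediate certificate rather than a trust bundle, which is the misconfiguration described in the first reply.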

Thanks so much, that seemed to do the trick for the importing of media from other sites! Thanks.

As for the Value Suggest module, it seems that disabling the Wikidata module has enabled Value Suggest to work; I need to find out what might be the issue there (https://github.com/nishad/omeka-s-wikidata/issues/3).

Thanks for helping out with the certificates even though it is beyond Omeka S. So appreciated.