
How do I call an https (SSL) url from my Symfony2 controller on localhost? I am using the Debril RssAtomBundle bundle to call the Google Blogger API which is only on https, and am not sure how to achieve this from localhost. My Google Blogger API call definitely works as the URL returns the expected blog content in the browser. I want to make sure the code is secure too.

The error I get when calling the URL is:

SSL certificate problem, verify that the CA cert is OK

  • This is not clear to me: "...am not sure how to ... [call the Google Blogger API] from localhost". What do you mean call from localhost? Commented Aug 3, 2014 at 3:07
  • My controller has a method that calls the Google Blogger API. I am using my web application in app_dev.php mode on localhost (localhost/pathname). The Google API is on https and hence the SSL certification error, as my app cannot call https from the localhost domain. Commented Aug 3, 2014 at 4:01

1 Answer

The error I get when calling the URL is:

SSL certificate problem, verify that the CA cert is OK

It sounds like you need to use Google Internet Authority G2 as a trust anchor. In the case of *.blogger.com, it looks like Google's CA is also signed by GeoTrust Global CA:

$ openssl s_client -connect blogger.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.blogger.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 ...

Start Time: 1407035752
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

Once you use the Google CA as a trust anchor, it will verify OK (notice the addition of the -CAfile option):

$ openssl s_client -connect blogger.com:443 -CAfile GIAG2.pem 
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.blogger.com
verify return:1
...

Start Time: 1407035642
Timeout   : 300 (sec)
Verify return code: 0 (ok)

Hint: after you download GIAG2.crt, you will need to convert it from ASN.1/DER to PEM with openssl x509 -in GIAG2.crt -inform DER -out GIAG2.pem -outform PEM.


1 Comment

Why doesn't Google just share the PEM file if that is what is required? What do I do with that file once I have it? Does it just sit in the root of my application? Do I need to configure my Symfony app?
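
One way to use the converted GIAG2.pem from PHP, as an added example that is not part of the original answer and is not the RssAtomBundle's own API: plain cURL with certificate and host name verification left on and the PEM file supplied as the CA file. The helper name `fetchOverTls` and the command-line entry point are assumptions made for illustration.

```php
<?php
// Added example (not from the original answer). fetchOverTls() is a
// hypothetical helper name; GIAG2.pem is the file produced by the
// `openssl x509 ... -outform PEM` conversion described in the answer.

function fetchOverTls($url, $caFile)
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Only https:// URLs are accepted');
    }
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        // Leave both checks on. Setting CURLOPT_SSL_VERIFYPEER to false
        // hides the "verify that the CA cert is OK" error but also accepts
        // any certificate, so the connection is no longer authenticated.
        CURLOPT_SSL_VERIFYPEER => true,    // chain is validated against $caFile
        CURLOPT_SSL_VERIFYHOST => 2,       // certificate name must match host
        CURLOPT_CAINFO         => $caFile, // PEM file with the trusted CA(s)
        CURLOPT_FOLLOWLOCATION => false,   // redirects are not followed
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ));

    $body = curl_exec($ch);
    if ($body === false) {
        // Certificate failures surface here, with curl's errno and message.
        throw new RuntimeException(
            sprintf('Request failed (%d): %s', curl_errno($ch), curl_error($ch))
        );
    }
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body;
}

// Command-line check: php fetch.php <https-url> <path/to/GIAG2.pem>
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    try {
        printf("verified, %d bytes received\n", strlen(fetchOverTls($argv[1], $argv[2])));
    } catch (Exception $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```

Keep the PEM file somewhere the PHP process can read but the web server does not serve, and pass its absolute path to the function.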
