Quick Patch for Mailgun PHP API and CA Update

Published by John on January 23, 2018 Under PHP

A client reached out to me today because they were having an issue sending emails on their website. When attempting to send an email using the Mailgun PHP API, the following error occurred:

PHP Fatal error:  Uncaught Guzzle\\Http\\Exception\\CurlException:
[curl] 60: Peer's Certificate issuer is not recognized. /src/Guzzle/Http/Curl/CurlMulti.php

After some debugging, I found that Mailgun recently updated their SSL certificates, and older versions of Guzzle include their own ca-bundle, which was causing a certificate error.

In this case, the site was running an older version of PHP that wasn’t compatible with the latest version of Guzzle, so it wasn’t possible to upgrade immediately (although this will be a project for tomorrow).

Quick Patch

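As a quick fix, I patched Guzzle to stop using the included ca-bundle file. The change below stops Guzzle from using its own CA bundle but still verifies the SSL connection to reduce the risk of eavesdropping. With CURLOPT_CAINFO unset, curl falls back to its default CA store, so verification is only as good as the CA certificates installed on the server.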

In this version of Guzzle, the ca-bundle was loaded in the src/Guzzle/Http/Client.php file. Modify the setSslVerification function and comment out the line that sets the CURLOPT_CAINFO option to load the bundled cacert.pem file.


    final public function setSslVerification($certificateAuthority = true, $verifyPeer = true, $verifyHost = 2)
    {
        $opts = $this->config[self::CURL_OPTIONS] ?: array();

        if ($certificateAuthority === true) {
            // Bundled CA file disabled: with CURLOPT_CAINFO unset, curl uses its default CA store.
            //$opts[CURLOPT_CAINFO] = __DIR__ . '/Resources/cacert.pem';
            // Peer and host name verification stay enabled.
            $opts[CURLOPT_SSL_VERIFYPEER] = true;
            $opts[CURLOPT_SSL_VERIFYHOST] = 2;
        }
        // ... the remainder of the function is unchanged

Another, possibly better, option (especially if you still get an SSL error using the above) would be to replace the ca-bundle that is included with Guzzle with an updated file. The bundled file should be called cacert.pem (or something similar) and is located in a subfolder of Guzzle. You can download a new copy to replace the version in Guzzle here: curl CA.
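To confirm that a stale bundle is the cause of error 60, and that a replacement cacert.pem really contains the missing issuer, the certificate chain can be compared with the bundle offline. The script below is an added example, not code from the original post or from Guzzle; the function names (parsePemCerts, missingIssuers, makeCert) and the sample certificates are constructed for illustration.

```php
<?php
// Added example, not from the original post. Name-based check only: it matches
// issuer DNs to CA subjects and expiry dates; it does not validate signatures.

/** Parse every certificate in a PEM string into openssl_x509_parse() arrays. */
function parsePemCerts($pem)
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    return array_values(array_filter(array_map('openssl_x509_parse', $m[0])));
}

/** Issuers required by $chainPem that $bundlePem lacks or holds only expired. */
function missingIssuers($chainPem, $bundlePem, $now = null)
{
    $now = ($now === null) ? time() : $now;
    $chain = parsePemCerts($chainPem);
    $bundle = parsePemCerts($bundlePem);
    $missing = array();
    foreach ($chain as $i => $cert) {
        $others = $chain;
        unset($others[$i]); // a certificate cannot vouch for itself
        $found = false;
        foreach (array_merge($others, $bundle) as $ca) {
            $found = $found || ($ca['subject'] == $cert['issuer'] && $ca['validTo_time_t'] >= $now);
        }
        if (!$found) {
            $cn = isset($cert['issuer']['CN']) ? $cert['issuer']['CN'] : null;
            $missing[] = is_string($cn) ? $cn : json_encode($cert['issuer']);
        }
    }
    return array_values(array_unique($missing));
}

/** Constructed sample data: throwaway cert, self-signed unless a CA is given. */
function makeCert($cn, $caPem = null, $caKey = null)
{
    $opt = array('digest_alg' => 'sha256', 'private_key_bits' => 2048);
    $key = openssl_pkey_new($opt);
    $csr = openssl_csr_new(array('commonName' => $cn), $key, $opt);
    $x509 = openssl_csr_sign($csr, $caPem, $caKey ? $caKey : $key, 30, $opt);
    openssl_x509_export($x509, $pem);
    return array($pem, $key);
}

list($staleRoot) = makeCert('Constructed Old Root');         // CA in the stale bundle
list($newRoot, $newKey) = makeCert('Constructed New Root');  // CA the server moved to
list($leaf) = makeCert('mail.example.test', $newRoot, $newKey);
print_r(missingIssuers($leaf, $staleRoot));             // checked against the stale bundle
print_r(missingIssuers($leaf, $staleRoot . $newRoot));  // checked against the refreshed bundle
```

In real use, pass the PEM chain the server presents as the first argument and the contents of Guzzle's cacert.pem (or the replacement file) as the second.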

Long term, upgrading PHP and the Mailgun API is of course a better fix, but that usually requires a little testing, so the above can be used as a quick fix.

