SSL certificate problem: unable to get local issuer certificate (with new information)

[vesper8]

On my dev environment (Mac) I used to be able to use laravel-websockets without any issues. Recently after running some updates things stopped working and I am now getting the

SSL certificate problem: unable to get local issuer certificate error.

I've been trying to troubleshoot this issue and found a lot of new information which doesn't seem to be mentioned on the multiple other SSL threads so I thought I would share here to help us all come to an answer.

#864 #845 #815 #792 #760 #753 #743 #732 #680

First of all, it should be noted that curl_options was deprecated as of 6.0.0 of pusher/pusher-php-server.

https://github.com/pusher/pusher-http-php/blob/master/CHANGELOG.md

I checked my version and I'm on 7.0.1. This is on the project doing the broadcasting. On the project hosting the laravel-websockets package it's on 5.0.3

So all solutions pointing to the "old way" of circumventing this issue by using, provided you're using ^6.0

    'curl_options' => [
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_SSL_VERIFYPEER => 0,
    ],

... are now obsolete

In debugging the issue, I noticed that if I modify this file vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php and add

$options['verify'] = false;

inside the __invoke method.

Then the problem goes away.

The only remaining issue now is that I'm at a loss of how to set this verify=false in any of the configuration files.

Even though pusher has deprecated curl_options, I can't find any information yet on how we are supposed to disable verification following this deprecation.

Hopefully this new information leads us to answer as I see many people struggling with this issue right now

[vesper8]

I should add that downgrading pusher/pusher-php-server from ^7.0 to ^5.0 on the project doing the broadcasting also makes this error go away, since this version does support curl_options

[vesper8]

I opened an issue on pusher/pusher-php-server and quickly received an answer that there is no workaround

pusher/pusher-http-php#313 (comment)

I guess forking Guzzle itself and adding an optional configuration to allow for slipping in $options['verify'] = false; in there is a possible workaround

For now it seems like reverting to ^5.0 is the easiest solution

[rennokki]

@vesper8 I think that having Pusher 6.x+ and passing a client instance when creating the Pusher\Pusher instance is much better than extending the entire class :)

• Add this to broadcasting:

    'options' => [
        // ...
    ],
    'client_options' => [
        'verify' =>true, // to disable TLS checks
    ],

• Extend the Illuminate\Broadcasting\BroadcastManager to create Pusher with client options:

namespace App;

use Illuminate\Broadcasting\Broadcasters\PusherBroadcaster;
use Illuminate\Broadcasting\BroadcastManager as BaseBroadcastManager;
use Psr\Log\LoggerInterface;
use Pusher\Pusher;

class TlsSupportingBroadcastManager extends BaseBroadcastManager
{
    protected function createPusherDriver(array $config)
    {
        $pusher = new Pusher(
            $config['key'], $config['secret'],
            $config['app_id'], $config['options'] ?? [],
            new \GuzzleHttp\Client($config['client_options']) ?? []
        );

        if ($config['log'] ?? false) {
            $pusher->setLogger($this->app->make(LoggerInterface::class));
        }

        return new PusherBroadcaster($pusher);
    }
}

• Re-instantiate the BroadcastManager at runtime:

namespace App\Providers;

use App\TlsSupportingBroadcastManager;

class BroadcastingServiceProvider extends ServiceProvider
{
    public function register()
    {
        $this->app->singleton(BroadcastManager::class, function ($app) {
            return new TlsSupportingBroadcastManager($app);
        });
    }
}

[ckr0n]

I have the same problem. i make the like @rennokki suggest but it doesnt work for me. When i start th websockets serve i see the connections to chanel. But when i try to send event from dashboard it throws an Error sending event.
exception: "GuzzleHttp\\Exception\\RequestException" file: "/var/www/ckr0n/data/www/test.compit.tech/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php" line: 211 message: "cURL error 60: SSL certificate problem: unable to get local issuer certificate

bootstrap.js

• import Echo from 'laravel-echo';
  window.Pusher = require('pusher-js');
  window.Echo = new Echo({
  broadcaster: 'pusher',
  key: process.env.MIX_PUSHER_APP_KEY,
  wsHost: window.location.hostname,
  wsPort: 6001,
  wssPort: 6001,
  disableStats: true,
  forceTLS: true, //возможно для обхода wss поставить false
  encrypted: true, //и здесь тоже
  enabledTransports: ['ws', 'wss']

broadcasting.php

•    'pusher' => [
        'driver' => 'pusher',
        'key' => env('PUSHER_APP_KEY'),
        'secret' => env('PUSHER_APP_SECRET'),
        'app_id' => env('PUSHER_APP_ID'),
        'options' => [
            'cluster' => env('PUSHER_APP_CLUSTER'),
            'host' => '127.0.0.1',
            'port' => 6001,
            'scheme' => 'https',
        ],
        'client_options' => [
            'verify' => true, // to disable TLS checks
        ],
  

Pusher 7.0.2
Is there any ideas how to fix it. Or is it better to downgrade Pusher to 5.0?

[thegr8awais]

Any update guys?

[ckr0n]

In my case i had to downgrade Pusher to v5.0.3 and it work for me.

[yourjhay]

Experiencing this also on Ubuntu 20.4
when using Laravel 8 Brodcasting
currently using certificate from GlobalSign RSA OV SSL CA 2018

[anditsung]

@vesper8 I think that having Pusher 6.x+ and passing a client instance when creating the Pusher\Pusher instance is much better than extending the entire class :)

• Add this to broadcasting:

    'options' => [
        // ...
    ],
    'client_options' => [
        'verify' =>true, // to disable TLS checks
    ],

• Extend the Illuminate\Broadcasting\BroadcastManager to create Pusher with client options:

namespace App;

use Illuminate\Broadcasting\Broadcasters\PusherBroadcaster;
use Illuminate\Broadcasting\BroadcastManager as BaseBroadcastManager;
use Psr\Log\LoggerInterface;
use Pusher\Pusher;

class TlsSupportingBroadcastManager extends BaseBroadcastManager
{
    protected function createPusherDriver(array $config)
    {
        $pusher = new Pusher(
            $config['key'], $config['secret'],
            $config['app_id'], $config['options'] ?? [],
            new \GuzzleHttp\Client($config['client_options']) ?? []
        );

        if ($config['log'] ?? false) {
            $pusher->setLogger($this->app->make(LoggerInterface::class));
        }

        return new PusherBroadcaster($pusher);
    }
}

• Re-instantiate the BroadcastManager at runtime:

namespace App\Providers;

use App\TlsSupportingBroadcastManager;

class BroadcastingServiceProvider extends ServiceProvider
{
    public function register()
    {
        $this->app->singleton(BroadcastManager::class, function ($app) {
            return new TlsSupportingBroadcastManager($app);
        });
    }
}

this fix only available for laravel v9

[LingaTigeen]

I had the same issue. I downloaded the https://curl.se/ca/cacert.pem as per https://curl.se/docs/caextract.html and added to my php.ini

[curl]
curl.cainfo = "C:\xampp\php\extras\ssl\cacert.pem"

[openssl]
openssl.cafile = "C:\xampp\php\extras\ssl\cacert.pem"

No need to have the 'client_options' in broadcasting.php

[bilalsheikh1]

In my case i had to downgrade Pusher to v5.0.3 and it work for me.

is it pusher-server or pusher js

[vesper8]

In my case i had to downgrade Pusher to v5.0.3 and it work for me.

is it pusher-server or pusher js

The service you have to downgrade is the php dependency pusher/pusher-php-server using Composer

https://packagist.org/packages/pusher/pusher-php-server

You do not have to downgrade the client-side https://www.npmjs.com/package/pusher-js

[YassineChe]

Any update?

[ven0ms99]

I'm wondering as well. Having to use such an old version of pusher/pusher-php-server cannot be the solution here.