Problem/Motivation

At some point the Guzzle library was updated, forcing Windows users to manually configure the curl.cainfo setting in order to be able to install Drupal in languages other than English.

As far as I can tell from their GitHub repos, Guzzle used to provide a cacert.pem, but they don't seem to do that anymore. Now, on Windows, libcurl (which is used to drive the curl extension for PHP) can't access Windows's certificate store. It needs this information, however, to check if the SSL certificates provided on https:// URLs are valid. cacert.pem basically contains a dump of the most well-known certificate authorities; these are the companies giving out commercial SSL certificates.

This is the error thrown to the user when trying to install:

The Spanish translation is not available.
The Spanish translation file is not available at the translation server. Choose a different language or select English and translate your website later.

The message is confusing because the real underlying issue is that CURL failed to negotiate SSL when trying to access the translation files.

Proposed resolution

Option A:

If running on a Windows platform, Drupal should verify that curl.cainfo is properly configured and, if not, prompt the user to do so. Other parts of core - such as updates from remote server - are probably also affected by this issue.

Option B:

Provide a cacert.pem file and configure it on the fly if curl.cainfo is not set up.

Remaining tasks

--

User interface changes

--

API changes

(API changes/additions that would affect module, install profile, and theme developers, including examples of before/after code if appropriate.)

Data model changes

None

Original report

Current D8 head cannot be installed on languages other than English on Windows Systems.

The exact failure happens in:

function install_check_localization_server($uri) {
  try {
    \Drupal::httpClient()->head($uri);
    return TRUE;
  }
  catch (RequestException $e) {
    return FALSE;
  }
}

Where trying to get the translation files is throwing this exception:

cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

What is more puzzling is that the URI that it's trying to load is:

http://ftp.drupal.org/files/translations/8.x/drupal/drupal-8.0.0-dev.es.po

After some research I came across this:

https://laracasts.com/discuss/channels/general-discussion/curl-error-60-...

Comments

david_garcia created an issue. See original summary.

david_garcia’s picture

This solution works:

https://laracasts.com/discuss/channels/general-discussion/curl-error-60-...

I had the exact same but on Windows & xampp. My solution was as simple as: Follow this link: http://curl.haxx.se/ca/cacert.pem Copy the entire page and save it in a: "cacert.pem"

Then in your php.ini file insert or edit the following line: curl.cainfo = "[pathtothisfile]\cacert.pem"
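
One way to implement the check proposed in Option A of the issue summary, and to confirm that the php.ini change above took effect. This is an added example, not part of the original thread and not Drupal core code; the function name ca_bundle_status() is hypothetical.

```php
<?php
// Added example, not Drupal core code. ca_bundle_status() is a hypothetical
// helper; it only reads configuration and never disables TLS verification.

/**
 * Reports whether the CA bundle named by curl.cainfo is usable.
 *
 * @param string|null $path
 *   Bundle path to test; defaults to the curl.cainfo value from php.ini.
 *
 * @return array
 *   Keys: ok (bool), path (string), certs (int), message (string).
 */
function ca_bundle_status($path = NULL) {
  if ($path === NULL) {
    // ini_get() returns FALSE when the curl extension is not loaded.
    $path = (string) ini_get('curl.cainfo');
  }
  $result = ['ok' => FALSE, 'path' => $path, 'certs' => 0];
  if ($path === '') {
    return $result + ['message' => 'curl.cainfo is not set in php.ini.'];
  }
  if (!is_file($path) || !is_readable($path)) {
    return $result + ['message' => 'curl.cainfo points to a file PHP cannot read.'];
  }
  // Split the bundle into PEM blocks and count the ones that are still valid.
  preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
    (string) file_get_contents($path), $blocks);
  foreach ($blocks[0] as $pem) {
    if (!function_exists('openssl_x509_parse')) {
      // Without the openssl extension, fall back to counting PEM blocks.
      $result['certs']++;
      continue;
    }
    $info = openssl_x509_parse($pem);
    if ($info !== FALSE && $info['validTo_time_t'] > time()) {
      $result['certs']++;
    }
  }
  $result['ok'] = $result['certs'] > 0;
  $result['message'] = $result['ok']
    ? $result['certs'] . ' usable CA certificates found.'
    : 'The file contains no parsable, unexpired certificates.';
  return $result;
}

// Check the running PHP configuration (restart the web server after edits).
print_r(ca_bundle_status());
```

Run it through the web server rather than the command line, since the two can load different php.ini files.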

cilefen’s picture

What is the version of PHP in this case?

david_garcia’s picture

That was 5.6.15, but I don't believe it's related.

Guzzle used to come with a cacert.pem file, but it does no more.

So there might be two things to do here:

1. Given that on Windows you now need to manually set up curl.cacert to download translations, this might be something to check during install (and tell the user about). Also maybe in the status page.

2. This still does not explain why it is trying to deal with the SSL certificates when the remote URL is not secure (http://ftp.drupal.org/files/translations/8.x/drupal/drupal-8.0.0-dev.es.po)

cilefen’s picture

The reason is that http://ftp.drupal.org/files/translations/8.x/drupal/drupal-8.0.0-dev.es.po redirects to https://ftp.drupal.org/files/translations/8.x/drupal/drupal-8.0.0-dev.es.po.

$ curl http://ftp.drupal.org/files/translations/8.x/drupal/drupal-8.0.0-dev.es.po
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
drupal8x (2502637a)$ curl -L http://ftp.drupal.org/files/translations/8.x/drupal/drupal-8.0.0-dev.es.po
# Spanish translation of Drupal core (8.0.0-beta15)
# Copyright (c) 2015 by the Spanish translation team
#
msgid ""
msgstr ""
"Project-Id-Version: Drupal core (8.0.0-beta15)\n"
"POT-Creation-Date: 2015-10-30 11:36+0000\n"
"PO-Revision-Date: YYYY-mm-DD HH:MM+ZZZZ\n"
"Language-Team: Spanish\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n!=1);\n"

msgid "Forms"
msgstr "Formularios"
...
david_garcia’s picture

Issue summary: View changes
cilefen’s picture

Expanding on #5, and simply for clarity, telnet shows more clearly that it is a redirect to https.

$ telnet ftp.drupal.org 80
Trying 23.235.46.68...
Connected to j.global-ssl.fastly.net.
Escape character is '^]'.
GET /files/translations/8.x/drupal/drupal-8.0.0-dev.es.po
host: ftp.drupal.org

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.8.0
Content-Type: text/html
Location: https://ftp.drupal.org/files/translations/8.x/drupal/drupal-8.0.x.es.po
Via: 1.1 varnish
Content-Length: 160
Accept-Ranges: bytes
Date: Sun, 01 Nov 2015 15:39:03 GMT
Via: 1.1 varnish
Age: 157102
Connection: close
X-Served-By: cache-sea1927-SEA, cache-iad2124-IAD
X-Cache: HIT, HIT
X-Cache-Hits: 1, 1
X-Timer: S1446392343.304881,VS0,VE0

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
Connection closed by foreign host.
david_garcia’s picture

Status: Active » Needs review
FileSize
1.21 KB

Rather than implementing a workaround, giving a proper message about what is going on will do the job.

cilefen’s picture

+++ b/core/modules/system/system.install
@@ -255,6 +255,21 @@ function system_requirements($phase) {
+  if (($phase == 'install' || $phase == 'runtime') && substr(PHP_OS, 0, 3) == 'WIN') {
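
Review bot: The condition on the added if line keys the requirement on the platform, substr(PHP_OS, 0, 3) == 'WIN', rather than on the thing that actually fails. If the body does not already do so, test whether curl.cainfo is empty or points to an unreadable file, so the warning stays quiet on Windows hosts that are already configured and is not tied to an OS string. If the OS test is kept, make it case-insensitive and strict: strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'.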

Could this happen on a non-Windows OS?

david_garcia’s picture

Could this happen on a non-Windows OS?

I don't really know about the inners of the CURL issue, but according to what I've read this will only happen on Windows because on *nix systems CURL is able to retrieve the certificates at the OS level.

anniekvandijk’s picture

Same problem here. Windows 10 MAMP 3.2.0 and Drupal 8.0.2. Only English during installation works.

I think it also affects looking for available updates. When I check for updates I get the error: Failed to get available update data.

Logging:
GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) in GuzzleHttp\Handler\CurlFactory::createRejection() (line 187 of ..... \vendor\guzzlehttp\guzzle\src\Handler\CurlFactory.php).

After following this post and http://www.ambidev.com/category/drupal-8/, I got the problem solved.

liam.dupin’s picture

An issue with not working updates for Drupal 8.0.2 (xampp, win7) solved #13 perfectly (i.e. download cacert.pem, write the path into php.ini and restart server)!

cilefen’s picture

Follow the instructions here: https://www.drupal.org/node/2481341 This is not something to be fixed by Drupal.

cilefen’s picture

If there is consensus to reopen this based on #8, this issue will need a title change.