No releases available for package "pecl.php.net/timezonedb"; pear.php.net certificate still expired #11486

Closed
gouh opened this issue Jun 19, 2023 · 23 comments

@gouh

gouh commented Jun 19, 2023

Description:

RUN pecl install timezonedb

No releases available for package "pecl.php.net/timezonedb"

PHP Version

Irrelevant

Operating System

@damianwadley
Member

How about now? Are you able to view https://pecl.php.net/package/timezonedb normally?

@gouh
Author

gouh commented Jun 19, 2023

The site sometimes loads and sometimes it just doesn't show, I have a pipeline on bitbucket and I run the dockerfile locally, but the problem is the same, I just ran the command and the problem persists.

@gouh
Author

gouh commented Jun 20, 2023

@damianwadley
Member

@gouh Yes, there was a very specific problem that happened two years ago, but I wouldn't think that it's related to whatever is happening now.

@gouh
Author

gouh commented Jun 20, 2023

@damianwadley Apparently it is a detail with the expiration of the certificate

https://bugs.php.net/bug.php?id=81078

@damianwadley
Member

Correct, the certificate did expire, but a new one was installed 16 hours ago.
image
(screenshot is UTC-7)

@paulosoares-resale

@damianwadley, in my pipeline and in my local the error still continues. How long does it take to propagate the certificate?

@damianwadley
Member

damianwadley commented Jun 20, 2023

For anyone still having problems: do you have OpenSSL 1.1.0 or later?

The PECL and PEAR certificates are issued by Let's Encrypt, which had a noteworthy change to its certificates in 2021 that would require clients to update their openssl libraries to at least 1.1.0. (I don't know how old the previous certs were...)

<edit> In addition, ensure your system has an updated CA certificates store. </edit>

@paulosoares-resale The certificate was applied on the server. There is no propagation required.

damianwadley changed the title: No releases available for package "pecl.php.net/timezonedb" → No releases available for package "pecl.php.net/timezonedb"; pear.php.net certificate still expired (Jun 20, 2023)

@gouh
Author

gouh commented Jun 21, 2023

Hey guys, I got a response from Derick Rethans.

> This is not a bug with the code of this extension, nor (as far as I can see) with the pecl website. I suspect your local PHP might not support the new Let's Encrypt TLS certificates that the PHP project started using.

php/pecl-datetime-timezonedb#8

In my case, what I did was download the extension and install it manually; I think that will be the only solution.

@kr3niu

kr3niu commented Jun 26, 2023

Hey guys.
This new Let's Encrypt certificate doesn't work on docker PHP 5.6 image. I have a project that I cannot upgrade to PHP 7 right now.
Could you change certificate?
OpenSSL is in latest version

root@18cee0fdd73f:/var/www/html# openssl version
OpenSSL 1.1.0j  20 Nov 2018 (Library: OpenSSL 1.1.0l  10 Sep 2019)
root@18cee0fdd73f:/var/www/html# curl   https://pear.php.net/go-pear.phar
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

I cannot install imagemagick right now. I don't know how to install manually without pecl install

root@18cee0fdd73f:/var/www/html# pecl install pecl.php.net/imagick
No releases available for package "pecl.php.net/imagick"
install failed

Tested right now. 26.06.2023 still we have this problem.

@damianwadley
Member

damianwadley commented Jun 26, 2023

> Could you change certificate?

@kr3niu That is not an option, no.

In addition to OpenSSL 1.1.0, you also need Let's Encrypt's root certificate in your local store. Perhaps your ca-certificates (package or equivalent) needs to be updated?

@reinisalpins

> Hey guys. This new Let's Encrypt certificate doesn't work on docker PHP 5.6 image. I have a project that I cannot upgrade to PHP 7 right now. Could you change certificate? OpenSSL is in latest version
>
> root@18cee0fdd73f:/var/www/html# openssl version
> OpenSSL 1.1.0j  20 Nov 2018 (Library: OpenSSL 1.1.0l  10 Sep 2019)
> root@18cee0fdd73f:/var/www/html# curl   https://pear.php.net/go-pear.phar
> curl: (60) SSL certificate problem: certificate has expired
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> I cannot install imagemagick right now. I don't know how to install manually without pecl install
>
> root@18cee0fdd73f:/var/www/html# pecl install pecl.php.net/imagick
> No releases available for package "pecl.php.net/imagick"
> install failed
>
> Tested right now. 26.06.2023 still we have this problem.

maybe try this- https://stackoverflow.com/questions/76507083/pecl-install-no-releases-available

@gouh
Author

gouh commented Jun 27, 2023

> > Hey guys. This new Let's Encrypt certificate doesn't work on docker PHP 5.6 image. I have a project that I cannot upgrade to PHP 7 right now. Could you change certificate? OpenSSL is in latest version
> >
> > root@18cee0fdd73f:/var/www/html# openssl version
> > OpenSSL 1.1.0j  20 Nov 2018 (Library: OpenSSL 1.1.0l  10 Sep 2019)
> > root@18cee0fdd73f:/var/www/html# curl   https://pear.php.net/go-pear.phar
> > curl: (60) SSL certificate problem: certificate has expired
> > More details here: https://curl.haxx.se/docs/sslcerts.html
> >
> > I cannot install imagemagick right now. I don't know how to install manually without pecl install
> >
> > root@18cee0fdd73f:/var/www/html# pecl install pecl.php.net/imagick
> > No releases available for package "pecl.php.net/imagick"
> > install failed
> >
> > Tested right now. 26.06.2023 still we have this problem.
>
> maybe try this- https://stackoverflow.com/questions/76507083/pecl-install-no-releases-available

@reinisalpins is a good solution, works for me, thanks!

@kr3niu

kr3niu commented Jun 30, 2023

@reinisalpins solution works for me too.

Part of my Dockerfile:

RUN apt-get install -y wget && wget --no-check-certificate https://pecl.php.net/get/imagick-3.6.0.tgz \
    && pecl install --offline ./imagick-3.6.0.tgz \
    && docker-php-ext-enable imagick

I tried to upgrade the CA certificates but this didn't fix my problem. It still produces SSL errors.

@knixeur

knixeur commented Jul 7, 2023

I was able to solve this by removing the offending certificate from the docker image. I'm also in a situation where I cannot upgrade the PHP version and I need timezonedb always up-to-date from PECL.
After removing them PECL works normally.

Reading libressl/portable#692 (comment) led to openbsd/src@3c95f6f

I then ran a grep to see where the cert was on my docker image (php5.6-alpine) and removed it.
Two files required a patch, and two files were the whole certificate.

#12 [web base 4/7] RUN grep -r Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ /etc
#12 0.445 /etc/ssl/cert.pem:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
#12 0.754 /etc/ssl/certs/2e5ac55d.0:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
#12 0.754 /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
#12 0.754 /etc/ssl/certs/ca-certificates.crt:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ

Patch /etc/ssl/certs/ca-certificates.crt

--- /etc/ssl/certs/ca-certificates.crt.ori
+++ /etc/ssl/certs/ca-certificates.crt
@@ -956,27 +956,6 @@
 -----END CERTIFICATE-----
 
 -----BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
-
------BEGIN CERTIFICATE-----
 MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv

Patch /etc/ssl/cert.pem

--- cert.pem.ori
+++ cert.pem
@@ -2182,49 +2182,6 @@
 gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 -----END CERTIFICATE-----
 
-### Digital Signature Trust Co.
-
-=== /O=Digital Signature Trust Co./CN=DST Root CA X3
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Sep 30 21:12:19 2000 GMT
-            Not After : Sep 30 14:01:15 2021 GMT
-        Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
-SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
-SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
-
 ### Disig a.s.
 
 === /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2
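
Review bot: The removed block carries a `SHA256 Fingerprint=` line, which is a better identifier for the certificate than the final base64 line the Dockerfile greps for; checking that fingerprint (or the `Subject:` line) before patching would confirm that only the root with `Not After : Sep 30 14:01:15 2021 GMT` is being dropped. The `@@ -2182,49 +2182,6 @@` offsets and the `### Disig a.s.` trailing context will also stop matching when the base image ships a different cert.pem, so pin the base image or expect to regenerate this patch.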

Then remove the other two files which are the whole cert /etc/ssl/certs/2e5ac55d.0 and /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem

These are the final dockerfile lines, I left the grep line intentionally to debug this if some file is renamed

COPY docker/ca-certificates.patch /tmp
COPY docker/cert.pem.patch /tmp
RUN grep -r Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ /etc
RUN apk update && apk upgrade
RUN patch /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.patch && \
    patch /etc/ssl/cert.pem /tmp/cert.pem.patch && \
    rm /etc/ssl/certs/2e5ac55d.0 && \
    rm /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem
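
Fingerprint-based removal as an alternative to the line-numbered patches in the comment above. This is an added example, not code from the thread; the function names `pem_sha256`, `strip_cert_by_sha256` and `demo` are made up here, and the demo bundle holds constructed placeholder blocks rather than real certificates.

```shell
#!/bin/sh
# Added example (not from the thread). Drops one certificate from a PEM bundle
# by the SHA-256 fingerprint of its DER bytes instead of by line offset.
# Needs only awk, base64 and sha256sum (BusyBox or coreutils).

# Read one PEM block on stdin, print the lowercase hex SHA-256 of its DER bytes.
pem_sha256() {
    grep -v '^-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# strip_cert_by_sha256 BUNDLE FINGERPRINT
# Writes every certificate except the matching one to stdout. Text between
# PEM blocks (comments, "openssl x509 -text" dumps) is not copied.
# Exit status: 0 if at least one certificate was dropped, 1 if none matched.
strip_cert_by_sha256() {
    bundle=$1
    # Accept the colon-separated uppercase form openssl prints, or plain hex.
    want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one numbered file per certificate.
    awk -v dir="$tmp" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%05d.pem", dir, n) }
        out != "" { print > out }
        /^-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    dropped=0
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        if [ "$(pem_sha256 < "$f")" = "$want" ]; then
            dropped=$((dropped + 1))
        else
            cat "$f"
        fi
    done
    rm -rf "$tmp"
    [ "$dropped" -gt 0 ]
}

# Constructed demo: two placeholder blocks (arbitrary bytes, not real X.509).
# Prints how many blocks remain after removing the first one.
demo() {
    b=$(mktemp) || return 2
    for payload in constructed-root-A constructed-root-B; do
        printf '%s\n%s\n%s\n\n' '-----BEGIN CERTIFICATE-----' \
            "$(printf '%s' "$payload" | base64)" '-----END CERTIFICATE-----'
    done > "$b"
    fp=$(printf '%s' constructed-root-A | sha256sum | cut -d' ' -f1)
    strip_cert_by_sha256 "$b" "$fp" | grep -c '^-----BEGIN CERTIFICATE-----'
    rm -f "$b"
}
```

Against a real bundle, the fingerprint to pass is the `SHA256 Fingerprint=` value shown in the cert.pem patch above; write the output to a temporary file and move it over the bundle only if the function returns 0.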

@jamesmcglinn

> > Hey guys. This new Let's Encrypt certificate doesn't work on docker PHP 5.6 image. I have a project that I cannot upgrade to PHP 7 right now. Could you change certificate? OpenSSL is in latest version
> >
> > root@18cee0fdd73f:/var/www/html# openssl version
> > OpenSSL 1.1.0j  20 Nov 2018 (Library: OpenSSL 1.1.0l  10 Sep 2019)
> > root@18cee0fdd73f:/var/www/html# curl   https://pear.php.net/go-pear.phar
> > curl: (60) SSL certificate problem: certificate has expired
> > More details here: https://curl.haxx.se/docs/sslcerts.html
> >
> > I cannot install imagemagick right now. I don't know how to install manually without pecl install
> >
> > root@18cee0fdd73f:/var/www/html# pecl install pecl.php.net/imagick
> > No releases available for package "pecl.php.net/imagick"
> > install failed
> >
> > Tested right now. 26.06.2023 still we have this problem.
>
> maybe try this- https://stackoverflow.com/questions/76507083/pecl-install-no-releases-available

A quick fix for the official Docker PHP 5.6 image is to delete the DST root CA cert:

FROM php:5.6-apache-stretch

RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

That will get pecl install and pear install working again.

If you need wget etc to be able to connect to official PHP servers with those new Let's Encrypt certificates you'll also need to patch /etc/ssl/certs/ca-certificates.crt to remove the DST root cert (as mentioned above by @knixeur).

@derickr
Member

derickr commented Aug 30, 2023

I don't think there is anything to be done on the PHP side here, so I am closing this issue.

derickr closed this as completed Aug 30, 2023
kocsismate unpinned this issue Sep 4, 2023

@trittler

trittler commented Sep 11, 2023

> Correct, the certificate did expire, but a new one was installed 16 hours ago. image (screenshot is UTC-7)

Aaaaaand It's Monday, September 11, 2023 and the certificate expired again 😅
Does anybody know whom to contact for cert renewal on pecl.php.net?

@adrianrudnik

Give me flak for it, but could I get a --insecure flag?

@MarcHagen

MarcHagen commented Sep 11, 2023

@trittler it is known. https://externals.io/message/121040 (or https://news-web.php.net/php.internals/121040)
see: php/web-pecl#93

@BooleanType

BooleanType commented Sep 11, 2023

Today I had the same problem (with apcu package, but package doesn't matter, when something like this happens). It has been fixed later, but I decided not to rely on the intermittent pecl working in future. So here is my solution:

RUN apt-get update -y && apt-get upgrade -y \
&& apt-get install -y ca-certificates \
&& update-ca-certificates \
&& apt install -y --no-install-recommends \
    git \
    ...
    wget \
&& apt-get autoremove -y \
&& docker-php-ext-install \
    intl \
    ...
### SOLUTION IS BELOW. ###
&& pecl channel-update pecl.php.net \
&& { \
    pecl install apcu || ( \
        wget --no-check-certificate https://pecl.php.net/get/APCu -O ./apcu_latest.tgz \
        && pecl install --offline ./apcu_latest.tgz \
        && rm ./apcu_latest.tgz \
    ); \
} \
...

If pecl install apcu is successful, this command is used. This is the preferred command, because dealing with expired certificates by bypassing SSL checks is not recommended for production environments, as it poses security risks.

But we cannot allow certificate outages to disrupt the application. So, if pecl install apcu failed, commands after || are used (download package - latest version in my case, install it and remove downloaded ./apcu_latest.tgz).

@rodolforamos

> A quick fix for the official Docker PHP 5.6 image is to delete the DST root CA cert:
>
> FROM php:5.6-apache-stretch
>
> RUN rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
>
> That will get pecl install and pear install working again.
>
> If you need wget etc to be able to connect to official PHP servers with those new Let's Encrypt certificates you'll also need to patch /etc/ssl/certs/ca-certificates.crt to remove the DST root cert (as mentioned above by @knixeur).

Saved my day!! Thank you!!

@tiagogoncalves-7egend

I found this on Stack Overflow. Finally it solved the problem!

rm /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem && cat /etc/ssl/certs/*.pem > /etc/ssl/certs/ca-certificates.crt && cat /etc/ssl/certs/*.pem > /etc/ssl/cert.pem

https://stackoverflow.com/questions/76507083/pecl-install-no-releases-available#comment136513209_76651916
