Using Tickers, Forecast, Twitter and other external resources that make use of HTTPS connections

It is easy to reference and use external sources in Xibo widgets such as Tickers; however, special consideration may be needed when referencing resources provided over SSL (anything with HTTPS at the front of the address).

Symptoms

You have added a Ticker/Twitter/Forecast media item which references a feed or uses resources served over HTTPS and nothing is shown. You have checked the logs and note a message similar to:

SSL certificate problem, verify that the CA cert is OK

or

Unable to reach Forecast API. No Host Found (HTTP Code 0). Curl Error = SSL certificate problem: unable to get local issuer certificate

The message originates from something called curl.

Explanation

curl is a PHP extension which allows the CMS to download resources from external sources like the Internet or a Local Network.

Any time Xibo uses curl it makes sure that it “Verifies the Peer”. In basic terms this means it checks to ensure whoever supplies the data is who they say they are.

Xibo does this because if something is served over HTTPS then it is reasonable to assume the returned information is sensitive and that it should be protected and verified.

The certificate problem error occurs because curl uses a bundle of “CA root certificates” to perform the verification and these certificates are missing on some installations. For example, these certificates are almost always missing on Windows installations.

Resolution Windows Servers

The web server that hosts the CMS needs to be updated with the latest CA root certificates. This may sound complicated, but is actually very easy.

  1. Download the latest CA root certificate from the curl website and save it to your server drive as, for example, c:\php\cacert.pem.
  2. Edit the php.ini file for your PHP installation to tell curl where the root certificate is located. You will be adding a line that looks like curl.cainfo=c:\php\cacert.pem. If a similar line already exists, edit it to point to the correct location and ensure that it isn’t commented out. If the line doesn’t already exist, simply add a new line to the end of the file.
  3. Restart the web server.

If these steps still produce the same error, then the certificate signing the resource you have requested is invalid and you actually want the error to be thrown to protect your data.
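To check the result of the steps above, the following added example (not part of Xibo or the original article) reports which php.ini is loaded, what curl.cainfo points to, and whether an HTTPS request succeeds with peer verification left on. The file name check_ca.php and the default URL are placeholders; the command-line PHP may load a different php.ini than the web server, so compare the path it prints.

```php
<?php
// Added diagnostic, not Xibo code. Usage: php check_ca.php https://your-feed-url/
// The default URL below is a placeholder; pass the feed or API address you use.
$url = $argv[1] ?? 'https://example.com/';

if (!extension_loaded('curl')) {
    echo 'The curl extension is not loaded in this PHP installation', PHP_EOL;
    exit(2);
}

// Step 2 of the procedure: which php.ini is in effect, and is curl.cainfo set?
echo 'Loaded php.ini : ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
$caInfo = (string) ini_get('curl.cainfo');
echo 'curl.cainfo    : ', $caInfo !== '' ? $caInfo : '(not set)', PHP_EOL;

// Step 1 of the procedure: does the bundle exist and hold PEM certificates?
if ($caInfo !== '') {
    if (!is_readable($caInfo)) {
        echo 'Bundle file is missing or not readable by this user', PHP_EOL;
    } else {
        $count = substr_count(file_get_contents($caInfo), '-----BEGIN CERTIFICATE-----');
        echo 'Certificates in bundle: ', $count, PHP_EOL;
    }
}

// Request the resource with verification explicitly on, as the CMS does.
$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_NOBODY         => true,  // headers only; the TLS handshake still runs
    CURLOPT_SSL_VERIFYPEER => true,  // check the chain against the CA bundle
    CURLOPT_SSL_VERIFYHOST => 2,     // check the certificate matches the host name
    CURLOPT_TIMEOUT        => 15,
]);

if (curl_exec($ch) === false) {
    // Same text that ends up in the CMS log, e.g. "SSL certificate problem: ..."
    printf("FAIL: curl error %d: %s\n", curl_errno($ch), curl_error($ch));
    exit(1);
}
printf("OK: certificate verified, HTTP %d\n", curl_getinfo($ch, CURLINFO_HTTP_CODE));
```

If the bundle is reported as present and the request still fails with a certificate error, the problem is with the remote certificate rather than the local configuration.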

Resolution Linux Servers

On most Linux distributions, it should be sufficient to install the ca-certificates package provided by your distribution and then restart your web server.

Further Reading

There are some excellent sources of further reading:
