I'm trying to setup our internal Satis server which should be reachable via HTTPS (certificate is signed by an internal CA). On Linux, everything works as expected once the root certificate of the CA is added to certificate store (e.g. /etc/ssl/certs/ca-certificates.crt). But on my Mac, I'm getting a "SSL operation failed with code 1" error even after adding the certificate to the OS X Keychain. Curl on the command line and using libcurl in PHP can fetch the HTTPS URL but Composer and file_get_contents (which is used by Composer) always throw the "SSL operation failed with code 1" error.
I know I can specify the "openssl.capath" in my php.ini but why does it work with Curl without specifying the path?
I finally figured out what's wrong:
Curl is using SecureTransport instead of OpenSSL, so it's directly using the OS X Keychain and therefore works with certificates signed by public CAs as well as our internal CA (I've added it to the System keychain before).
file_get_contents is using OpenSSL which uses it's own CA bundle located at /usr/local/etc/openssl/cert.pem.
As /usr/local/etc/openssl/cert.pem only contains public CAs by default, I had to export the certificates from my Keychain (System and System Roots) to the cert.pem of OpenSSL: security find-certificate -a -p /Library/Keychains/System.keychain /System/Library/Keychains/SystemRootCertificates.keychain | sudo tee /usr/local/etc/openssl/cert.pem
Now file_get_contents() works for both, internal as well as external certificates/CAs.
But Composer does not look into /usr/local/etc/openssl/cert.pem, so I had to set the openssl.cafile php.ini property to the path of the cert.pem:
[openssl]
openssl.cafile = /usr/local/etc/openssl/cert.pem