Dompdf is a very popular PHP library that generates PDFs from HTML and CSS. It makes it very easy to create invoices, reports, or any other dynamic documents for your web application. I've been using it for at least 5 years already. It supports most of HTML5 and CSS2.1 and works by rendering your HTML content as a PDF page, and you can embed plenty of resources such as fonts, images, and custom CSS (as long as it's supported).
After trying to create a new report that included an image from one of our clients' websites, I noticed that their website was unable to serve resources via HTTPS as their SSL certificate expired a week ago. Unfortunately, they weren't going to solve it for at least another week; however, the application had to work for the client's demo without any problem. The issue wasn't directly on our side, and we couldn't just download the image and store it on our own servers because the URLs of the images were dynamically generated with an access token, so our only option here was to bypass the SSL verification when loading images in Dompdf.
Important
This is certainly not a good approach. The best way to access those resources is securely, with a valid SSL certificate. There are plenty of risks in accessing resources (images or any HTTPS content) from a website with an expired SSL certificate:
- Most HTTP clients (of course, it happens with Dompdf) will block the request if the certificate is expired.
- If your app forces it to load anyway, the request is open to a Man-in-the-Middle attack.
- Your application's behavior is going to become unpredictable, sometimes failing and sometimes working.
- In serious applications, forcibly ignoring certificate errors may go against regulations such as HIPAA in the case of the medical sector.
So, only use this approach if you have a good reason to do it (we had to show a demo, so they fixed the certificate issue after a week and we were able to remove this snippet).
Allow loading of insecure images
To load insecure images in Dompdf, you need to create a custom HTTP context that disables SSL certificate verification when executing HTTPS requests using functions such as file_get_contents, fopen or stream_socket_client:
- verify_peer: when set to false, PHP will trust any certificate (including expired or fake ones), as it skips the verification against trusted certificate authorities (CA).
- verify_peer_name: when set to false, disables checking if the hostname in the provided certificate matches the server you're trying to connect to.
- allow_self_signed: when set to true, allows connections to servers that provide self-signed certificates (those that aren't signed by a trusted CA).
You can implement the mentioned context in your code like this:
<?php
use Dompdf\Dompdf;
use Dompdf\Options;

// 1. Create the Dompdf options and allow loading of remote resources
$dompdfOptions = new Options();
$dompdfOptions->setIsRemoteEnabled(true);

// 2. Create a new Dompdf instance
$pdf = new Dompdf($dompdfOptions);

// 3. Create a new stream context that skips all certificate checks
$context = stream_context_create([
    'ssl' => [
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true,
    ]
]);

// 4. Set the stream context to the Dompdf instance
$pdf->setHttpContext($context);

// The rest of your PDF generation code goes here...
With this snippet, you're essentially telling PHP to trust any SSL certificate, even if it's self-signed or invalid. Remember, this is a security risk, so only use it if you know what you're doing (working locally, etc.).
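A narrower variant of the snippet above, as an added example that is not part of the original post: instead of trusting any certificate, it accepts only the one expired certificate by its SHA-256 fingerprint (PHP's peer_fingerprint SSL context option) and returns to normal verification after a cut-off date. The helper name imageSslOptions, the fingerprint placeholder and the cut-off date are assumptions made for illustration, and Dompdf is assumed to be installed through Composer.

```php
<?php
// Added example, not code from the original post.
require 'vendor/autoload.php';

use Dompdf\Dompdf;
use Dompdf\Options;

/**
 * Build the 'ssl' context options for Dompdf's remote fetches (hypothetical helper).
 * Before $until: accept only the certificate whose SHA-256 digest equals $pin.
 * From $until on: PHP's normal CA chain and hostname verification.
 */
function imageSslOptions(string $pin, DateTimeImmutable $until, ?DateTimeImmutable $now = null): array
{
    $now ??= new DateTimeImmutable();

    if ($now >= $until) {
        // The workaround has run out: verify certificates as usual again.
        return ['verify_peer' => true, 'verify_peer_name' => true];
    }

    return [
        // The chain check would reject the expired certificate, so it is off...
        'verify_peer'      => false,
        // ...but the hostname must still match the certificate,
        'verify_peer_name' => true,
        // and the certificate must be exactly the one that was pinned.
        'peer_fingerprint' => ['sha256' => strtolower(str_replace(':', '', $pin))],
    ];
}

// Placeholder: the hex SHA-256 fingerprint of the client's certificate, obtained
// out of band (for example with openssl_x509_fingerprint($cert, 'sha256')).
$pin = 'REPLACE_WITH_SHA256_FINGERPRINT_OF_THE_CLIENT_CERTIFICATE';

// Constructed cut-off date: a fixed date, not a relative one, so it really expires.
$until = new DateTimeImmutable('2025-01-31T00:00:00+00:00');

$options = new Options();
$options->setIsRemoteEnabled(true);

$pdf = new Dompdf($options);
$pdf->setHttpContext(stream_context_create(['ssl' => imageSslOptions($pin, $until)]));

// The rest of your PDF generation code goes here...
```

Dompdf uses this one context for every remote fetch, so while the pin is active HTTPS resources from any other host are rejected because their certificates do not match the fingerprint.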
Happy coding ❤️!