I have an Ubuntu LAMP server on Digital Ocean and have setup an SSL certificate (which works perfectly fine). The website runs via https (http requests are redirected to https). In one of my PHP scripts, I have to send a cURL request to the local server. I am basically sending a POST request with JSON data that will be used for templating a document at the other end. In short, both ends are hosted at the same site:
https://example.com/form.php
https://example.com/templates/document.php
The cURL error I get when sending data from form.php to templates/document.php is:
SSL certificate problem: unable to get local issuer certificate
I have read at least 20 articles telling me to add these lines to php.ini at their original line positions:
curl.cainfo="/etc/ssl/certs/cacert.pem"
openssl.cafile="/etc/ssl/certs/cacert.pem"
The CA certificate is located as described above, but the cURL error persists.
I am able to bypass this error by forcing CURLOPT_SSL_VERIFYPEER to false in the cURL request itself. However, I know this is not an option for a website in production mode.
Is it not possible to do such SSL cURL request to its own host? Or is it so that I can actually disable CURLOPT_SSL_VERIFYPEER for this very specific request since it's just a local request anyway?
Thank you in advance!
EDIT:
Adding a verbose option to the cURL request shows the following information:
Trying 123.456.789.01...
Connected to example.com (123.456.789.01) port 443 (#0)
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/cacert.pem CApath: /etc/ssl/certs
SSL certificate problem: unable to get local issuer certificate
Closing connection 0
It doesn't seem to be of any help though.
Related
When trying to access one particular API through curl in PHP, I get the curl error code 60 - unable to get local issuer certificate. The strange thing is that I only get this error for this particular domain, and only when using curl in php.
When accessing the API with command line curl, the issue does not occur. When trying to access any other SSL domain via curl in php, the issue does not occur. In fact, I have found another website that uses the same intermediate certificate (i.e. RapidSSL Global TLS RSA4096 SHA256 2022 CA1), and I can access that website.
I have of course tried setting cacert.pem manually, for both curl and openssl, through both the php.ini and through curl_setopt in code, but to no avail. I have also verified that the root certificate that is used by the problematic api (i.e. Digicert Global Root CA) is present in both the downloaded and default CA stores.
At this point, I would appreciate any guesses as to what could possibly be causing this behaviour.
Here is the output of Curl in verbose mode when trying to access the problematic website:
* Trying <IP>:443...
* Connected to <Domain> (<IP>) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /usr/local/etc/openssl#1.1/cert.pem
* CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
Update: after running testssl.sh, it seems that chain of trust is not entirely complete. This does not explain why only curl with php has this issue, and I would still appreciate it if anybody could point me to a way to accept this particular flaw without disabling SSL verification entirely.
When I enable CURLOPT_SSL_VERIFYPEER i get this error from curl:
SSL certificate problem: unable to get local issuer certificate.
I read that i should include something to the php.ini file but i do not have access to that file because it's not a self hosted site. I alredy purchased ssl certification for my site and the host said that they will set everything.
Where could be the problem at my site or at the host?
You might have to talk about this issue with the technical support from your host. The installation/configuration of the ssl certificate might not be completed yet.
I'm trying to install Vaprobash via CURL but I get this message everytime I try to download something through CURL. I'm using a Mac.
curl -L http://bit.ly/vaprobash > Vagrantfile
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Append option in curl call:
-k/--insecure
The curl will be not trying to verify SSL cert.
The link is redirecting to a secure HTTP (SSL) server, and curl doesn't have access to the proper chain of trusted certificates to confirm that the site says it is who it is.
If you're sure the site is legitimate, and this is a once-off effort, you can use the --insecure option (it will ignore any certificate errors). Opening the link in a browser directs to GitHub with no issues, and curl fetches it fine on my Ubuntu 12.04 box.
It's likely a missing certificate in your SSL installation. Run with the -v option to get a detailed output if you need to confirm this.
For a web application which is able to mount users directories I want to provide a option for the user to upload his root certificate to use curl over ssl.
I tried to set the capath to the upload directory (CURLOPT_CAPATH => $capath) but I still get this error message:
[CURL] Error while making request: SSL certificate problem, verify that the CA cert is OK
If I try to set the cert additionally to the path (but I would prefer to set up curl in a way to accept all certificates signed by a bunch of root certificates provided by the user).
Anyway, if I set for test purpose:
CURLOPT_CAPATH => $capath
CURLOPT_CAINFO => $capath."/myrootcert.der"
I get this error message:
[CURL] Error while making request: error setting certificate verifylocations:\n CAfile: /foo/bar/cacertroot.der\n CApath: /foo/bar/\n (error code: 77)
Any hints what I'm doing wrong? Thanks!
Quick question : I have a PHP script which query Pinnacle Cart API through a cURL query. While testing this on my laptop, no problem. I get the XML response and all. But once it's on the remote server... I get no result. I checked beforehand to be sure cURL was installed on the remote server, and it sure is. I don't have the same version as the remote server (libcurl/7.15.5 vs libcurl/7.19.5) but I kind of doubt it's the issue here. Any idea what might throw off my script?
EDIT : Here is what I get when I output the errors to a file with CURLOPT_STDERR :
Locally :
successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs
SSL connection using DHE-RSA-AES256-SHA
Server-side :
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSL certificate problem, verify that the CA cert is OK. Details:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
1 minutes of googling later... I found out that with this parameter :
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
My script works on the server... But it's kind of butched, isn't it?
See your PHP error log or turn the PHP's error reporiting functionality on so that it gives you the exact error message. Most probably PHP's safe_mode is open on your server and prevents some functionality (eg. CURLOPT_FOLLOWLOCATION) of curl library.