HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK
Asked Answered
J

12

210

I am using XAMPP for development. Recently I upgraded my installation of xampp from an old version to 1.7.3.

Now when I curl HTTPS enabled sites I get the following exception

Fatal error: Uncaught exception 'RequestCore_Exception' with message 'cURL resource: Resource id #55; cURL error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (60)'

Everyone suggest using some specific curl options from PHP code to fix this problem. I think this shouldn't be the way. Because I didn't have any problem with my old version of XAMPP and happened only after installing the new version.

I need help to figure out what settings change in my PHP installation, Apache etc can fix this problem.

Josiah answered 19/6, 2011 at 3:18 Comment(0)
S
145

curl used to include a list of accepted certificate authorities (CAs) but no longer bundles ANY CA certs since 7.18.1 and onwards. So by default it'll reject all TLS/SSL certificates as unverifiable.

You'll have to get your CA's root certificate and point curl at it. More details at curl's details on TLS/SSL certificates verification.

Songful answered 19/6, 2011 at 5:23 Comment(10)
The curl is happening in Amazon web services php library. I didn't understand how to fix it without editing the library code.Josiah
Then turn off certificate verification (CURLOPT_SSL_VERIFYPEER -> false). Your either add the CA cert of the site you're trying to do SSL with, or you disable CA verfification. Those are the only two options available.Songful
Just fyi — setting CURLOPT_SSL_VERIFYPEER to false defeats the purpose of using SSL.Besmear
"You'll have to get your CA's cert and point curl at it" -> see Артур Курицын's answer below for details...Familial
@Besmear doesn't it defeat half the purpose of SSL? You still get privacy between you and your peer: you just don't have authenticity of your peer.Talmud
without authenticity, what's the point in encrypting the data you're sending? If you've been MITMed then the data is compromised anywayZootechnics
That depends on what you're sending and the resources of your attacker. Sure, people can MITM you, but without SSL, anyone can passively snoop your plaintexts. Encryption-only SSL is still better than no SSL at all.Jadotville
Does anyone know what version of Curl "used to include a list of accepted CAs"?Signatory
Before version 7.18.1 @ElijahLynn (released March 30 2008) we no longer distribute or install a ca cert bundle curl.haxx.se/changes.htmlKnew
Thanks, added to answer.Signatory
I
294

It's a pretty common problem in Windows. You need just to set cacert.pem to curl.cainfo.

Since PHP 5.3.7 you could do:

  1. download https://curl.se/ca/cacert.pem and save it somewhere.
  2. update php.ini -- add curl.cainfo = "PATH_TO/cacert.pem"

Otherwise you will need to do the following for every cURL resource:

curl_setopt ($ch, CURLOPT_CAINFO, "PATH_TO/cacert.pem");
Inchworm answered 11/5, 2013 at 7:54 Comment(9)
This worked for me in XAMPP on OS X. It fixed a problem where a Wordpress plugin wouldn't update due to being unable to locate a local certificate.Disabled
For anyone else trying to solve this problem on Windows using Apache, I had to set the full path (i.e. C:\PATH_TO\cacert.pem) in my PHP code. On IIS, the relative path seemed to work ok.Photostat
If the cacert.pem is in same directory then curl_setopt($ch, CURLOPT_CAINFO, dirname(FILE) . '/cacert.pem'); will workDoff
When using WampServer with 2., you must add the variable to two separate php.ini files. See https://mcmap.net/q/126162/-https-and-ssl3_get_server_certificate-certificate-verify-failed-ca-is-okProtrusive
What's puzzling/ironic is that you can download curl.haxx.se/ca/cacert.pem over HTTPS without specifing any extra options. Is the certificate for curl.haxx.se backed into curl itself?Anette
I have the cacert.pem file in /usr/local/lib/ where the php.ini file is and i have this code [PHP] curl.cainfo = "/cacert.pem" just in the beggining of the php.ini file. But i get this error Failed to save image file, with error message: error setting certificate verify locations: CAfile: /cacert.pem CApath: noneFailed to update your Event, with error message: Bad RequestDeterrence
This worked for me on Centos. Caused some confusion because I'm running multiple versions of PHP through phpbrew and I was editing the wrong php.ini file :/ Used phpinfo to log PHP config, and once I added cacert.pem path to the right php.ini it worked like a charmPatella
i had this issue: Exception: SSL Certificate problem: unable to get local issuer certificate and the above answer worked like a charm for me. Thank uTempting
Is it possible to use a .crt file instead of .pem fileKlatt
S
145

curl used to include a list of accepted certificate authorities (CAs) but no longer bundles ANY CA certs since 7.18.1 and onwards. So by default it'll reject all TLS/SSL certificates as unverifiable.

You'll have to get your CA's root certificate and point curl at it. More details at curl's details on TLS/SSL certificates verification.

Songful answered 19/6, 2011 at 5:23 Comment(10)
The curl is happening in Amazon web services php library. I didn't understand how to fix it without editing the library code.Josiah
Then turn off certificate verification (CURLOPT_SSL_VERIFYPEER -> false). Your either add the CA cert of the site you're trying to do SSL with, or you disable CA verfification. Those are the only two options available.Songful
Just fyi — setting CURLOPT_SSL_VERIFYPEER to false defeats the purpose of using SSL.Besmear
"You'll have to get your CA's cert and point curl at it" -> see Артур Курицын's answer below for details...Familial
@Besmear doesn't it defeat half the purpose of SSL? You still get privacy between you and your peer: you just don't have authenticity of your peer.Talmud
without authenticity, what's the point in encrypting the data you're sending? If you've been MITMed then the data is compromised anywayZootechnics
That depends on what you're sending and the resources of your attacker. Sure, people can MITM you, but without SSL, anyone can passively snoop your plaintexts. Encryption-only SSL is still better than no SSL at all.Jadotville
Does anyone know what version of Curl "used to include a list of accepted CAs"?Signatory
Before version 7.18.1 @ElijahLynn (released March 30 2008) we no longer distribute or install a ca cert bundle curl.haxx.se/changes.htmlKnew
Thanks, added to answer.Signatory
V
85

Warning: this can introduce security issues that SSL is designed to protect against, rendering your entire codebase insecure. It goes against every recommended practice.

But a really simple fix that worked for me was to call:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

before calling:

curl_exec():

in the php file.

I believe that this disables all verification of SSL certificates.

Vaden answered 12/5, 2012 at 19:59 Comment(10)
... and by disabling the verification of the certificates, you leave the door open to potential MITM attacks, which SSL/TLS otherwise aims to protect against. DON'T DO THIS!Entwine
Yup. I should have drawn more attention to this in the answer. Only do this if you aren't working on anything important. I use it on localhost to access websites that I personally programmed.Vaden
Downvote from me. This is a dirty fix to get your code working, but not a solution. Answer provided by Артур Курицын is much better.Indies
@Jānis - its kind of equivalent to nothing. In this incarnation, it wastes network bandwidth because the server still sends the certificate. Since CURLOPT_SSL_VERIFYPEER=false, don't send the certificate. Just use an anonymous protocol, like Anonymous Diffie-Hellman (ADH).Incardination
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); worked for me thanksEth
@Entwine This is the perfect solution, for helper scripts, tests, trusted applications, intranet, ..... Everyone who knows A LITTLE about SSL, knows in which cases the certificate validation can be skipped. So all the 'smart' comments on this answer and things like 'DON'T DO THIS' is just NONSENSE!!Louislouisa
@KenyakornKetsombut Not sure, really. If you really want a good test environment, use your own test CA, that will be a more realistic test. Otherwise, you'll just have vulnerable code in your code base, which you'll have to treat separately later (which can be more costly overall). Most likely, you'll forget to remove that bad code the day before shipping. Generally, if you already are in a trusted environment, you might not need SSL, but if your helper scripts and trusted applications are on a network you might not be able to trust fully, you might as well do things right.Entwine
... "Everyone who knows A LITTLE about SSL [...]"... and you'd be surprised how many people don't even bother knowing a little bit about the basics of SSL/TLS, and are just coming here to copy/paste a quick fix for their error message.Entwine
I completely agree with @Bruno. Further, if the OP had known this in advance, she wouldn't have asked, therefore it's good to warn, because she didn't talk about internal scripts or testing, but "HTTPS enabled websites", and this makes me think that previously the default behavior was to cURL these websites without SSL verification (in a production environment). If you know what you are doing, you don't ask on stackoverflow. My 2 cents.Zloty
It's perfect for testing a post PHP file, and when testing is finished, you should remove this, as it is not secure.Bromal
U
55

Source: http://ademar.name/blog/2006/04/curl-ssl-certificate-problem-v.html

#Curl: SSL certificate problem, verify that the CA cert is OK# ###07 April 2006###

When opening a secure url with Curl you may get the following error:

SSL certificate problem, verify that the CA cert is OK

I will explain why the error and what you should do about it.

The easiest way of getting rid of the error would be adding the following two lines to your script . This solution poses a security risk tho.

//WARNING: this would prevent curl from detecting a 'man in the middle' attack
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0); 

Let see what this two parameters do. Quoting the manual.

CURLOPT_SSL_VERIFYHOST: 1 to check the existence of a common name in the SSL peer certificate. 2 to check the existence of a common name and also verify that it matches the hostname provided.

CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2). Setting CURLOPT_SSL_VERIFYHOST to 2 (This is the default value) will garantee that the certificate being presented to you have a 'common name' matching the URN you are using to access the remote resource. This is a healthy check but it doesn't guarantee your program is not being decieved.

###Enter the 'man in the middle'###

Your program could be misleaded into talking to another server instead. This can be achieved through several mechanisms, like dns or arp poisoning ( This is a story for another day). The intruder can also self-sign a certificate with the same 'comon name' your program is expecting. The communication would still be encrypted but you would be giving away your secrets to an impostor. This kind of attack is called 'man in the middle'

###Defeating the 'man in the middle'###

Well, we need to to verify the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonable* trust.

If the remote resource is protected by a certificate issued by one of the main CA's like Verisign, GeoTrust et al, you can safely compare against Mozilla's CA certificate bundle which you can get from http://curl.se/docs/caextract.html

Save the file cacert.pem somewhere in your server and set the following options in your script.

curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE); 
curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");

for All above Info Credit Goes to : http://ademar.name/blog/2006/04/curl-ssl-certificate-problem-v.html

Underbody answered 6/9, 2012 at 6:7 Comment(3)
It is generally considered polite to credit the source of your information and only quote certain parts relevant to the question, rather than simply copying and pasting it on here!Lundell
Sorry, I have been Away, yeah I appricate Dan for that and Updated The PostUnderbody
At least Deepak made the effort to research it. @danherd So danherd, you just made the research to find that he took the code from somewhere? What was the attribution right of this code? Instead of wasting your time to find someone else' mistakes try to help someone on your own. Don't fight, share!Ave
P
17

The above solutions are great, but if you're using WampServer you might find setting the curl.cainfo variable in php.ini doesn't work.

I eventually found WampServer has two php.ini files:

C:\wamp\bin\apache\Apachex.x.x\bin
C:\wamp\bin\php\phpx.x.xx

The first is apparently used for when PHP files are invoked through a web browser, while the second is used when a command is invoked through the command line or shell_exec().

TL;DR

If using WampServer, you must add the curl.cainfo line to both php.ini files.

Protrusive answered 7/9, 2014 at 3:4 Comment(0)
A
6

For the love of all that is holy...

In my case, I had to set the openssl.cafile PHP config variable to the PEM file path.

I trust it is very true that there are many systems where setting curl.cainfo in PHP's config is exactly what is needed, but in the environment I'm working with, which is the eboraas/laravel docker container, which uses Debian 8 (jessie) and PHP 5.6, setting that variable did not do the trick.

I noticed that the output of php -i did not mention anything about that particular config setting, but it did have a few lines about openssl. There is both an openssl.capath and openssl.cafile option, but just setting the second one allowed curl via PHP to finally be okay with HTTPS URLs.

Apocryphal answered 28/2, 2017 at 4:42 Comment(4)
Thank you! Setting the curl.cainfo didn't work for me either, but setting openssl.cafile did! I'm on Windows 7 with XAMPP and PHP 7.1.1.Chopping
@Chopping how did you go about setting the openssl.cafile? where did you download, and how do you activate it?Arlberg
Well, it's been a while but I think it's something like this: curl.cainfo = "C:\xampp\cacert\cacert.pem" and openssl.cafile= "C:\xampp\cacert\cacert.pem" in php.ini, while I think I got the pem file from one of the answers here.Chopping
"For the love of all that is holy..." indeed. This worked for my Ubuntu 18.08/Apache/Php7.2 setup. If the curl error is pointing at the right file, then it most certainly is openssls faultBlockhead
F
4

Sometimes if the application you try to contact has self signed certificates, the normal cacert.pem from http://curl.haxx.se/ca/cacert.pem does not solve the problem.

If you are sure about the service endpoint url, hit it through browser, save the certificate manually in "X 509 certificate with chain (PEM)" format. Point this certificate file with the

curl_setopt ($ch, CURLOPT_CAINFO, "pathto/{downloaded certificate chain file}");   
Freitag answered 18/12, 2013 at 18:52 Comment(0)
Y
4

I have the same error on amazon AMI linux.

I Solved by setting curl.cainfo on /etc/php.d/curl.ini

https://gist.github.com/reinaldomendes/97fb2ce8a606ec813c4b

Addition October 2018

On Amazon Linux v1 edit this file

vi /etc/php.d/20-curl.ini

To add this line

curl.cainfo="/etc/ssl/certs/ca-bundle.crt"
Yulandayule answered 9/10, 2014 at 2:43 Comment(1)
Perfect, thanks! I updated the question to add exactly what I did that solved the problem for me, rather than creating another answer.Shadowy
F
3

When setting the curl options for CURLOPT_CAINFO please remember to use single quotes, using double quotes will only cause another error. So your option should look like:

curl_setopt ($ch, CURLOPT_CAINFO, 'c:\wamp\www\mywebfolder\cacert.pem');

Additionally, in your php.ini file setting should be written as:(notice my double quotes)

curl.cainfo = "C:\wamp\www\mywebfolder"

I put it directly below the line that says this: extension=php_curl.dll

(For organizing purposes only, you could put it anywhere within your php.ini, i just put it close to another curl reference so when I search using keyword curl I caan find both curl references in one area.)

Fourpenny answered 30/9, 2014 at 15:27 Comment(1)
I hope php.ini should point to the pem file instead of its parent folderWende
C
2

I ended up here when trying to get GuzzleHttp (php+apache on Mac) to get a page from www.googleapis.com.

Here was my final solution in case it helps anyone.

Look at the certificate chain for whatever domain is giving you this error. For me it was googleapis.com

openssl s_client -host www.googleapis.com -port 443

You'll get back something like this:

Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.googleapis.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Note: I captured this after I fixed the issue, to your chain output may look different.

Then you need to look at the certificates allowed in php. Run phpinfo() in a page.

<?php echo phpinfo();

Then look for the certificate file that's loaded from the page output:

openssl.cafile  /usr/local/php5/ssl/certs/cacert.pem

This is the file you'll need to fix by adding the correct certificate(s) to it.

sudo nano /usr/local/php5/ssl/certs/cacert.pem

You basically need to append the correct certificate "signatures" to the end of this file.

You can find some of them here: You may need to google/search for others in the chain if you need them.

They look like this:

example certificate image

(Note: This is an image so people will not simply copy/paste certificates from stackoverflow)

Once the right certificates are in this file, restart apache and test.

Consistory answered 18/4, 2017 at 21:45 Comment(0)
S
0

You could try to reinstall the ca-certificates package, or explicitly allow the certificate in question as described here.

Sicular answered 11/4, 2019 at 18:34 Comment(0)
F
-5

The solution is very simple! Put this line before curl_exec:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

For me it works.

Fiedling answered 2/1, 2014 at 18:32 Comment(4)
Never, ever disable peer verification unless you don't care if the data is compromised in transit.Edieedification
Agreed. If you want a secure app you need peer verification.Although
"Never, ever disable peer verification " UNLESS you want default browser functionality haha. Also, why is this downvoted so much? This is the only answer that is short, sweet, to the point AND effective.Tibold
@AdamF FYI, browsers DO verify the peer certificate by default, they only give you the option to bypass errors manually, with a warning.Entwine

© 2022 - 2024 — McMap. All rights reserved.