Curl Error 60, Ssl Certificate Issue: Self Signed Certificate in Certificate Chain

  • Home
  • Languages
  • PHP
  • Curl Error 60, Ssl Certificate Issue: Self Signed Certificate in Certificate Chain

Curl error 60, SSL certificate issue: self signed certificate in certificate chain

Answers suggesting to disable CURLOPT_SSL_VERIFYPEER should not be accepted. The question is "Why doesn't it work with cURL", and as correctly pointed out by Martijn Hols, it is dangerous.

The error is probably caused by not having an up-to-date bundle of CA root certificates. This is typically a text file with a bunch of cryptographic signatures that curl uses to verify a host’s SSL certificate.

You need to make sure that your installation of PHP has one of these files, and that it’s up to date (otherwise download one here: http://curl.haxx.se/docs/caextract.html).

Then set in php.ini:

curl.cainfo = <absolute_path_to> cacert.pem

If you are setting it at runtime, use (where $ch = curl_init();):

curl_setopt ($ch, CURLOPT_CAINFO, dirname(__FILE__)."/cacert.pem");

curl (60) ssl certificate problem self signed certificate localhost at windows

It is because you localhost server’s SSL certificate is self-signed (signed by itself) and not signed by a well known Certified Authority (CA).

This makes curl (or any https requester, like a browser as Chrome) not able to guarantee that the certifícate is worth of thrust, because basically that certificate is saying: ‘trust me, i am who i say i am’, but in practice there is nothing backing that affirmation.
That is precisely the role of a external CA: validate that the identity of the signed certificate is truly from who claims to be (https://en.m.wikipedia.org/wiki/Certificate_authority)

You can bypass curl CA validation with the insecure -k flag (https://linux.die.net/man/1/curl), like this:

curl -X GET -H 'Authorization: Bearer ${Token}' -k https://localhost/student-sevice/list-of-student

Whatsoever, I would strongly recommend that you change your server certificate with one validated by a well known CA to avoid further problems.

See also, duplicated of: How to disable cURL SSL certificate verification

cURL error 60: SSL certificate problem: self signed certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)

The quick solution for localhost is to turn off the certificate verification using options in guzzle of verify as false.

A quick small example below

use GuzzleHttp\Client;

$client = new Client([
    'base_uri' => 'http://exmaple.org'
]);
$client->request('GET', '/', ['verify' => false]);

If you are using Http-client provided by laravel you can add guzzle options like this,

$response = Http::withOptions([
    'verify' => false,
])->get('http://example.org/');

NOTE:

Though even guzzle suggests to not using it, but if you are testing your own apis it can work.

Though you can simple add your certificates as per request just by providing path.

Mozilla provides a commonly used CA bundle which can be downloaded here (provided by the maintainer of cURL).

// Use a custom SSL certificate on disk.
$client->request('GET', '/', ['verify' => '/path/to/cacert.pem']);

Read more about certificates from https://curl.se/docs/sslcerts.html .

Read more about verify from guzzle docs verify

PHP cURL error: SSL certificate problem: self signed certificate

You should append the public key of your self signed certificate to the cacert.pem file. Then either of the solutions (setting curl.cainfo in php.ini OR explicitly specifying the path to the cacert.pem file using CURLOPT_CAINFO) proposed here should work just fine.

Make sure you respect the format of the cacert.pem file when adding your public key.

cURL error 60: SSL certificate: unable to get local issuer certificate

How to solve this problem:

  • download and extract cacert.pem following the instructions at https://curl.se/docs/caextract.html

  • save it on your filesystem somewhere (for example, XAMPP users might use C:\xampp\php\extras\ssl\cacert.pem)

  • in your php.ini, put this file location in the [curl] section (putting it in the [openssl] section is also a good idea):

[curl]
curl.cainfo = "C:\xampp\php\extras\ssl\cacert.pem"

[openssl]
openssl.cafile = "C:\xampp\php\extras\ssl\cacert.pem"
  • restart your webserver (e.g. Apache) and PHP FPM server if applicable

(Reference: https://laracasts.com/discuss/channels/general-discussion/curl-error-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate)


Related Topics

Tracking the Script Execution Time in PHP

What Are the Differences in Die() and Exit() in PHP

Explode PHP String by New Line

Diagnosing Memory Leaks - Allowed Memory Size of # Bytes Exhausted

Url Friendly Username in PHP

Keeping Session Alive With Curl and PHP

Increasing Nesting Function Calls Limit

Why I Am Getting Cannot Pass Parameter 2 by Reference Error When I Am Using Bindparam With a Constant Value

Find a Matching or Closest Value in an Array

How to Find the Mime Type of a File With PHP

PHP Regex to Match Outside of HTML Tags

Convert Backslash-Delimited String into an Associative Array

Insert/Update Helper Function Using Pdo

PHP Mail Not Working For Some Reason

What's the Difference Between :: (Double Colon) and -≫ (Arrow) in PHP

I Have an Array of Integers, How to Use Each One in a MySQL Query (In PHP)

PHP Shell_Exec() VS Exec()

"The Page Has Expired Due to Inactivity" - Laravel 5.5


Leave a reply



Submit