cURL error 60: SSL certificate: unable to get local issuer certificate
How to solve this problem:
download and extract cacert.pem following the instructions at https://curl.se/docs/caextract.html
save it on your filesystem somewhere (for example, XAMPP users might use
C:\xampp\php\extras\ssl\cacert.pem
)in your php.ini, put this file location in the
[curl]
section (putting it in the[openssl]
section is also a good idea):
[curl]
curl.cainfo = "C:\xampp\php\extras\ssl\cacert.pem"
[openssl]
openssl.cafile = "C:\xampp\php\extras\ssl\cacert.pem"
- restart your webserver (e.g. Apache) and PHP FPM server if applicable
(Reference: https://laracasts.com/discuss/channels/general-discussion/curl-error-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate)
Ubuntu 22.04 LTS and Composer curl error 60 - SSL certificate problem: unable to get local issuer certificate
Finally managed to solve it by manually replacing the ca-bundle.crt file, after realizing that even a simple curl/wget CLI command (outside of PHP/Composer) returned the same error (this the reason of the --no-check-certificate below):
sudo mv /etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-bundle.crt.backup
sudo wget -O /etc/ssl/ca-bundle.crt https://curl.se/ca/cacert.pem --no-check-certificate
I got the link from: https://curl.se/docs/caextract.html
Still same error display: cURL error 60: SSL certificate problem: unable to get local issuer certificate
How to solve this problem:
download and extract cacert.pem following the instructions at https://curl.se/docs/caextract.html
save it on your filesystem somewhere (for example, XAMPP users might use C:\xampp\php\extras\ssl\cacert.pem)
in your php.ini, put this file location in the [curl] section (putting it in the [openssl] section is also a good idea):
Example:
[curl]
curl.cainfo = "C:\xampp\php\extras\ssl\cacert.pem"
[openssl]
openssl.cafile = "C:\xampp\php\extras\ssl\cacert.pem"
- restart your webserver (e.g. Apache) and PHP FPM server if applicable
reference here
You could also remove SSL validation on localhost. Just need to add options to de GuzzleHttp client in the 'withOptions' method to disable verification.
$options = ['verify'=>false];
To check if a local environment can do a simple if:
public function authApi(){
$options = [];
if (App::environment('local')) {
$options = ['verify'=>false];
}
return Http::withBasicAuth($this->client_key, $this->client_key_secret)->withOptions($options);
}
Guzzle Curl Error 60 SSL unable to get local issuer
[curl] 60: SSL certificate problem: unable to get local issuer certificate
Well, from the outside looking in, it looks like the server certificate is bad. It does not include the name "googleapis.com".
First, fetch the certificate with openssl s_client
:
openssl s_client -connect googleapis.com:443
Then save the certificate to a file. The certificate starts with -----BEGIN CERTIFICATE-----
and ends with -----END CERTIFICATE-----
.
Next, print the certificate with openssl x509
(shown below). Its missing googleapis.com
.
You probably need to accept the name mismatch, and pin the server's public key. Google rotates their certificates every 30 days or so to keep CRLs small for mobile clients. That means you can't pin the certificate. However, Google re-certifies the same public key, so key continuity schemes like public key pinning work.
There's a smaller, second issue when using openssl s_client
. s_client
needs the option CAfile
using Google Internet Authority G2
. The missing CA is causing the error unable to get local issuer certificate
below. You can download Google's CA file at pki.google.com.
$ openssl s_client -connect googleapis.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
You could also use Equifax Secure Certificate Authority
as the root of trust because it appears Equifax cross-certified Google's CA.
But the name mismatch is a deal breaker. That's the one thing an X509 certificate is supposed to do: bind a entity, like a server name or user, to a public key through a trusted authority. It does not matter who signed the broken certificate (I could have signed it).
$ openssl x509 -in googleapis-com.txt -inform PEM -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9106978240760957072 (0x7e627c7589c4c890)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
Validity
Not Before: Jul 2 13:04:27 2014 GMT
Not After : Sep 30 00:00:00 2014 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=google.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ab:02:29:67:f1:08:cc:f0:5c:63:ff:75:b3:bd:
41:62:c6:83:0c:3b:e6:1b:9a:41:0d:dc:5a:b3:34:
db:a3:37:6f:4f:bf:f5:8a:01:39:6a:91:b7:d1:a6:
83:6d:c6:28:60:79:c9:07:f2:ad:23:00:f2:31:74:
b0:a3:d0:d6:ac:5a:f4:31:c8:98:9c:49:c6:20:0b:
ce:81:2b:51:b6:54:0f:65:54:f2:b3:08:c9:c0:c8:
ca:a6:ec:bb:fc:8e:a5:64:70:6b:dc:08:45:9c:14:
cd:cd:aa:49:fd:e9:a5:f1:7d:c6:f8:5d:52:e8:d8:
3d:21:81:46:49:ba:f7:bd:7d:07:42:31:cf:79:61:
b1:47:2c:ba:ce:5a:cd:52:4a:5f:d2:b6:88:d0:a2:
94:53:e2:65:d6:66:80:43:17:e1:2e:43:ab:ca:2f:
79:e6:11:8b:4a:35:fa:e1:43:e3:49:66:5a:1f:e0:
a3:1c:5e:1c:6e:aa:de:0d:ba:cb:20:e3:3d:9e:66:
47:32:25:3c:01:22:b3:69:a6:96:0e:2e:13:c7:fd:
70:c6:61:7e:a9:f0:ad:a4:a6:41:13:36:8c:46:74:
c8:a5:ac:b0:b5:17:00:b8:0e:62:79:1a:fc:7e:7c:
2b:f7:2e:c0:ab:07:fc:8e:46:3c:8f:f2:e5:6e:8f:
83:17
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:google.com, DNS:*.2mdn.net, DNS:*.android.com, DNS:*.appengine.google.com,
DNS:*.au.doubleclick.net, DNS:*.cc-dt.com, DNS:*.cloud.google.com, DNS:*.de.doubleclick.net,
DNS:*.doubleclick.com, DNS:*.doubleclick.net, DNS:*.fls.doubleclick.net, DNS:*.fr.doubleclick.net,
DNS:*.google-analytics.com, DNS:*.google.ac, DNS:*.google.ad, DNS:*.google.ae, DNS:*.google.af,
DNS:*.google.ag, DNS:*.google.al, DNS:*.google.am, DNS:*.google.as, DNS:*.google.at,
DNS:*.google.az, DNS:*.google.ba, DNS:*.google.be, DNS:*.google.bf, DNS:*.google.bg,
DNS:*.google.bi, DNS:*.google.bj, DNS:*.google.bs, DNS:*.google.bt, DNS:*.google.by,
DNS:*.google.ca, DNS:*.google.cat, DNS:*.google.cc, DNS:*.google.cd, DNS:*.google.cf,
DNS:*.google.cg, DNS:*.google.ch, DNS:*.google.ci, DNS:*.google.cl, DNS:*.google.cm,
DNS:*.google.cn, DNS:*.google.co.ao, DNS:*.google.co.bw, DNS:*.google.co.ck, DNS:*.google.co.cr,
DNS:*.google.co.hu, DNS:*.google.co.id, DNS:*.google.co.il, DNS:*.google.co.im, DNS:*.google.co.in,
DNS:*.google.co.je, DNS:*.google.co.jp, DNS:*.google.co.ke, DNS:*.google.co.kr, DNS:*.google.co.ls,
DNS:*.google.co.ma, DNS:*.google.co.mz, DNS:*.google.co.nz, DNS:*.google.co.th, DNS:*.google.co.tz,
DNS:*.google.co.ug, DNS:*.google.co.uk, DNS:*.google.co.uz, DNS:*.google.co.ve, DNS:*.google.co.vi,
DNS:*.google.co.za, DNS:*.google.co.zm, DNS:*.google.co.zw, DNS:*.google.com, DNS:*.google.com.af,
DNS:*.google.com.ag, DNS:*.google.com.ai, DNS:*.google.com.ar, DNS:*.google.com.au,
DNS:*.google.com.bd, DNS:*.google.com.bh, DNS:*.google.com.bn, DNS:*.google.com.bo,
DNS:*.google.com.br, DNS:*.google.com.by, DNS:*.google.com.bz, DNS:*.google.com.cn,
DNS:*.google.com.co, DNS:*.google.com.cu, DNS:*.google.com.cy, DNS:*.google.com.do,
DNS:*.google.com.ec, DNS:*.google.com.eg, DNS:*.google.com.et, DNS:*.google.com.fj,
DNS:*.google.com.ge, DNS:*.google.com.gh, DNS:*.google.com.gi, DNS:*.google.com.gr,
DNS:*.google.com.gt, DNS:*.google.com.hk, DNS:*.google.com.iq, DNS:*.google.com.jm,
DNS:*.google.com.jo, DNS:*.google.com.kh, DNS:*.google.com.kw, DNS:*.google.com.lb,
DNS:*.google.com.ly, DNS:*.google.com.mm, DNS:*.google.com.mt, DNS:*.google.com.mx,
DNS:*.google.com.my, DNS:*.google.com.na, DNS:*.google.com.nf, DNS:*.google.com.ng,
DNS:*.google.com.ni, DNS:*.google.com.np, DNS:*.google.com.nr, DNS:*.google.com.om,
DNS:*.google.com.pa, DNS:*.google.com.pe, DNS:*.google.com.pg, DNS:*.google.com.ph,
DNS:*.google.com.pk, DNS:*.google.com.pl, DNS:*.google.com.pr, DNS:*.google.com.py,
DNS:*.google.com.qa, DNS:*.google.com.ru, DNS:*.google.com.sa, DNS:*.google.com.sb,
DNS:*.google.com.sg, DNS:*.google.com.sl, DNS:*.google.com.sv, DNS:*.google.com.tj,
DNS:*.google.com.tn, DNS:*.google.com.tr, DNS:*.google.com.tw, DNS:*.google.com.ua,
DNS:*.google.com.uy, DNS:*.google.com.vc, DNS:*.google.com.ve, DNS:*.google.com.vn, DNS:*.google.cv,
DNS:*.google.cz, DNS:*.google.de, DNS:*.google.dj, DNS:*.google.dk, DNS:*.google.dm,
DNS:*.google.dz, DNS:*.google.ee, DNS:*.google.es, DNS:*.google.fi, DNS:*.google.fm,
DNS:*.google.fr, DNS:*.google.ga, DNS:*.google.ge, DNS:*.google.gg, DNS:*.google.gl,
DNS:*.google.gm, DNS:*.google.gp, DNS:*.google.gr, DNS:*.google.gy, DNS:*.google.hk,
DNS:*.google.hn, DNS:*.google.hr, DNS:*.google.ht, DNS:*.google.hu, DNS:*.google.ie,
DNS:*.google.im, DNS:*.google.info, DNS:*.google.iq, DNS:*.google.ir, DNS:*.google.is,
DNS:*.google.it, DNS:*.google.it.ao, DNS:*.google.je, DNS:*.google.jo, DNS:*.google.jobs,
DNS:*.google.jp, DNS:*.google.kg, DNS:*.google.ki, DNS:*.google.kz, DNS:*.google.la,
DNS:*.google.li, DNS:*.google.lk, DNS:*.google.lt, DNS:*.google.lu, DNS:*.google.lv,
DNS:*.google.md, DNS:*.google.me, DNS:*.google.mg, DNS:*.google.mk, DNS:*.google.ml,
DNS:*.google.mn, DNS:*.google.ms, DNS:*.google.mu, DNS:*.google.mv, DNS:*.google.mw,
DNS:*.google.ne, DNS:*.google.ne.jp, DNS:*.google.net, DNS:*.google.ng, DNS:*.google.nl,
DNS:*.google.no, DNS:*.google.nr, DNS:*.google.nu, DNS:*.google.off.ai, DNS:*.google.pk,
DNS:*.google.pl, DNS:*.google.pn, DNS:*.google.ps, DNS:*.google.pt, DNS:*.google.ro,
DNS:*.google.rs, DNS:*.google.ru, DNS:*.google.rw, DNS:*.google.sc, DNS:*.google.se,
DNS:*.google.sh, DNS:*.google.si, DNS:*.google.sk, DNS:*.google.sm, DNS:*.google.sn,
DNS:*.google.so, DNS:*.google.sr, DNS:*.google.st, DNS:*.google.td, DNS:*.google.tg,
DNS:*.google.tk, DNS:*.google.tl, DNS:*.google.tm, DNS:*.google.tn, DNS:*.google.to,
DNS:*.google.tt, DNS:*.google.us, DNS:*.google.uz, DNS:*.google.vg, DNS:*.google.vu,
DNS:*.google.ws, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com,
DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.jp.doubleclick.net, DNS:*.metric.gstatic.com,
DNS:*.uk.doubleclick.net, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com,
DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:ad.mo.doubleclick.net,
DNS:android.com, DNS:doubleclick.net, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.ac,
DNS:google.ad, DNS:google.ae, DNS:google.af, DNS:google.ag, DNS:google.al, DNS:google.am,
DNS:google.as, DNS:google.at, DNS:google.az, DNS:google.ba, DNS:google.be, DNS:google.bf,
DNS:google.bg, DNS:google.bi, DNS:google.bj, DNS:google.bs, DNS:google.bt, DNS:google.by,
DNS:google.ca, DNS:google.cat, DNS:google.cc, DNS:google.cd, DNS:google.cf, DNS:google.cg,
DNS:google.ch, DNS:google.ci, DNS:google.cl, DNS:google.cm, DNS:google.cn, DNS:google.co.ao,
DNS:google.co.bw, DNS:google.co.ck, DNS:google.co.cr, DNS:google.co.hu, DNS:google.co.id,
DNS:google.co.il, DNS:google.co.im, DNS:google.co.in, DNS:google.co.je, DNS:google.co.jp,
DNS:google.co.ke, DNS:google.co.kr, DNS:google.co.ls, DNS:google.co.ma, DNS:google.co.mz,
DNS:google.co.nz, DNS:google.co.th, DNS:google.co.tz, DNS:google.co.ug, DNS:google.co.uk,
DNS:google.co.uz, DNS:google.co.ve, DNS:google.co.vi, DNS:google.co.za, DNS:google.co.zm,
DNS:google.co.zw, DNS:google.com.af, DNS:google.com.ag, DNS:google.com.ai, DNS:google.com.ar,
DNS:google.com.au, DNS:google.com.bd, DNS:google.com.bh, DNS:google.com.bn, DNS:google.com.bo,
DNS:google.com.br, DNS:google.com.by, DNS:google.com.bz, DNS:google.com.cn, DNS:google.com.co,
DNS:google.com.cu, DNS:google.com.cy, DNS:google.com.do, DNS:google.com.ec, DNS:google.com.eg,
DNS:google.com.et, DNS:google.com.fj, DNS:google.com.ge, DNS:google.com.gh, DNS:google.com.gi,
DNS:google.com.gr, DNS:google.com.gt, DNS:google.com.hk, DNS:google.com.iq, DNS:google.com.jm,
DNS:google.com.jo, DNS:google.com.kh, DNS:google.com.kw, DNS:google.com.lb, DNS:google.com.ly,
DNS:google.com.mm, DNS:google.com.mt, DNS:google.com.mx, DNS:google.com.my, DNS:google.com.na,
DNS:google.com.nf, DNS:google.com.ng, DNS:google.com.ni, DNS:google.com.np, DNS:google.com.nr,
DNS:google.com.om, DNS:google.com.pa, DNS:google.com.pe, DNS:google.com.pg, DNS:google.com.ph,
DNS:google.com.pk, DNS:google.com.pl, DNS:google.com.pr, DNS:google.com.py, DNS:google.com.qa,
DNS:google.com.ru, DNS:google.com.sa, DNS:google.com.sb, DNS:google.com.sg, DNS:google.com.sl,
DNS:google.com.sv, DNS:google.com.tj, DNS:google.com.tn, DNS:google.com.tr, DNS:google.com.tw,
DNS:google.com.ua, DNS:google.com.uy, DNS:google.com.vc, DNS:google.com.ve, DNS:google.com.vn,
DNS:google.cv, DNS:google.cz, DNS:google.de, DNS:google.dj, DNS:google.dk, DNS:google.dm,
DNS:google.dz, DNS:google.ee, DNS:google.es, DNS:google.fi, DNS:google.fm, DNS:google.fr,
DNS:google.ga, DNS:google.ge, DNS:google.gg, DNS:google.gl, DNS:google.gm, DNS:google.gp,
DNS:google.gr, DNS:google.gy, DNS:google.hk, DNS:google.hn, DNS:google.hr, DNS:google.ht,
DNS:google.hu, DNS:google.ie, DNS:google.im, DNS:google.info, DNS:google.iq, DNS:google.ir,
DNS:google.is, DNS:google.it, DNS:google.it.ao, DNS:google.je, DNS:google.jo, DNS:google.jobs,
DNS:google.jp, DNS:google.kg, DNS:google.ki, DNS:google.kz, DNS:google.la, DNS:google.li,
DNS:google.lk, DNS:google.lt, DNS:google.lu, DNS:google.lv, DNS:google.md, DNS:google.me,
DNS:google.mg, DNS:google.mk, DNS:google.ml, DNS:google.mn, DNS:google.ms, DNS:google.mu,
DNS:google.mv, DNS:google.mw, DNS:google.ne, DNS:google.ne.jp, DNS:google.net, DNS:google.ng,
DNS:google.nl, DNS:google.no, DNS:google.nr, DNS:google.nu, DNS:google.off.ai, DNS:google.pk,
DNS:google.pl, DNS:google.pn, DNS:google.ps, DNS:google.pt, DNS:google.ro, DNS:google.rs,
DNS:google.ru, DNS:google.rw, DNS:google.sc, DNS:google.se, DNS:google.sh, DNS:google.si,
DNS:google.sk, DNS:google.sm, DNS:google.sn, DNS:google.so, DNS:google.sr, DNS:google.st,
DNS:google.td, DNS:google.tg, DNS:google.tk, DNS:google.tl, DNS:google.tm, DNS:google.tn,
DNS:google.to, DNS:google.tt, DNS:google.us, DNS:google.uz, DNS:google.vg, DNS:google.vu,
DNS:google.ws, DNS:googlecommerce.com, DNS:gstatic.com, DNS:urchin.com, DNS:youtu.be,
DNS:youtube.com, DNS:youtubeeducation.com
Authority Information Access:
CA Issuers - URI:http://pki.google.com/GIAG2.crt
OCSP - URI:http://clients1.google.com/ocsp
X509v3 Subject Key Identifier:
71:D7:BB:09:DE:42:EB:E5:E0:75:3D:49:64:97:E5:9A:8D:6E:C3:8E
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.11129.2.5.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.google.com/GIAG2.crl
Signature Algorithm: sha1WithRSAEncryption
8f:f3:ec:dd:ca:45:d2:20:12:40:cd:ce:72:10:42:b5:ac:4b:
8c:45:15:15:d7:9f:fb:01:e7:84:63:c6:41:b4:93:8b:79:ab:
51:56:b9:3f:07:74:5b:c7:38:ad:f0:ee:97:53:3b:f8:2d:bc:
94:23:ca:2e:1f:0c:5b:21:82:ae:b8:0f:55:43:1a:58:8f:4d:
25:0a:80:32:a6:c9:ff:3f:43:f5:1f:39:63:9f:a6:82:20:b4:
74:d4:e1:ef:e0:f9:92:c5:63:b6:e2:61:e4:e7:4e:c7:a3:dd:
44:1b:32:e0:06:7f:84:b6:45:20:57:6a:71:07:c2:54:b0:69:
9c:a2:f6:3f:5f:52:ca:9e:ba:77:b3:0b:4f:2a:b7:14:ca:c9:
7a:6c:f3:ce:2b:aa:c1:0d:ea:33:8f:e6:39:24:83:84:dc:3c:
ac:f0:83:2e:98:9f:2f:54:de:c4:c5:b0:05:a3:e3:ca:a5:13:
9c:28:ba:6b:e9:ee:e0:10:41:4a:d7:78:cd:60:0f:79:0f:0a:
e3:76:46:ce:7a:b4:84:1b:07:91:21:83:23:17:7a:77:e8:32:
3b:14:7c:3a:a8:fb:d6:c2:bf:18:4a:ad:d7:c1:d6:30:cd:67:
b4:8f:7d:27:43:97:b8:12:9d:0b:7e:ae:de:27:83:fa:89:29:
d9:be:e4:43
Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate
Further research led me to the proxy, which is ZScaler, being the problem. As stated in this post, ZScaler intercepts SSL traffic and re-encrypts it with its own certificate which is not trusted, so Composer (or any other program accessing sites via https) will complain with the above error that it's "unable to get local issuer certificate".
So the solution must be to get the "ZScaler Intermediate Root CA" to be trusted on the server. (Which I can't do myself due to company policy, but anyone looking for a solution to the above problem probably has another hint now what to do.)
MAMP local development - cURL error 60: SSL certificate: unable to get local issuer certificate
Update the location of the cacert.pem in your openssl.cnf file to point to the latest version you got from curl.se and you should be right.
Related Topics
PHP SQL Select Where Like Search Item with Multiple Words
Call to Undefined Function Curl_Init() Error in Wamp 2.2
Cannot Call Function SQLsrv_Connect()
Is This a PHP Date() Bug, or Is There Something Wrong with My Code
How to Insert Multiple Rows Using Prepared Statements
Folder Structure of a PHP MVC Framework... am I Doing This Right
Php: Type Hinting - Difference Between 'Closure' and 'Callable'
What Is Unexpected T_Variable in PHP
PHP Merge Array(S) and Delete Double Values
Asynchronous Processing or Message Queues in PHP (Cakephp)
How to Rename Column in Laravel Using Migration
"Error 404 Not Found" in Magento Admin Login Page
Use Curl with Sni (Server Name Indication)
Decoding Numeric HTML Entities via PHP
How to Post Multiple <Input Type="Checkbox" /> as Array in PHP