Curl Error #:SSL Certificate problem: Unable to get local Issuer Certificate


Hello, I need to request an API using cURL in PHP, but the server response is "Curl Error #:SSL Certificate problem: Unable to get local Issuer Certificate".

The other certificates, which are referenced in Apache's VirtualHost, are working.

<VirtualHost *:443>
 DocumentRoot /www/blah
 ServerName www.blah.com
 SSLEngine on
 SSLCertificateFile /etc/pki/tls/ssl/blah.com.crt
 SSLCertificateKeyFile /etc/pki/tls/ssl/blah.key
 SSLCertificateChainFile /etc/pki/tls/ssl/blah.crt
</VirtualHost>

I researched this and found that I need to add some lines to php.ini and download cacert.pem. I then downloaded the certificate from https://curl.haxx.se/docs/caextract.html

And I modified php.ini by adding openssl.cafile and curl.cainfo.

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo "/etc/pki/tls/ssl/cacert.pem"
extension=php_curl.dll

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
openssl.cafile= "/etc/pki/tls/ssl/cacert.pem"

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
openssl.capath="/etc/pki/tls/ssl/cacert.pem"

I made the settings in php.ini and added the cacert.pem certificate to the project, but when I restart httpd.service the problem still persists: "Curl Error #:SSL Certificate problem: Unable to get local Issuer Certificate".

Note: if I disable SSL in the cURL call of the PHP file, the request happens successfully. But I need SSL enabled.

1 answer

The curl.cainfo "/etc/pki/tls/ssl/cacert.pem" must contain a =:

curl.cainfo="/etc/pki/tls/ssl/cacert.pem"

Another solution is using the CA_INFO:

curl_setopt($ch, CURLOPT_CAINFO, '/caminho/absoluto/para/o/cacert.pem');

You can get the CA bundle (the list of authorities) at https://curl.se/docs/caextract.html or from your own operating system.


If you're connecting to just a few sites, like APIs, and everything goes wrong, you can use CURLOPT_PINNEDPUBLICKEY and enter the hash of the website's public key, so you won't need to check the authority, as you will only trust a specific key. The problem is that the key should be updated when the external service changes it.
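
A diagnostic script for the settings discussed in this question and answer, added here as an example and not part of the original posts. It prints what PHP actually parsed from php.ini, checks the bundle, computes a CURLOPT_PINNEDPUBLICKEY value, and makes a verified request. The URL, the server.crt path and the function names countPemCerts and spkiPin are assumptions; the bundle path is the one from the question.

```php
<?php
// Added example, not from the original posts. Assumed values are marked.
$bundle = '/etc/pki/tls/ssl/cacert.pem';   // path taken from the question
$url    = 'https://api.example.com/';      // placeholder endpoint (assumption)

// 1. Which php.ini does this SAPI read, and what did it actually parse?
//    Request this script through Apache too: CLI and Apache can load different files.
printf("php.ini loaded : %s\n", php_ini_loaded_file() ?: '(none)');
printf("curl.cainfo    : %s\n", var_export(ini_get('curl.cainfo'), true));
printf("openssl.cafile : %s\n", var_export(ini_get('openssl.cafile'), true));
printf("openssl.capath : %s\n", var_export(ini_get('openssl.capath'), true));

// 2. Is the bundle a readable PEM file that contains certificates?
function countPemCerts(string $path): int
{
    if (!is_file($path) || !is_readable($path)) {
        return -1;                          // missing, a directory, or unreadable
    }
    return (int) preg_match_all('/^-----BEGIN CERTIFICATE-----/m', file_get_contents($path));
}
printf("certs in bundle: %d\n", countPemCerts($bundle));

// 3. Base64 SHA-256 of a certificate's DER-encoded public key, in the
//    "sha256//..." form that CURLOPT_PINNEDPUBLICKEY accepts.
function spkiPin(string $certPem): string
{
    $pubPem = openssl_pkey_get_details(openssl_pkey_get_public($certPem))['key'];
    $der    = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $pubPem));
    return 'sha256//' . base64_encode(hash('sha256', $der, true));
}

// 4. Request with verification left on and the bundle set explicitly.
$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_CAINFO         => $bundle,
    // Optional pin; '/path/to/server.crt' is a placeholder for the API's certificate:
    // CURLOPT_PINNEDPUBLICKEY => spkiPin(file_get_contents('/path/to/server.crt')),
]);
if (curl_exec($ch) === false) {
    printf("curl error %d: %s\n", curl_errno($ch), curl_error($ch));
} else {
    printf("HTTP %d, certificate chain verified\n", curl_getinfo($ch, CURLINFO_HTTP_CODE));
}
```

If curl.cainfo prints as an empty string or false, PHP is not passing that path to libcurl, whatever the php.ini file appears to contain.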
