What is a "cacert.pem"?

Viewed 2,135 times

In the code where an API call is executed, there is the following line:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

When executing the code the following error is returned:

SSL Certificate problem: Unable to get local Issuer Certificate - Code: 60

Soon after, the following code was added:

// runs after a first curl_exec($ch) failed with curl error 60
// (CURLE_SSL_CACERT, today CURLE_PEER_FAILED_VERIFICATION)
if (curl_errno($ch) == 60) {
    // point curl at the CA bundle shipped next to this script; DIRECTORY_SEPARATOR
    // instead of a literal '\' so the path also resolves outside Windows
    curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cacert.pem');
    $result = curl_exec($ch);
    $httpStatus = curl_getinfo($ch, CURLINFO_HTTP_CODE);
}

What is the "cacert.pem" file made of, and why is the error returned when "CURLOPT_SSL_VERIFYPEER" is set to "true"?

  • I do not know if it is the same thing or not, but by the name of the file it seems to me that it should contain the root certificate of the certifying authority (CA) that issued the security certificate of your site. Reusing from one project to another can make it invalid, as pointed out in Vinicius' response. If you purchased your security certificate on site X, look on that same site for more information, they probably provide the right file and instructions on how to use it properly (mine, Startssl, even sent me an automated e-mail with these instructions the first time I made a mistake).

  • 1

    @mgibsonbr The file has data such as "Verisign Class 3 Public Primary Certification Authority". This file is used in the Paypal SDK/PHP, however I reused it to create a second SDK/PHP for an online billing system that also uses REST+Oauth (but does not have a ready-made SDK/PHP). The project is the same, the features are different. For Paypal it worked, for the billing system no.

1 answer

A *.pem file is a container file. Generally it contains the public certificate, but it can also contain the entire chain of intermediate certificate authorities and even public and private keys, as well as the certificate authorities themselves.

The normal process of validating certificates on a web server involves only validating the server certificate, ensuring that the client is accessing the correct server (ensuring, in particular, that the information coming from the server is not repudiated).

CURLOPT_SSL_VERIFYPEER ensures that the client's certificate is also validated. In this way, we guarantee the non-repudiation of the client's information.

What is probably happening is that the intermediate certificate authorities of your certificate are wrong. This can occur for several reasons, from an erroneously specified file, to a signature format that differs from that of the end-entity certificate, or simply an invalid intermediate certificate authority (if one exists).

  • Probably the ".pem" file is wrong because it was reused from another project. How do I generate a new one?

  • If they are self-signed, just use OpenSSL. There are several tutorials on the internet covering the commands to run depending on your needs, with or without an intermediate certificate authority. If the policy is to use certificates signed by recognized authorities, you should contact the authority of your choice and pay for the issuance. In any case, it depends on your company's policies, usage, and desired level of security.
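
The following is an added example, not part of the question or of the answer above, showing with the openssl command line tool what a CA bundle such as cacert.pem has to contain for verification to succeed. It builds a throwaway root, intermediate and server certificate (every name in it, such as "Demo Root CA" and api.example.test, is made up for the demo), then verifies the server certificate against a bundle holding only the root, against the root with the intermediate supplied separately (the normal TLS case, where the server sends its intermediate during the handshake), and against a bundle holding both. The root-only check fails with "unable to get local issuer certificate", the X.509 error that curl reports as code 60. The -CAfile option of openssl verify plays the role of CURLOPT_CAINFO.

```shell
#!/bin/sh
# Added example (not the original question's or answer's code): build a
# throwaway root -> intermediate -> server chain with openssl and show which
# CA bundles let the server certificate verify.  "unable to get local issuer
# certificate" (X.509 error 20) is what curl surfaces as error 60.
# All names below (Demo Root CA, api.example.test, ...) are made up.
set -eu

WORK=$(mktemp -d)        # every key and certificate lives only in here
cd "$WORK"

# Extensions: OpenSSL refuses to use a certificate as an issuer unless it
# carries basicConstraints CA:TRUE, so both CA certificates get this file.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:api.example.test\n' > leaf.ext

# Private key plus CSR.  $1 = file prefix, $2 = common name.
mkcsr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

build_chain() {
    mkcsr root "Demo Root CA"
    mkcsr int  "Demo Intermediate CA"
    mkcsr leaf "api.example.test"
    # Self-signed root.
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
        -extfile ca.ext -out root.pem 2>/dev/null
    # Intermediate issued by the root.
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out int.pem 2>/dev/null
    # Server certificate issued by the intermediate (what the API presents).
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Subject and issuer of every certificate in a PEM bundle: answers
# "what is in this cacert.pem?" for a file reused from another project.
list_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}
count_certs() { list_bundle "$1" | grep -c '^subject'; }

# Verify leaf.pem with nothing but the bundle, as curl does through
# CURLOPT_CAINFO when the server sends only its own certificate.
verify_leaf() { openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1; }

# Same, with the intermediate supplied separately: this models a server
# that sends its intermediate in the TLS handshake.
verify_leaf_with_sent_chain() {
    openssl verify -CAfile "$1" -untrusted int.pem leaf.pem >/dev/null 2>&1
}

# True when verification against bundle $1 fails because an issuer is missing.
fails_missing_issuer() {
    out=$(openssl verify -CAfile "$1" leaf.pem 2>&1 || true)
    case "$out" in
        *"unable to get local issuer certificate"*) return 0 ;;
        *) return 1 ;;
    esac
}

build_chain
cp root.pem root-only.pem              # bundle that lacks the intermediate
cat root.pem int.pem > cacert.pem      # bundle with the whole issuing chain

echo "== contents of cacert.pem =="; list_bundle cacert.pem
echo "== root only, server sends just its certificate =="
openssl verify -CAfile root-only.pem leaf.pem 2>&1 || true
echo "== root only, server also sends the intermediate =="
openssl verify -CAfile root-only.pem -untrusted int.pem leaf.pem
echo "== root plus intermediate in the bundle =="
openssl verify -CAfile cacert.pem leaf.pem
```

Run it as sh demo.sh; it needs only the openssl binary and writes into a temporary directory. list_bundle is the quick way to see which authorities a reused cacert.pem actually holds; compare that against the issuer shown by openssl s_client -connect host:443 -showcerts for the API being called, which also reveals whether that server sends its intermediate at all.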
