CURL Error 60 with new certificate

Have been trying to get new certificate to work with PayPal API.  They are upgrading their security to G5 effective 10/13/2015.  This upgrade should be a no-brainer.  Copy the new certificate to the same location and change the name in the curl function. You'd think.

They have provided numerous different .pem/.crt files.  All result in CURL Error 60 - SSL certificate problem: unable to get local issuer certificate.

I have been told that this could be a result of running PHP on a Windows Server (2012).  My host says that the server has a G5 certificate but he doesn't think that it will be used because of running PHP.  I know squat about certificates, just how to point the code to the one being used.  Is a certificate supposed to be somehow "registered" with PHP?

I need help badly on this one.  Time is running out and we will be shut down if we can't get it working.  PayPal keeps saying the problem is on our end, host says it's not the server.  The old cert works (it's long expired, incidentally) but will not work after the 12th, as proven during PP's ghost testing.

I've verified that the cert is in the correct location (CURL error 77 if it's not) and tried all different path designators and different locations.  Went back to what was working with the old cert.  My CURL functions are below and I've attached copies of the currently working cert and the most recent new one.  (.txt extension added)  Also attaching screen shot of the cURL settings from PHP Info.

Can anyone help?


Windows Server 2012
PHP 5.3.19

function hashcall($nvpStr)
{
      //setting the curl parameters.
      $ch = curl_init();
      curl_setopt($ch, CURLOPT_URL, "");
      curl_setopt($ch, CURLOPT_CAINFO, "cert/verisignroot.crt");                      // CURL error 60
      //      curl_setopt($ch, CURLOPT_CAINFO, "cert/api_cert_chain.crt");           // old code that works
      curl_setopt($ch, CURLOPT_VERBOSE, 1);

      //server and peer verification stay enabled (TrustManager Concept).
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
      //2 = the certificate name must match the host; TRUE (1) does not enforce the match
      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
      curl_setopt($ch, CURLOPT_POST, 1);
      curl_setopt($ch, CURLOPT_POSTFIELDS, $nvpStr);

      //getting response from server
      $response = curl_exec($ch);
      if (curl_errno($ch)) {
            $nvpResArray = array('RESULT' => 9999, 'CURL_ERRNO' => curl_errno($ch), 'CURL_ERROR' => curl_error($ch));
      } else {
            //converting NVPResponse to an Associative Array
            $nvpResArray = deformatNVP($response);
      }
      //closing the curl
      curl_close($ch);
      return $nvpResArray;
}
David Johnson, CD, MVP (Owner) commented:
1. You are way behind in your OpenSSL version; you need to update it. OpenSSL 1.0.2d is the current version.
Dave Baldwin (Fixer of Problems) commented:
The problem is the Cipher Suites that come with 'curl'.  The ones with PHP 5.3 are out of date.  You have to upgrade to PHP 5.5 at least for them to be current enough.  PHP 5.5 and 5.6 use 'curl' 7.36.0.  And upgrading OpenSSL outside of PHP will have no effect because it uses its own internal copy of it.  PHP 5.5 uses OpenSSL 1.0.1g and PHP 5.6 uses OpenSSL 1.0.1i.
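
An added diagnostic, not code posted by anyone in this thread: cURL error 60 with "unable to get local issuer certificate" means libcurl could not build a chain from the server's certificate to a certificate in the CURLOPT_CAINFO file, so this script prints the libcurl/OpenSSL build PHP is using and lists what that file actually contains. The function names are hypothetical, and the default path is the one from the question.

```php
<?php
// Added example: assumes ext/curl and ext/openssl are loaded; avoids
// syntax newer than PHP 5.3 so it runs on the version in the question.

// Flatten a parsed distinguished name (values may be arrays) to one line.
function dn_to_string($dn)
{
    $parts = array();
    foreach ($dn as $k => $v) {
        $parts[] = $k . '=' . (is_array($v) ? implode('+', $v) : $v);
    }
    return implode(', ', $parts);
}

// One summary row per certificate in a PEM bundle; false if unreadable.
function describe_ca_bundle($path)
{
    $pem = @file_get_contents($path);
    if ($pem === false) {
        return false;
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    $rows = array();
    foreach ($m[0] as $block) {
        $c = openssl_x509_parse($block);
        if ($c === false) {
            $rows[] = array('error' => 'block is not a parsable X.509 certificate');
            continue;
        }
        $rows[] = array(
            'subject'     => dn_to_string($c['subject']),
            'issuer'      => dn_to_string($c['issuer']),
            'self_issued' => ($c['subject'] == $c['issuer']),  // root candidate
            'expired'     => ($c['validTo_time_t'] < time()),
        );
    }
    return $rows;
}

$v = curl_version();
echo 'libcurl ', $v['version'], ' / ', $v['ssl_version'], ' (PHP ', PHP_VERSION, ")\n";
$path = isset($argv[1]) ? $argv[1] : 'cert/verisignroot.crt';
$rows = describe_ca_bundle($path);
if ($rows === false) { echo "Cannot read $path\n"; exit(1); }
if (!$rows) { echo "No PEM certificate blocks in $path\n"; exit(1); }
foreach ($rows as $i => $r) {
    if (isset($r['error'])) { echo "[$i] ", $r['error'], "\n"; continue; }
    echo "[$i] subject: ", $r['subject'], "\n    issuer:  ", $r['issuer'], "\n    ",
         $r['self_issued'] ? 'self-issued (root)' : 'intermediate or leaf',
         $r['expired'] ? ', EXPIRED' : '', "\n";
}
```

Comparing the issuer names listed here with the chain the server presents (visible in the CURLOPT_VERBOSE output) shows whether the file holds the root that the chain ends in.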

springthorpe (Software) Author commented:
David & Dave,
Thanks for the info!!  Will upgrade this weekend, then post back results.
springthorpe (Software) Author commented:
Sorry for the delay in posting the solution!
Dave Baldwin (Fixer of Problems) commented:
No problem, thanks for the points.