Robert Saylor asked on Experts Exchange:
curl SSL certificate unable to get local issuer certificate

I am on a Linux server and getting the error "unable to get local issuer certificate" from curl. It is a PHP app that is giving the error. Can somebody walk me through updating the SSL for curl?
ASKER CERTIFIED SOLUTION: gr8gonzo
This solution is only available to members of Experts Exchange.

ASKER
Thanks, I downloaded that and placed this in my php.ini file. I don't have the ability to set the cert in the curl command. It is a software package we are using.

php.ini:
curl.cainfo=/root/ssl/cacert.cer

I no longer get the original error. I now get this:

error setting certificate verify locations: CAfile: /root/ssl/cacert.cer CApath: none
What happens if you run this command on the shell:
cat /root/ssl/cacert.cer | openssl md5

What's the resulting hash and the file size of /root/ssl/cacert.cer?
Oh, and what version of PHP are you using?
php 5.6.19

(stdin)= 38cd779c9429ab6e2e5ae3437b763238
The issue might be the app. I placed it in a test file and I don't get the error.

<?php
        // create curl resource
        $ch = curl_init();

        // set url
        curl_setopt($ch, CURLOPT_URL, "https://www.google.com");

        // return the transfer as a string
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

        // $output contains the output string, or false if the transfer failed
        $output = curl_exec($ch);

        if ($output === false) {
            // surface the transport error, e.g. "SSL certificate problem: ..."
            print "curl error: " . curl_error($ch) . "\n";
        }

        // close curl resource to free up system resources
        curl_close($ch);

        print "$output";
?>

Would you agree that my test file validates PHP curl is working over SSL?
Okay, that's the right hash, then, and you're on a version that should accept that path. I'm wondering if it's a permissions issue due to the file's location. Just for testing purposes, try this:

cp /root/ssl/cacert.cer /tmp/cacert.cer
chmod 444 /tmp/cacert.cer

Then update your php.ini file to use /tmp/cacert.cer as your location for curl.cainfo, and run your test again.
Very possibly. I'd recommend you also enable verbose output:
curl_setopt($ch, CURLOPT_VERBOSE, true);

In the request output, you should see where it's pulling the CA info from, so you can see if it's using a different source or the expected one.
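The two messages in this thread are different failures: "error setting certificate verify locations" means curl could not load the file named by curl.cainfo at all, while "unable to get local issuer certificate" means the file loaded but the server's chain could not be linked to anything in it. The script below is an added example, not code from the thread or from the vendor's app, that runs the load-time checks before anyone edits php.ini: does the file exist, is it readable by the current user, is it PEM rather than DER (curl's CAfile must be PEM), and how many certificates it holds. Note that the CLI tests in this thread run as root (the shell prompt is root@server), while a PHP app under a web server normally runs as an unprivileged account, so a file under /root can be readable in the CLI test and unreadable for the app; the `readable_as` helper repeats the check as that account. The account name `nobody` and the file paths are assumptions, and the bundle the test builds is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a curl CA bundle file.
# check_cafile exit codes:
#   0 usable PEM bundle   1 missing   2 not readable   3 DER, not PEM   4 no certificates
set -u

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none or unreadable)
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# check_cafile FILE: the checks curl performs implicitly when it loads CURLOPT_CAINFO
check_cafile() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "not readable as $(id -un): $f ($(ls -ld "$f"))"
        return 2
    fi
    # DER-encoded certificates begin with an ASN.1 SEQUENCE tag (byte 0x30);
    # curl's CAfile must be PEM text, so a DER file is rejected at load time.
    first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo "DER, not PEM: $f (convert with: openssl x509 -inform DER -in $f -out bundle.pem)"
        return 3
    fi
    n=$(count_certs "$f")
    if [ "$n" -eq 0 ]; then
        echo "no PEM certificates in $f"
        return 4
    fi
    echo "$n certificate(s) in $f, readable as $(id -un)"
    return 0
}

# readable_as USER FILE: repeat the readability check as the account the web server,
# and therefore the PHP app, runs under. Needs root; USER is an assumption (adjust it).
readable_as() {
    su -s /bin/sh "$1" -c "test -r '$2'" 2>/dev/null
}

# Usage when run directly:  sh check_cafile.sh /root/ssl/cacert.cer
if [ "${1:-}" ]; then
    check_cafile "$1"
    rc=$?
    if [ "$rc" -eq 0 ] && [ "$(id -u)" -eq 0 ]; then
        if readable_as nobody "$1"; then
            echo "readable as nobody"
        else
            echo "NOT readable as nobody: a web-server PHP process will fail where root's CLI test works"
        fi
    fi
    exit "$rc"
fi
```

A bundle that passes these checks can still fail with "unable to get local issuer certificate"; that is a chain problem, not a load problem, and needs the issuer of the server's certificate to be present in the bundle or sent by the server.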
It went back to the original error when I moved it to /tmp.

I get the same error in my test file now.

Here in /root/ssl:
root@server [/home/dev2/www]# php curl_test.php
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
*   Trying 2607:f8b0:4002:c06::69...
*   Trying 74.125.21.147...
* Connected to www.google.com (74.125.21.147) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /root/ssl/cacert.cer
  CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

Here in /tmp:
root@server [/home/dev2/www]# php curl_test.php
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
*   Trying 2607:f8b0:4002:c06::69...
*   Trying 74.125.21.147...
* Connected to www.google.com (74.125.21.147) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /tmp/cacert.cer
  CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
If I remove the php.ini call and just use what was originally on the server, my test works but the other one does not.


root@server [/home/dev2/www]# php curl_test.php 
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
*   Trying 2607:f8b0:4002:c03::69...
*   Trying 173.194.219.106...
* Connected to www.google.com (173.194.219.106) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*   subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*   start date: 2017-01-04 10:18:00 GMT
*   expire date: 2017-03-29 10:18:00 GMT
*   subjectAltName: www.google.com matched
*   issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*   SSL certificate verify ok.
> GET / HTTP/1.1
Host: www.google.com
Accept: */*

< HTTP/1.1 200 OK
< Date: Thu, 19 Jan 2017 19:25:05 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
* Server gws is not blacklisted
< Server: gws
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: NID=95=MQ1xy4ZPThNoDe_KXPOevBlv1qay13di_4O0peE_NkgdGHp04KUOkaAvxPDSQeNNe_5bSPrW3zGZe8H-LNZfgiqSZ7CU-lC8iwfw06xuqBKhtwgis0y8RouhAFsN7EdFWAGCVXWjkwSRs_k; expires=Fri, 21-Jul-2017 19:25:05 GMT; path=/; domain=.google.com; HttpOnly
< Alt-Svc: quic=":443"; ma=2592000; v="35,34"

I think it is a 3rd-party issue. Will let you know the outcome.
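The working verbose output above ends in "SSL certificate verify ok" because the certificate that issued the leaf (here "Google Internet Authority G2") could be linked, through the intermediates the server sends in the handshake, to a root present in the CAfile. The script below is an added example, not part of the thread and not the vendor's code: it builds a throwaway root / intermediate / leaf chain with openssl, reproduces curl's exact "unable to get local issuer certificate" condition offline by verifying the leaf against a bundle that holds only the root, and then shows the two situations in which the same leaf verifies (the server presents its intermediate, or the bundle already contains it). It also shows that a CAfile which cannot be loaded fails before any chain check, which is the shape of the "error setting certificate verify locations" message. The names "Example Test Root", "Example Test Intermediate" and "www.example.test" and the WORK directory are invented for the example; nothing generated here is a real CA.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "unable to get local issuer
# certificate" with a constructed root -> intermediate -> leaf chain, then show
# what makes the same leaf verify. Requires openssl on PATH.
set -u

WORK="${WORK:-$(mktemp -d)}"

# build_chain DIR: self-signed root, intermediate signed by it, leaf signed by the
# intermediate, plus a bundle that carries root and intermediate together.
build_chain() {
    d="$1"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Test Root
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$d/int.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$d/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/int.ext" -out "$d/int.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
    cat "$d/root.pem" "$d/int.pem" > "$d/bundle.pem"
}

# verify_leaf CAFILE [UNTRUSTED]: the check curl makes with CURLOPT_CAINFO=CAFILE.
# UNTRUSTED plays the role of the intermediate a server sends alongside its leaf.
# Prints openssl's verdict; the return status is openssl's exit status.
verify_leaf() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1
    else
        openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1
    fi
}

demo() {
    build_chain "$WORK"
    echo "# 1. bundle holds only the root, server sends no intermediate:"
    verify_leaf "$WORK/root.pem"
    echo "# 2. bundle holds only the root, server presents its intermediate:"
    verify_leaf "$WORK/root.pem" "$WORK/int.pem"
    echo "# 3. bundle already contains the intermediate:"
    verify_leaf "$WORK/bundle.pem"
    echo "# 4. CAfile that cannot be loaded (fails before any chain check):"
    verify_leaf "$WORK/does-not-exist.pem"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not on PATH; cannot build the test chain" >&2
fi
```

Case 1 prints "error 20 at 0 depth lookup: unable to get local issuer certificate", the same wording curl reports. Against a live host the equivalent check, independent of PHP, is `openssl s_client -connect host:443 -servername host -CAfile /path/to/bundle.pem`, whose "Verify return code" line reports 20 for this condition, or `curl --cacert /path/to/bundle.pem -v https://host/`.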
That's interesting... if I run the same thing on my server with the updated bundle and an HTTPS call to Google, it works out just fine - I have exactly the same bundle on my system.

# cat /tmp/cacert.cer | openssl md5

(stdin)= 38cd779c9429ab6e2e5ae3437b763238

# php curltest.php

* Rebuilt URL to: https://www.google.com/
*   Trying 216.58.216.228...
* Connected to www.google.com (216.58.216.228) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /tmp/cacert.cer
  CApath: none
* NPN, negotiated HTTP1.1
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*  start date: Jan 11 09:13:00 2017 GMT
*  expire date: Apr  5 08:56:00 2017 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*  SSL certificate verify ok.
> GET / HTTP/1.1
Host: www.google.com
Accept: */*

< HTTP/1.1 200 OK
< Date: Thu, 19 Jan 2017 20:24:07 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< Server: gws
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: NID=95=d6BK.............ZKp6iA; expires=Fri, 21-Jul-2017 20:24:07 GMT; path=/; domain=.google.com; HttpOnly
< Alt-Svc: quic=":443"; ma=2592000; v="35,34"
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
* Connection #0 to host www.google.com left intact

I'd be interested in hearing what you find out about the possible 3rd party issue.
I have a ticket open with cPanel to validate the server and one with the software vendor.
Just an update. It does not appear to be a server issue. cPanel checked it out and the server checks out. We have another version of the app on another virtual domain on the same server, and it does not get a curl issue. The vendor is slow to respond, so it is pretty clear it is a vendor issue.