ChatGPT解决这个技术问题 Extra ChatGPT

PHP - SSL certificate error: unable to get local issuer certificate

I'm running PHP Version 5.6.3 as part of XAMPP on Windows 7.

When I try to use the Mandrill API, I'm getting the following error:

Uncaught exception 'Mandrill_HttpError' with message 'API call to messages/send-template failed: SSL certificate problem: unable to get local issuer certificate'

I already tried everything I read on StackOverflow, including adding the following to the php.ini file: 

curl.cainfo = "C:\xampp\php\cacert.pem"

And ofcourse downloaded to that location the cacert.pem file from http://curl.haxx.se/docs/caextract.html

but after all that, restarted XAMPP and Apache server but still getting the same error.

I really don't know what else to try.

Can anyone advise on what else can I try?

See my answere: stackoverflow.com/a/29649024/660410
Also ensure that you have uncommented that line by removing the starting ';'. it should be curl.cainfo = "C:\xampp\php\cacert.pem" rather than ;curl.cainfo = "C:\xampp\php\cacert.pem"
Is using HTTPS over HTTP would also cause this error?

M
Mladen Janjetovic

Finally got this to work!

Download the certificate bundle. Put it somewhere. In my case, that was c:\wamp\ directory (if you are using Wamp 64 bit then it's c:\wamp64\). Enable mod_ssl in Apache and php_openssl.dll in php.ini (uncomment them by removing ; at the beginning). But be careful, my problem was that I had two php.ini files and I need to do this in both of them. One is the one you get from your WAMP taskbar icon, and another one is, in my case, in C:\wamp\bin\php\php5.5.12\ Add these lines to your cert in both php.ini files: curl.cainfo="C:/wamp/cacert.pem" openssl.cafile="C:/wamp/cacert.pem" Restart Wamp services.

In my case that was c:\xamp\ directory and its windows 7 and this solution works perfect..thanks a lot...
Newest certificate bundle can be downloaded from the original curl site curl.haxx.se/docs/caextract.html
In my case the line had a ; at the beginning and it took me hours to realize that it means it is a comment. so for noobs like me, one needs to remove the ; as well
@SurajNeupane not sure, I spent a lot of time to get this one back then, I use virtual machines, like Homestead and I don't have to deal with this. This was specific case
This is key But be careful, my problem was that I had two php.ini files and I need to do this in both of them. One is the one you get from your WAMP taskbar icon, and another one is, in my case, in C:\wamp\bin\php\php5.5.12\
m
miken32

Editor's note: disabling SSL verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues before using this as a solution.

I had the same problem in Mandrill.php file after line number 65 where it says $this->ch = curl_init();

Add following two lines: 

curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($this->ch, CURLOPT_SSL_VERIFYPEER, 0);

This solved my problem and also sent email using localhost but I suggest to NOT use it on live version live. On your live server the code should work without this code.

any things I can try to make my developers environment to work without this bypass?
for me, with just setting CURLOPT_SSL_VERIFYPEER to false worked.
While you are technically correct, disabling SSL is a bad idea. Even on localhost, it's better to properly load the certificates as mentioned in the other answer.
While you a technically correct, disabling SSL is a bad idea. Even if it's vehemently resistant to getting working any other way, better to lose your job than do things the non-proper sys-admin way. @Spinal
i'm confused about the "your server insecure", if I'm pinging an external API with this snippet it makes my client insecure?
D
Damodar Bashyal

Thanks @Mladen Janjetovic,

Your suggestion worked for me in mac with ampps installed.

Copied: http://curl.haxx.se/ca/cacert.pem

To: /Applications/AMPPS/extra/etc/openssl/certs/cacert.pem

And updated php.ini with that path and restarted Apache: 

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo="/Applications/AMPPS/extra/etc/openssl/certs/cacert.pem"
openssl.cafile="/Applications/AMPPS/extra/etc/openssl/certs/cacert.pem"

And applied same setting in windows AMPPS installation and it worked perfectly in it too. 

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo="C:/Ampps/php/extras/ssl/cacert.pem"
openssl.cafile="C:/Ampps/php/extras/ssl/cacert.pem"

: Same for wamp. 

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo="C:/wamp/bin/php/php5.6.16/extras/ssl/cacert.pem"
openssl.cafile="C:/wamp/bin/php/php5.6.16/extras/ssl/cacert.pem"

If you are looking for generating new SSL certificate using SAN for localhost, steps on this post worked for me on Centos 7 / Vagrant / Chrome Browser.

A
Arturo Alvarado

When you view the http://curl.haxx.se/docs/caextract.html page, you will notice in big letters a section called:

RSA-1024 removed

Read it, then download the version of the certificates that includes the 'RSA-1024' certificates. https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt

Those will work with Mandrill.

Disabling SSL is a bad idea.

This fixed a problem with AWS/Guzzle/cURL I have been struggling with all day. Thank you!
@voidstate I know this is old but you can also bypass it in guzzle using this ['verify' => false], for the full doc on ssl/curl/guzzle go here guzzle.readthedocs.org/en/latest/…
@John but that would dissable SSL verification which is not what you want to do, so I would not suggest doing that.
For Windows, you'll need to save the files on your server (eg. to C:\curl\curl-ca-bundle.crt), then add the following to your php.ini: [curl] curl.cainfo="C:/curl/curl-ca-bundle.crt" [openssl] openssl.cafile="C:/curl/curl-ca-bundle.crt"
I just had this after it worked perfectly for ages (even survived a server change) but I am having trouble understanding exactly what is going on here. Is it that curl or openssl was updated and had it;s ca-bundle changed to one that is incompatible with mailchimp?
H
HopeKing

The above steps, though helpful, didnt work for me on Windows 8. I don't know the co-relation, but the below steps worked. Basically a change in the cacert.pem file. Hope this helps someone.

Download cacert.pem file from here: http://curl.haxx.se/docs/caextract.html

Save the file in your PHP installation folder. (eg: If using xampp – save it in c:\Installation_Dir\xampp\php\cacert.pem).

Open your php.ini file and add these lines:

curl.cainfo=”C:\Installation_Dir\xampp\php\cacert.pem” openssl.cafile=”C:\Installation_Dir\xampp\php\cacert.pem”

Restart your Apache server and that should fix it (Simply stop and start the services as needed).

m
miken32

Note: disabling SSL verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues before using this as a solution.

I found new Solution without any required certification to call curl only add two line code. 

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
While this may work, this isn't recommended at all. You are basically saying, trust all certificates... and it also opens your application up for possible attack if you forget and your code makes it to production with this change...it really isn't much work to download the CA bundle and add point PHP to it.
that is curl concept , so whenever you are use curl there add above code
This solution can lead to man-in-the-middle attacks and it is not recommended.
W
Wild Beard

If you don't have access to php.ini, adding this code (after your $ch = curl_init(); line) works for me: 

$certificate_location = "C:\Program Files (x86)\EasyPHP-Devserver-16.1\ca-bundle.crt"; // modify this line accordingly (may need to be absolute)
curl_setopt($ch, CURLOPT_CAINFO, $certificate_location);
curl_setopt($ch, CURLOPT_CAPATH, $certificate_location);

Then, you will just need to download ca-bundle.crt and save it to location you specified in $certificate_location.

m
miken32

Editor's note: disabling SSL verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues before using this as a solution.

I tried this it works

open 

vendor\guzzlehttp\guzzle\src\Handler\CurlFactory.php

and change this 

 $conf[CURLOPT_SSL_VERIFYHOST] = 2;
 `enter code here`$conf[CURLOPT_SSL_VERIFYPEER] = true;

to this 

$conf[CURLOPT_SSL_VERIFYHOST] = 0;
$conf[CURLOPT_SSL_VERIFYPEER] = FALSE;
If there's anything dumber than editing files in your vendor directory, it's not verifying TLS host certificates.
m
miken32

Note: disabling SSL verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues before using this as a solution.

elaborating on the above answers for server deployment. 

$hostname = gethostname();
if($hostname=="mydevpc")
{
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
}

should do the trick for development environment without compromising the server when deployed.

Running different parts of your code in different environments does not sound like a good concept - it makes debugging harder
p
pankaj kumar

I was facing a problem like this in my local system but not in the live server. I also mentioned another solution on this page its before, but that was not working in localhost.so find a new solution of this, that is working in the localhost-WAMP Server.

cURL Error #:SSL certificate problem: unable to get local issuer certificate

sometimes system could not find your cacert.pem in your drive. so you can define this in your code where you are going to use CURL

Note that i am fulfilling all conditions for this like OPEN-SSL library active and other things.

check this code of CURL. 

 $curl = curl_init();
 curl_setopt_array($curl, array(
            CURLOPT_URL =>$url,
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_CUSTOMREQUEST => "GET",
            CURLOPT_RETURNTRANSFER=> true,
        ));
curl_setopt($curl, CURLOPT_CAINFO, "f:/wamp/bin/cacert.pem"); // <------ 
curl_setopt($curl, CURLOPT_CAPATH, "f:/wamp/bin/cacert.pem"); // <------
$response = json_decode(curl_exec($curl),true);
$err = curl_error($curl);
curl_close($curl);

but this solution may not work in live server. because of absolute path of cacert.pem

c
cby016

On Amazon Linux (CentOS / Red Hat etc) I did the following to fix this issue. First copy the cacert.pem downloaded from http://curl.haxx.se/ca/cacert.pem and put it in the /etc/pki/ca-trust/source/anchors/ directory. Then run the update-ca-trust command.

Here is a one liner taken from https://serverfault.com/questions/394815/how-to-update-curl-ca-bundle-on-redhat

curl https://curl.se/ca/cacert.pem -o /etc/pki/ca-trust/source/anchors/curl-cacert-updated.pem && update-ca-trust

However since curl was broken I actually used this command to download the cacert.pem file.

wget --no-check-certificate http://curl.haxx.se/ca/cacert.pem

After running the update-ca-trust command you can restart the web server service httpd restart for apache or service nginx restart for nginx.

p
pankaj

I have Very Simple Solution of this problem. You can do this without any certificate file.

Note that this solution is valid for local system not client server and Production server.

Go on Laravel Root Folder -> Vender -> guzzlehttp -> guzzle -> src

open Client.php

find $defaults Array . that look like this way .. 

$defaults = [
    'allow_redirects' => RedirectMiddleware::$defaultSettings,
    'http_errors'     => true,
    'decode_content'  => true,
    'verify'          => true,
    'cookies'         => false
];

Now main Job is to change value of verify key .. 

'verify'          => false,

So After this it will not check SSL Certificate for CURL Request... This Solution is work for me. I find this solution after many research ...

F
Facedown

I had the same issue during building my app in AppVeyor.

Download https://curl.haxx.se/ca/cacert.pem to c:\php

Enable openssl echo extension=php_openssl.dll >> c:\php\php.ini

Locate certificateecho curl.cainfo=c:\php\cacert.pem >> c:\php\php.ini

p
prasoon

I have a proper solution of this problem, lets try and understand the root cause of this issue. This issue comes when remote servers ssl cannot be verified using root certificates in your system's certificate store or remote ssl is not installed along with chain certificates. If you have a linux system with root ssh access, then in this case you can try updating your certificate store with below command:

update-ca-certificates

If still, it doesn't work then you need to add root and interim certificate of remote server in your cert store. You can download root and intermediate certs and add them in /usr/local/share/ca-certificates directory and then run command update-ca-certificates. This should do the trick. Similarly for windows you can search how to add root and intermediate cert.

The other way you can solve this problem is by asking remote server team to add ssl certificate as a bundle of domain root cert, intermediate cert and root cert.

h
harshpatel991

Another reason this error can occur is if a CA bundle has been removed from your system (and is no longer available in ca-certificates).

This is currently the situation with the GeoTrust Global CA which (among other things) is used to sign Apple's certificate for APNS used for Push Notifications.

Additional details can be found on the bug report here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596

You can manually add the GeoTrust Global CA certificate on your machine as suggested by Carlos Alberto Lopez Perez: 

wget --no-check-certificate -c https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem   \
&& mkdir /usr/local/share/ca-certificates/extra                                                                       \
&& mv GeoTrust_Global_CA.pem /usr/local/share/ca-certificates/extra/GeoTrust_Global_CA.crt                            \
&& update-ca-certificates
c
ccrez

If none of the solutions above are working for you try updating your XAMPP installation to a newer version.

I was running XAMPP with php 5.5.11, the same exact code didn't work, I upgraded to XAMPP with php 5.6.28 and the solutions above worked.

Additionally only updating PHP didn't work either seems like a combination of apache and php settings on that version of XAMPP.

Hope it helps someone.

S
S Debasish Nayak

I got the error like : 

failed loading cafile stream: `C:\xamppPhp\apache\bin\curl-ca-bundle.crt`

I am using windows machine. So I followed the below steps. 

1. I have downloaded .pem file from " https://curl.haxx.se/docs/caextract.html "

2. Then I kept the downloaded file inside  "C:/xamppPhp/apache/bin/" folder and renamed the same downloaded file to "curl-ca-bundle.crt".

3. I restarted XAMPP and cleared the cache.
4. It's done.

Hope it may help someone

B
Bhola Kr. Khawas

simply put two more line on local to solve the issue and this worked for me fine. 

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
f
fico7489

for guzzle you can try this : 

$client = new Client(env('API_HOST'));
$client->setSslVerification(false);

tested on guzzle/guzzle 3.*

is there a point answering a 3 yr old question that has an accepted answer with 200+ upvotes?
my answer is simpler than above ones, you will see I will get 10 upvotes for few months...
I highly doubt it, not seeing any mention of guzzle in OP ... so it's an unrelated answer. It's the same when someone provides a jQuery solution for a JavaScript problem. It's irrelevant.
that doesn't change the fact it's not being used here. Would you suggest a Linux solution to a Windows user because it's most used server operating system? Not everyone wants to use Guzzle, I personally have never used it once in my years of using PHP. To me, a HTTP request really isn't that difficult to need a package for it.
fully aware - it's just not needed.. just read the docs for curl and it's all self-explanatory. It's not about being smarter... it's about answering the question properly

关注公众号,不定期副业成功案例分享
Follow WeChat

Success story sharing

Want to stay one step ahead of the latest teleworks?

Subscribe Now

HuntsBot,a one-stop outsourcing task, remote job, product ideas sharing and subscription platform, which supports DingTalk, Lark, WeCom, Email and Telegram robot subscription. The platform will push outsourcing task requirements, remote work opportunities, product ideas to every subscribed user with timely, stable and reliable.

简体中文 English

Platform

Support

Contact US

Any questions or suggestions during use, you can contact us in the following ways:

Email: huntsbot@xinbeitime.com

Copyright© 2022-2023 www.huntsbot.com 浙ICP备2022000860号-4 All Rights Reserved.