Home » Php » Curl error 60, SSL certificate prðblem: self signed certificate in certificate chain

Curl error 60, SSL certificate prðblem: self signed certificate in certificate chain

Posted by: admin November 26, 2017 Leave a comment

Questions:

I try to send curl request with my correct APP_ID, APP_SECRET etc. to the

  https://oauth.vk.com/access_token?client_id=APP_ID&client_secret=APP_SECRET&code=7a6fa4dff77a228eeda56603b8f53806c883f011c40b72630bb50df056f6479e52a&redirect_uri=REDIRECT_URI 

I need to get access_token from it, but get a FALSE and curl_error() print next message otherwise:

60: SSL certificate problem: self signed certificate in certificate chain

My code is:

    // create curl resource
    $ch = curl_init();

    // set url
    curl_setopt($ch, CURLOPT_URL, $url);
    //return the transfer as a string
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    // $output contains the output string
    $output = curl_exec($ch);
    if ( ! $output) {
        print curl_errno($ch) .': '. curl_error($ch);
    }

    // close curl resource to free up system resources
    curl_close($ch);

    return $output;

When I move manually to the link above, I get access_token well. Why it doesn’t work with curl? Help, please.

Answers:

The accepted answer should not be accepted. The question is “Why doesn’t it work with cURL”, and as correctly pointed out by Martijn Hols, it is dangerous.

The error is probably caused by not having an up-to-date bundle of CA root certificates. This is typically a text file with a bunch of cryptographic signatures that curl uses to verify a host’s SSL certificate.

You need to make sure that your installation of PHP has one of these files, and that it’s up to date (otherwise download one here: http://curl.haxx.se/docs/caextract.html).

Then set in php.ini:

curl.cainfo = <absolute_path_to> cacert.pem

If you are setting it at runtime, use:

curl_setopt ($ch, CURLOPT_CAINFO, dirname(__FILE__)."/cacert.pem");

Questions:
Answers:

This workaround is dangerous and not recommended:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

It’s not a good idea to disable SSL peer verification. Doing so might expose your requests to MITM attackers.

In fact, you just need an up-to-date CA root certificate bundle. Installing an updated one is as easy as:

  1. Downloading up-to-date cacert.pem file from cURL website and
  2. Setting a path to it in your php.ini file, e.g. on Windows:

    curl.cainfo=c:\php\cacert.pem

That’s it!

Stay safe and secure.

Questions:
Answers:

Since the protocol is https, For the development mode you can set this curl option to avoid ssl verification errors as a quick solution.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

But for your production environment, do not deploy with this easy fix. It will cause you a security issue as the data transfer will be transparent among the network layers. See the section proper fix from the following url:

http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/

Questions:
Answers:

HEY GUYS: VERY IMPORTANT! This issue drove me crazy for a couple days and I couldn’t figure out what was going on with my curl & openssl installations. I finally figured out that it was my INTERMEDIATE certificate (in my case, GoDaddy) which was out of date. I went back to my godaddy SSL admin panel, downloaded the new intermediate certificate, and the issue disappeared.

I’m sure this is the issue for some of you.

Apparently, GoDaddy had changed their intermediate certificate at some point, due to scurity issues, as they now display this warning:

“Please be sure to use the new SHA-2 intermediate certificates included in your downloaded bundle.”

Hope this helps some of you, because I was going nuts and this cleaned up the issue on ALL my servers…

Questions:
Answers:

If the SSL certificates are not properly installed in your system, you may get this error:

cURL error 60: SSL certificate problem: unable to get local issuer
certificate.

You can solve this issue as follows:

Download a file with the updated list of certificates from https://curl.haxx.se/ca/cacert.pem

Move the downloaded cacert.pem file to some safe location in your system

Update your php.ini file and configure the path to that file:

Questions:
Answers:

Do not use this workaround in production! Use only for development purposes

I found an answer, you need to disable SSL verifying:

// create curl resource
$ch = curl_init();

// set url
curl_setopt($ch, CURLOPT_URL, $url);
//return the transfer as a string
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

// $output contains the output string
$output = curl_exec($ch);
if ( ! $output) {
    print curl_errno($ch) .': '. curl_error($ch);
}

// close curl resource to free up system resources
curl_close($ch);

return $output;

and it’s works well! Thanks all 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *