
php – cURL fails with error: Couldn't understand the server certificate format

Posted by: admin July 12, 2020

Questions:

Mac OSX El Capitan, default apache install on localhost, brew installed php70. The following code works using cli (php -f test.php), but when run from apache I get the following.

SSL certificate problem: Couldn't understand the server certificate format

Using “http” URLs works fine in both. Same setup on an Ubuntu machine works fine. I had this working before doing a clean install of El Capitan and I vaguely remember something about Mac OSX and openssl for curl but can’t find the difference here.

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://api.example.com/",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "GET",
  CURLOPT_HTTPHEADER => array(
    "cache-control: no-cache"
  ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

How to & Answers:

I had the same issue and found the solution after quite a lot of searching…

I am using php56 but I see no reason why this wouldn’t also apply for php70.

Verify same issue

First check if the PHP cURL library is using the Mac OS(X) built-in version of SSL:
php -i | grep "SSL Version"

If you get SSL Version => SecureTransport then it is using the Mac OS(X) built-in version, which appears to be at the heart of the issue.

Solution

  1. In order to solve this you must install a Homebrew version of the cURL library:

    brew install curl --with-libssh2 --with-openssl
    
  2. Then re-install PHP with these two options:
    --with-homebrew-curl --with-homebrew-openssl
    (including any options you require)

    brew install php56 --with-homebrew-curl --with-homebrew-openssl (--with-apache ...)
    

    or for PHP 7.2:

    brew reinstall php72 --with-apache --with-homebrew-curl --with-homebrew-libxslt --with-homebrew-openssl --without-snmp
    

Verify

php -i | grep "SSL Version"

should give:

SSL Version => OpenSSL/1.0.2j

Note: When installing Homebrew cURL they do warn:

macOS already provides this software and installing another version in
parallel can cause all kinds of trouble.

I have not lived with this long enough to verify any present/absent issues.


Source: https://www.farces.com/wikis/naked-server/php/php-openssl/
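
The `php -i` check above only inspects the CLI binary, while the question's failure occurs under Apache, which may load a different PHP build. The script below is an added example, not part of the original answer: it reports the TLS backend of whichever PHP executes it, so it can be run once with `php -f` and once through Apache to compare. The file name `curl-backend.php` and the function names are hypothetical.

```php
<?php
// curl-backend.php (hypothetical name): added example, not from the original answer.
// Reports which TLS library this PHP's libcurl was built against, for the SAPI
// that is actually executing the script (CLI or Apache).

function classify_tls_backend(string $sslVersion): string
{
    // libcurl reports strings such as "SecureTransport" or "OpenSSL/1.0.2j",
    // the two values shown on this page.
    if (stripos($sslVersion, 'SecureTransport') !== false) {
        return 'securetransport';
    }
    if (stripos($sslVersion, 'OpenSSL') !== false) {
        return 'openssl';
    }
    return $sslVersion === '' ? 'none' : 'other';
}

function curl_tls_report(): array
{
    $v = curl_version();
    return [
        'sapi'        => php_sapi_name(),               // "cli", "apache2handler", ...
        'php_version' => PHP_VERSION,
        'php_ini'     => php_ini_loaded_file() ?: '(none)',
        'curl'        => $v['version'],
        'ssl_version' => $v['ssl_version'],
        'backend'     => classify_tls_backend($v['ssl_version']),
    ];
}

if (!extension_loaded('curl')) {
    exit("curl extension is not loaded in this PHP build\n");
}
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
foreach (curl_tls_report() as $key => $value) {
    printf("%-12s %s\n", $key, $value);
}
```

If the CLI run shows `openssl` and the Apache run shows `securetransport`, Apache is still loading the PHP build linked against the system cURL. Delete the file from the web root after checking, since it reveals version details.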

Answer:

Not finding much documentation on this error which stems from a Darwin SSL error -9808 errSSLBadCert.

You might have more luck if you compile cURL with OpenSSL rather than Darwin SSL.

Some other internet searches on this error indicate it might be having trouble reading your keychain but I’m not sure about this.