Write For Us
php
ssl
curl
openssl
ca

HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK

Viewed   143 times

I am using XAMPP for development. Recently I upgraded my installation of xampp from an old version to 1.7.3.

Now when I curl HTTPS enabled sites I get the following exception

Fatal error: Uncaught exception 'RequestCore_Exception' with message 'cURL resource: Resource id #55; cURL error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (60)'

Everyone suggest using some specific curl options from PHP code to fix this problem. I think this shouldn't be the way. Because I didn't have any problem with my old version of XAMPP and happened only after installing the new version.

I need help to figure out what settings change in my PHP installation, Apache etc can fix this problem.

 Answers

4

curl used to include a list of accepted certificate authorities (CAs) but no longer bundles ANY CA certs since 7.18.1 and onwards. So by default it'll reject all TLS/SSL certificates as unverifiable.

You'll have to get your CA's root certificate and point curl at it. More details at curl's details on TLS/SSL certificates verification.

Tuesday, December 27, 2022
 
skipper-75c4eb056e47
 
skipper-75c4eb056e47
2 
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);

Change that to 1. Also, set this after CURLOPT_SSL_VERIFYPEER:

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
Thursday, September 8, 2022
 
promo
 
promo
1

Finally got this to work!

  1. Download the certificate bundle.

  2. Put it somewhere. In my case, that was c:wamp directory (if you are using Wamp 64 bit then it's c:wamp64).

  3. Enable mod_ssl in Apache and php_openssl.dll in php.ini (uncomment them by removing ; at the beginning). But be careful, my problem was that I had two php.ini files and I need to do this in both of them. One is the one you get from your WAMP taskbar icon, and another one is, in my case, in C:wampbinphpphp5.5.12

  4. Add these lines to your cert in both php.ini files:

    curl.cainfo="C:/wamp/cacert.pem"
openssl.cafile="C:/wamp/cacert.pem"

  5. Restart Wamp services.

Thursday, November 3, 2022
 
notso
 
notso
1

As already pointed out in a comment: the site has a bad SSL implementation as can be seen from the SSLLabs report. The main part of this report regarding your problem is:

This server's certificate chain is incomplete. Grade capped to B.

This means that the server is not sending the full certificate chain as is needed to verify the certificate. This means you need to add the missing certificates yourself when validating. For this you need to include the PEM for the missing chain certificate C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA and also for the root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA info a file my_trust_store.pem and then you can call:

requests.get("https://...", verify='my_trust_store.pem')

... but I've tried downloading the site's certificate and pointing to that file using the verify option

This will not work with normal leaf certificates. Since the SSL stack of Python is based on OpenSSL and OpenSSL expects only trusted certificate authorities in the trust store (i.e. given with verify) and a server certificate is not CA certificate it will not help to add it to the trust store.

Thursday, November 24, 2022
 
luchaos
 
luchaos
1

The problem here is that you can't validate a certificate with itself (that is what you are trying to do) unless it is self-signed, and has a CA bit set. You should add a real CA certificate of the web site to the cacerts.txt file. Another alternative (something like "connect anyway" in a web browser) is to drop the cert_reqs to ssl.CERT_NONE after you get such exception, and understand that there could possibly be a man in the middle. This is not the ssl module issue, this is how SSL/X.509 work.

Wednesday, September 7, 2022
 
jonathan_evans
 
jonathan_evans
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
php
ssl
curl
openssl
ca
 
Share
Related Answers
335
 How to verify a method is called two times with mockito verify()
202
 Python requests SSL error - certificate verify failed
101
 NGINX Redirect http to https and non-www to ww
312
 How to ignore 'Certificate Verify Failed' error in perl?
44
 Short way to link to http from https (and vice versa) using relative links
104
 HTTPS and HTTP CORS
74
 How to redirect http to https and www to non-www via web.config?
56
 Force HTTPS and WWW for domain and only HTTPS for subdomains HTACESS
177
 Python mechanize doesn't work when HTTPS and Proxy Authentication required
751
 Using HTTPS and httpWebRequest
Top Answers Related To

php,ssl,curl,openssl,ca

301
 cURL error 60: SSL certificate: unable to get local issuer certificate
149
 How to get SSL certificate info with CURL in PHP?
101
 reading SSL page with CURL (php)
251
 curl errno 35 (Unknown SSL protocol error in connection to [secure site]:443)
66
 Amazon MarketplaceWebServiceOrders requests suddenly failing, PHP curl giving SSL CA cert error?
109
 php ssl curl : object moved error
535
 PHP curl error: “Unknown SSL protocol error in connection to…”
106
 Certificate CA bundle file: PEM - PHP/cURL - Local install..?
194
 Passing .PEM and .KEY as string in Curl using PHP
380
 PHP curl FTPes w/ explicit TLS/SSL
Write For Us · Blog · Privacy · Faqs · Terms of Use · Contact us ·