24

I was using cURL on my localhost for the longest time and all of a sudden I noticed it no longer works unless I explicitly set the option, CURLOPT_SSL_VERIFYPEER=FALSE.

I have no idea how/when this changed but I'm using NGINX and PHP and I can verify that this is not a specific issue to a specific requested host. I'm getting blank responses from https://site1.com and https://different-site.com.

Anyone have any thoughts?

tim peterson
  • 1
    I love this [hidden gem](http://stackoverflow.com/a/12293898/), it explains how you can use certificates to verify hosts. – Dave Chen Sep 24 '13 at 02:35
  • http://unitstep.net/blog/2009/05/05/using-curl-in-php-to-access-https-ssltls-protected-sites/ – Young Sep 24 '13 at 02:40
  • @DaveChen and @Young thanks but do you have a sense as to why I didn't need to supply a certificate before, but do now? – tim peterson Sep 24 '13 at 02:47
  • From [another answer](http://stackoverflow.com/a/6400746/) on the [same question](http://stackoverflow.com/q/6400300/). cURL used to bundle CA certs, but now you must download them manually and pass them to cURL or give a [default value](http://www.php.net/manual/en/curl.configuration.php#ini.curl.cainfo) within PHP. – Dave Chen Sep 24 '13 at 02:54
  • Those answers are 2 years old, this problem has arisen for me in the last month. – tim peterson Sep 24 '13 at 02:56
  • I would ask if any changes were made to the environment, i.e., *.ini files being reset or having files moved (CA certs missing). Other than that, I don't think cURL would work while having `CURLOPT_SSL_VERIFYPEER => 1` and no certificates to verify the peer with. Could you provide a little more information on your host? Is it shared, homeroot, vps, dedicated? – Dave Chen Sep 24 '13 at 03:01
  • I'm the sole user of the host, it's just my Mac laptop, so I likely screwed something up. I must have installed a certificate at some point but would have no idea when I did and more troubling why it was removed. I'm still a newer developer so trying to slowly wean away from copy/paste things I learn about on the internet. – tim peterson Sep 24 '13 at 03:16

3 Answers

43

Thanks to Dave Chen's suggestions, I realized I must have misplaced my certificate. The problem is solved by this certificate which is provided by the cURL creator (extracted from Mozilla): https://curl.haxx.se/ca/cacert.pem

So after downloading this cacert.pem file into your project, in PHP you can now do this:

```php
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/cacert.pem");
```

Alternatively, this can be set globally by adding the following to your php.ini:

```ini
curl.cainfo=/path/to/cacert.pem
```

DecimalTurn
tim peterson
  • 9
    I'm not a security expert, but can a .pem file downloaded from an insecure source (http:) be trusted? – Gihan Sep 08 '15 at 11:26
  • Where can I place this curl_setopt syntax if I'm using CodeIgniter? – Hanthony Tagam Dec 17 '17 at 03:00
  • About the file name: some programs will expect this file to be named `ca-bundle.crt` (in the correct path). More details [here](https://curl.se/docs/caextract.html) – Alliswell Oct 01 '21 at 09:05

5

If you are using WampServer, notice this:

You must put the absolute path in CURLOPT_CAINFO, for example:

```php
curl_setopt ($ch, CURLOPT_CAINFO, 'C:\wamp\www\your-project\cacert.pem');
```

Don't use a relative path: `curl_setopt ($ch, CURLOPT_CAINFO, 'cacert.pem')`, because it doesn't work.

LuisEduardox
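
The two answers above (a CA bundle passed through CURLOPT_CAINFO, given as an absolute path) combined into one script, as an added example that is not code from either answer. The helper names `resolveCaBundle()` and `fetchVerified()` are hypothetical; the script also surfaces the cURL error, so a failed verification does not show up as a blank response.

```php
<?php
// Added example. resolveCaBundle() and fetchVerified() are hypothetical helper names.

function resolveCaBundle(string $path): string
{
    // realpath() converts a relative path to an absolute one and
    // returns false when the file does not exist.
    $abs = realpath($path);
    if ($abs === false || !is_file($abs) || !is_readable($abs)) {
        throw new RuntimeException("CA bundle not found or unreadable: $path");
    }
    // A usable bundle contains at least one PEM certificate block.
    $pem = file_get_contents($abs);
    if ($pem === false || substr_count($pem, '-----BEGIN CERTIFICATE-----') === 0) {
        throw new RuntimeException("No PEM certificates found in: $abs");
    }
    return $abs;
}

function fetchVerified(string $url, string $caBundle): string
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException("Could not initialise cURL for: $url");
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,    // require the certificate name to match the host
        CURLOPT_CAINFO         => resolveCaBundle($caBundle),
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Without this check a TLS failure is only visible as an empty response.
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}

// Usage: php fetch.php https://example.com /path/to/cacert.pem
if (PHP_SAPI === 'cli' && isset($argv) && count($argv) === 3) {
    try {
        echo strlen(fetchVerified($argv[1], $argv[2])), " bytes received\n";
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```
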
1

The value for CURLOPT_SSL_VERIFYPEER by default is TRUE as of cURL 7.10.

Hence you may need to explicitly set it to FALSE to prevent CURL from verifying the certificate.

dresh