1

I've installed a fresh new copy of Xampp 1.8.3 for windows, which comes with cURL enabled. The test site I'm trying to connect to is https://www.mozilla.org/en-US/. Here is my code:

<?php

// Set the URL to visit
$url = "https://www.mozilla.org/en-US/";

// Set .pem file to use
$certFile = dirname(__FILE__) . '\www.mozilla.org.crt';

// In this example we are referring to a page that handles xml
$headers = array( "Content-Type: text/xml",);

// Initialise Curl
$curl = curl_init($url);
if ($curl === false)
    throw new Exception(' cURL init failed');

// Set up to view correct page type
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);

// Turn on SSL certificate verfication
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($curl, CURLOPT_CAPATH, $certFile);

// Tell the curl instance to talk to the server using HTTP POST
curl_setopt($curl, CURLOPT_POST, 1);

// 1 second for a connection timeout with curl
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5);

// Try using this instead of the php set_time_limit function call
curl_setopt($curl, CURLOPT_TIMEOUT, 60);

// Causes curl to return the result on success which should help us avoid using the writeback option
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

echo "Connecting to " . $url . "<br/>";
echo "Using " . $certFile . "<br/>";
echo "<br/>";

if(curl_exec($curl) == false)
    echo ("Error: " . curl_errno($curl) . ", " . curl_error($curl) . "<br/>");
else
    echo "Success!" . "<br/>";

?>

Here is the .PEM file that I extracted from the site's certificate using FireFox 24:

-----BEGIN CERTIFICATE-----
MIIFfjCCBGagAwIBAgICKTgwDQYJKoZIhvcNAQEFBQAwgYUxCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxHZW9UcnVzdCBJbmMxMTAvBgNVBAsTKFNlZSB3d3cuZ2VvdHJ1
c3QuY29tL3Jlc291cmNlcy9jcHMgKGMpMDYxLDAqBgNVBAMTI0dlb1RydXN0IEV4
dGVuZGVkIFZhbGlkYXRpb24gU1NMIENBMB4XDTExMTIxNTIwMzU0N1oXDTEzMTIx
NjIxMjMwOFowge0xHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYL
KwYBBAGCNzwCAQMTAlVTMRswGQYLKwYBBAGCNzwCAQITCkNhbGlmb3JuaWExETAP
BgNVBAUTCEMyNTQzNDM2MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEbMBkGA1UEChMSTW96aWxsYSBGb3Vu
ZGF0aW9uMRYwFAYDVQQLEw1JVCBPcGVyYXRpb25zMRgwFgYDVQQDEw93d3cubW96
aWxsYS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeOh6yffa6
EUJiq7B3gmqMopyskeIquGSmuz5lpS3ajoUezV24W/xnKHSgn87C0KBzUSjRY46I
x9lHdgfDlptNv1Zt+BoRwVHuZt0IZnGYZeStg05qGY5fsznpDIfyJAWXtOaWmju7
2a1Mpvultu4AkoxD1etPZZgY/FaUSftmpYvpCaHFjL+mLdF88NvUG6OpX4/L/uTv
05OOPcjbLHvL3tw1CerOzqF6BDbB8qOh0DXAN/CF4/OS8LdLWXW2VPDXv+fMq4aw
eCV+nDVn6V4sZH5rplztPXMQdZZoxSMESctd1lpFarXpd7uJ8kzrmMz9D3dIzkhL
/lA9B6Dng/8BAgMBAAGjggGMMIIBiDAfBgNVHSMEGDAWgBQoxOuP8V95kKMrVcNW
Tn1rU3IsGDBuBggrBgEFBQcBAQRiMGAwKgYIKwYBBQUHMAGGHmh0dHA6Ly9FVlNT
TC1vY3NwLmdlb3RydXN0LmNvbTAyBggrBgEFBQcwAoYmaHR0cDovL0VWU1NMLWFp
YS5nZW90cnVzdC5jb20vZXZjYS5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAnBgNVHREEIDAegg93d3cubW96aWxsYS5v
cmeCC21vemlsbGEub3JnMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9FVlNTTC1j
cmwuZ2VvdHJ1c3QuY29tL2NybHMvZ3RleHR2YWxjYS5jcmwwDAYDVR0TAQH/BAIw
ADBLBgNVHSAERDBCMEAGCSsGAQQB8CIBBjAzMDEGCCsGAQUFBwIBFiVodHRwOi8v
d3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBBQUAA4IB
AQDBO3AEZKza01zLPQiq3wzRXClKwW/u6D1Fznv7v7hU97luVcbkY/kNAiMerqPk
hTfhtnLYIuu9ZFapv2vVdRuzY/hGc3Rieek7f/T8d0tojfjdGgXwwg9M5qaDe35a
0hbsGR1Z1DdWtuGeKPuP6dzDw2zvfcOEf0l14M/ECS2sRU3MX42Rm6BK4xH1cjac
KFz+Ngwe4CivEvU4R0+MjPvmTePTyjazU+rzz5fA1JRQ7CCE00+tAAqAIAzHINlH
maKUEkR+OwUDEhKc+cQUq+EBeS3ILlufJWak1HFkxRAJAnw9za1ubG+y9V7MVheL
rc60KdNJLKwH5EQ0tZSx71jt
-----END CERTIFICATE-----

I had a remote friend try the code with the .pem file from his machine and it worked for him. Is there something I'm missing about my runtime environment that's preventing this? Thanks.

Matt
  • 13
  • 1
  • 1
  • 4
  • Please find the answer here. This is working solution http://stackoverflow.com/a/32095378/268598 – Umanda Mar 14 '16 at 10:51

3 Answers3

11

Try to use the latest "Certificate data from Mozilla" bundle.

http://curl.haxx.se/ca/cacert.pem

Seems like it has most of the common CAs included.

Set in your php.ini

curl.cainfo=<path-to>cacert.pem

And restart XAMPP / Apache Module.

Double check with

phpinfo();

That your curl.cainfo is set correctly.

kaffeeguru
  • 111
  • 1
  • 6
0

I am leaving this answer here for users like me who use hosting from GoDaddy. Here is the scenario

  1. Hosting of website is by Google Compute Engine (GCE)
  2. Certificate is issued by GoDaddy

Whenever I would try and invoke a CURL from an external server to the application on GCE, I would get the error - Unable to get Local Issuer Certificate

How I solved this is by using the following code to invoke my cURL with the use of certificate bundle provided by GoDaddy. Essentially, most bundles available on the net dont have the GoDaddy Certificate Authority and hence the error. If you use the certificate bundle provided by GoDaddy then you dont get the error.

If you are looking for the GoDaddy certificate bundle, it is available in your GoDaddy account under SSL/TSL section

$ch = curl_init("https://my.secure.website");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/gd_bundle-g2-g1.crt");
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
ChicagoSky
  • 1,290
  • 3
  • 22
  • 50
0

(XAMP) Also make sure your cert/pem file is updated.

To fix the SSL certificate error message “SSL certificate error: unable to get local issuer certificate” try this:

Download: http://curl.haxx.se/ca/cacert.pem

Copy the file cacert.pem to C:\xampp\php\extras\ssl
To check your path open c:\xampp\php\php.ini and Search for the [curl] section

Miguel
  • 3,349
  • 2
  • 32
  • 28