Guzzle Curl Error 60 SSL unable to get local issuer

Question

Trying to use the YouTube API v3 to get some video(s) information, using Guzzle in Symfony2 using Service Descriptors.

When I run the script, I get this:

[curl] 60: SSL certificate problem: unable to get local issuer certificate [url] https://www.googleapis.com/youtube/v3/videos?id=2xbVbCoHBgA&part=snippet&key={MY_KEY}

500 Internal Server Error - CurlException

My descriptor looks like this:

{
    "name": "YouTube",
    "baseUrl": "https://www.googleapis.com",
    "apiVersion": "v3",
    "description": "YouTube GData Graph API",
    "operations": {
        "GetVideos": {
            "httpMethod": "GET",
            "uri": "/youtube/v3/videos",
            "parameters": {
                "id": {
                    "type":"string",
                    "location":"query",
                    "required": true
                },
                "part": {
                    "location": "query",
                    "default": "snippet"
                },
                "key": {
                    "location": "query",
                    "default": "{MY KEY}",
                    "static": true
                },
                "maxResults": {
                    "location": "query",
                    "default": 50
                }
            }
        }
    }
}

This is running on a local Ubuntu 14.04 development environment with a very basic LAMP stack going on.

Any ideas as to what might be causing this?

For dev env, this answer might help you - http://stackoverflow.com/a/32095378/178163 — George Kagan, Nov 28 '16 at 20:33
The cleanest solution is the one below by Pinto (https://stackoverflow.com/a/53823135/8195190). Apparently it came a bit late so it has less upvotes at the time of writing. — Falk Tandetzky, Mar 16 '22 at 14:20

score 24 · Answer 1 · answered Sep 24 '14 at 06:10

24

It can be that it is looking for the SSL certificate of your site.

If this is the case, try to disable the SSL certification:

$client->setDefaultOption('verify', false);

answered Sep 24 '14 at 06:10

reshetech

853
7
10

39

Sure, let's just ignore the whole reason SSL certificates *exist*, and blindly trust whatever the server tells us its name is. What could go wrong? – cHao Dec 26 '14 at 11:47
9

@cHao although you are technically right, you're also wrong and I don't understand why people are down voting. Yes, trusting blindly is wrong, but sometimes you simply need to either test things out or just try out something new. – tftd Aug 19 '15 at 18:09
9

@tftd: People are downvoting because it's actually an annoyingly common thing to disable certificate checking. But it defeats the point of certificates, and leaves you vulnerable to MITM attacks, so it's not something that should be suggested without a Big Bold Warning of some kind. Otherwise some poor schmuck is going to end up doing it when they have trouble with, say, authorize.net. – cHao Aug 25 '15 at 19:51
6

I agree that this can be reckless but if you are developing something locally which uses Guzzle (i.e. building a REST client to talk to a local app) this is a very handy tip. But for the love god people DO NOT DO THIS IN PRODUCTION! – niczak Oct 20 '16 at 14:38
4

not a solution but a workaround that is lowering security standards. not recommended. – iDoc Aug 25 '20 at 06:29
Do not do this in Production. The cleanest solution is the one below by Pinto (https://stackoverflow.com/a/53823135/8195190). Apparently it came a bit late so it has less upvotes at the time of writing. – Falk Tandetzky Mar 16 '22 at 14:21

John Ballinger · Answer 2 · 2023-05-07T23:46:54.563

17

If the service you're using doesn't have a valid SSL cert, you can tell Guzzle 6+ that you want to ignore invalid or missing SSL certs. You can do this by setting 'verify' to false in your request.

$response = $client->request('GET', 'https://example.com/v1/WebHooks', 
            ['verify' => false,
            'headers' => ['Authorization' => "ApiKey $apiKey"]
        ]);

edited May 07 '23 at 23:46

answered Sep 22 '15 at 03:41

John Ballinger

7,380
5
41
51

6

Then what's the purpose of SSL certificates if you ignore requests verification? – Alaeddine Feb 19 '19 at 13:40
Do not do this in Production. The cleanest solution is the one below by Pinto (stackoverflow.com/a/53823135/8195190). Apparently it came a bit late so it has less upvotes at the time of writing. – Falk Tandetzky Mar 16 '22 at 14:22

score 14 · Answer 3 · edited Dec 17 '18 at 21:41

14

The best option is

https://github.com/composer/ca-bundle

$client = new \GuzzleHttp\Client([
    \GuzzleHttp\RequestOptions::VERIFY => \Composer\CaBundle\CaBundle::getSystemCaRootBundlePath()
]);

edited Dec 17 '18 at 21:41

Taher A. Ghaleb

5,120
5
31
44

answered Dec 17 '18 at 21:19

Thiago Roberto Gaspar Pinto

141
1
2

That is indeed the cleanest answer here. One thing that could be added is how to install the package (as described in the linked repo): ```composer require composer/ca-bundle``` – Falk Tandetzky Mar 16 '22 at 14:14

jww · Accepted Answer · 2014-07-24T13:09:45.720

[curl] 60: SSL certificate problem: unable to get local issuer certificate

Well, from the outside looking in, it looks like the server certificate is bad. It does not include the name "googleapis.com".

First, fetch the certificate with openssl s_client:

openssl s_client -connect googleapis.com:443

Then save the certificate to a file. The certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

Next, print the certificate with openssl x509 (shown below). Its missing googleapis.com.

You probably need to accept the name mismatch, and pin the server's public key. Google rotates their certificates every 30 days or so to keep CRLs small for mobile clients. That means you can't pin the certificate. However, Google re-certifies the same public key, so key continuity schemes like public key pinning work.

There's a smaller, second issue when using openssl s_client. s_client needs the option CAfile using Google Internet Authority G2. The missing CA is causing the error unable to get local issuer certificate below. You can download Google's CA file at pki.google.com.

$ openssl s_client -connect googleapis.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

You could also use Equifax Secure Certificate Authority as the root of trust because it appears Equifax cross-certified Google's CA.

But the name mismatch is a deal breaker. That's the one thing an X509 certificate is supposed to do: bind a entity, like a server name or user, to a public key through a trusted authority. It does not matter who signed the broken certificate (I could have signed it).

$ openssl x509 -in googleapis-com.txt -inform PEM -text -noout 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9106978240760957072 (0x7e627c7589c4c890)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not Before: Jul  2 13:04:27 2014 GMT
            Not After : Sep 30 00:00:00 2014 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ab:02:29:67:f1:08:cc:f0:5c:63:ff:75:b3:bd:
                    41:62:c6:83:0c:3b:e6:1b:9a:41:0d:dc:5a:b3:34:
                    db:a3:37:6f:4f:bf:f5:8a:01:39:6a:91:b7:d1:a6:
                    83:6d:c6:28:60:79:c9:07:f2:ad:23:00:f2:31:74:
                    b0:a3:d0:d6:ac:5a:f4:31:c8:98:9c:49:c6:20:0b:
                    ce:81:2b:51:b6:54:0f:65:54:f2:b3:08:c9:c0:c8:
                    ca:a6:ec:bb:fc:8e:a5:64:70:6b:dc:08:45:9c:14:
                    cd:cd:aa:49:fd:e9:a5:f1:7d:c6:f8:5d:52:e8:d8:
                    3d:21:81:46:49:ba:f7:bd:7d:07:42:31:cf:79:61:
                    b1:47:2c:ba:ce:5a:cd:52:4a:5f:d2:b6:88:d0:a2:
                    94:53:e2:65:d6:66:80:43:17:e1:2e:43:ab:ca:2f:
                    79:e6:11:8b:4a:35:fa:e1:43:e3:49:66:5a:1f:e0:
                    a3:1c:5e:1c:6e:aa:de:0d:ba:cb:20:e3:3d:9e:66:
                    47:32:25:3c:01:22:b3:69:a6:96:0e:2e:13:c7:fd:
                    70:c6:61:7e:a9:f0:ad:a4:a6:41:13:36:8c:46:74:
                    c8:a5:ac:b0:b5:17:00:b8:0e:62:79:1a:fc:7e:7c:
                    2b:f7:2e:c0:ab:07:fc:8e:46:3c:8f:f2:e5:6e:8f:
                    83:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 

                DNS:google.com, DNS:*.2mdn.net, DNS:*.android.com, DNS:*.appengine.google.com, 
DNS:*.au.doubleclick.net, DNS:*.cc-dt.com, DNS:*.cloud.google.com, DNS:*.de.doubleclick.net, 
DNS:*.doubleclick.com, DNS:*.doubleclick.net, DNS:*.fls.doubleclick.net, DNS:*.fr.doubleclick.net, 
DNS:*.google-analytics.com, DNS:*.google.ac, DNS:*.google.ad, DNS:*.google.ae, DNS:*.google.af, 
DNS:*.google.ag, DNS:*.google.al, DNS:*.google.am, DNS:*.google.as, DNS:*.google.at, 
DNS:*.google.az, DNS:*.google.ba, DNS:*.google.be, DNS:*.google.bf, DNS:*.google.bg, 
DNS:*.google.bi, DNS:*.google.bj, DNS:*.google.bs, DNS:*.google.bt, DNS:*.google.by, 
DNS:*.google.ca, DNS:*.google.cat, DNS:*.google.cc, DNS:*.google.cd, DNS:*.google.cf, 
DNS:*.google.cg, DNS:*.google.ch, DNS:*.google.ci, DNS:*.google.cl, DNS:*.google.cm, 
DNS:*.google.cn, DNS:*.google.co.ao, DNS:*.google.co.bw, DNS:*.google.co.ck, DNS:*.google.co.cr, 
DNS:*.google.co.hu, DNS:*.google.co.id, DNS:*.google.co.il, DNS:*.google.co.im, DNS:*.google.co.in, 
DNS:*.google.co.je, DNS:*.google.co.jp, DNS:*.google.co.ke, DNS:*.google.co.kr, DNS:*.google.co.ls, 
DNS:*.google.co.ma, DNS:*.google.co.mz, DNS:*.google.co.nz, DNS:*.google.co.th, DNS:*.google.co.tz, 
DNS:*.google.co.ug, DNS:*.google.co.uk, DNS:*.google.co.uz, DNS:*.google.co.ve, DNS:*.google.co.vi, 
DNS:*.google.co.za, DNS:*.google.co.zm, DNS:*.google.co.zw, DNS:*.google.com, DNS:*.google.com.af, 
DNS:*.google.com.ag, DNS:*.google.com.ai, DNS:*.google.com.ar, DNS:*.google.com.au, 
DNS:*.google.com.bd, DNS:*.google.com.bh, DNS:*.google.com.bn, DNS:*.google.com.bo, 
DNS:*.google.com.br, DNS:*.google.com.by, DNS:*.google.com.bz, DNS:*.google.com.cn, 
DNS:*.google.com.co, DNS:*.google.com.cu, DNS:*.google.com.cy, DNS:*.google.com.do, 
DNS:*.google.com.ec, DNS:*.google.com.eg, DNS:*.google.com.et, DNS:*.google.com.fj, 
DNS:*.google.com.ge, DNS:*.google.com.gh, DNS:*.google.com.gi, DNS:*.google.com.gr, 
DNS:*.google.com.gt, DNS:*.google.com.hk, DNS:*.google.com.iq, DNS:*.google.com.jm, 
DNS:*.google.com.jo, DNS:*.google.com.kh, DNS:*.google.com.kw, DNS:*.google.com.lb, 
DNS:*.google.com.ly, DNS:*.google.com.mm, DNS:*.google.com.mt, DNS:*.google.com.mx, 
DNS:*.google.com.my, DNS:*.google.com.na, DNS:*.google.com.nf, DNS:*.google.com.ng, 
DNS:*.google.com.ni, DNS:*.google.com.np, DNS:*.google.com.nr, DNS:*.google.com.om, 
DNS:*.google.com.pa, DNS:*.google.com.pe, DNS:*.google.com.pg, DNS:*.google.com.ph, 
DNS:*.google.com.pk, DNS:*.google.com.pl, DNS:*.google.com.pr, DNS:*.google.com.py, 
DNS:*.google.com.qa, DNS:*.google.com.ru, DNS:*.google.com.sa, DNS:*.google.com.sb, 
DNS:*.google.com.sg, DNS:*.google.com.sl, DNS:*.google.com.sv, DNS:*.google.com.tj, 
DNS:*.google.com.tn, DNS:*.google.com.tr, DNS:*.google.com.tw, DNS:*.google.com.ua, 
DNS:*.google.com.uy, DNS:*.google.com.vc, DNS:*.google.com.ve, DNS:*.google.com.vn, DNS:*.google.cv, 
DNS:*.google.cz, DNS:*.google.de, DNS:*.google.dj, DNS:*.google.dk, DNS:*.google.dm, 
DNS:*.google.dz, DNS:*.google.ee, DNS:*.google.es, DNS:*.google.fi, DNS:*.google.fm, 
DNS:*.google.fr, DNS:*.google.ga, DNS:*.google.ge, DNS:*.google.gg, DNS:*.google.gl, 
DNS:*.google.gm, DNS:*.google.gp, DNS:*.google.gr, DNS:*.google.gy, DNS:*.google.hk, 
DNS:*.google.hn, DNS:*.google.hr, DNS:*.google.ht, DNS:*.google.hu, DNS:*.google.ie, 
DNS:*.google.im, DNS:*.google.info, DNS:*.google.iq, DNS:*.google.ir, DNS:*.google.is, 
DNS:*.google.it, DNS:*.google.it.ao, DNS:*.google.je, DNS:*.google.jo, DNS:*.google.jobs, 
DNS:*.google.jp, DNS:*.google.kg, DNS:*.google.ki, DNS:*.google.kz, DNS:*.google.la, 
DNS:*.google.li, DNS:*.google.lk, DNS:*.google.lt, DNS:*.google.lu, DNS:*.google.lv, 
DNS:*.google.md, DNS:*.google.me, DNS:*.google.mg, DNS:*.google.mk, DNS:*.google.ml, 
DNS:*.google.mn, DNS:*.google.ms, DNS:*.google.mu, DNS:*.google.mv, DNS:*.google.mw, 
DNS:*.google.ne, DNS:*.google.ne.jp, DNS:*.google.net, DNS:*.google.ng, DNS:*.google.nl, 
DNS:*.google.no, DNS:*.google.nr, DNS:*.google.nu, DNS:*.google.off.ai, DNS:*.google.pk, 
DNS:*.google.pl, DNS:*.google.pn, DNS:*.google.ps, DNS:*.google.pt, DNS:*.google.ro, 
DNS:*.google.rs, DNS:*.google.ru, DNS:*.google.rw, DNS:*.google.sc, DNS:*.google.se, 
DNS:*.google.sh, DNS:*.google.si, DNS:*.google.sk, DNS:*.google.sm, DNS:*.google.sn, 
DNS:*.google.so, DNS:*.google.sr, DNS:*.google.st, DNS:*.google.td, DNS:*.google.tg, 
DNS:*.google.tk, DNS:*.google.tl, DNS:*.google.tm, DNS:*.google.tn, DNS:*.google.to, 
DNS:*.google.tt, DNS:*.google.us, DNS:*.google.uz, DNS:*.google.vg, DNS:*.google.vu, 
DNS:*.google.ws, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.googlevideo.com, 
DNS:*.gstatic.com, DNS:*.gvt1.com, DNS:*.jp.doubleclick.net, DNS:*.metric.gstatic.com, 
DNS:*.uk.doubleclick.net, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, 
DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:ad.mo.doubleclick.net, 
DNS:android.com, DNS:doubleclick.net, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.ac, 
DNS:google.ad, DNS:google.ae, DNS:google.af, DNS:google.ag, DNS:google.al, DNS:google.am, 
DNS:google.as, DNS:google.at, DNS:google.az, DNS:google.ba, DNS:google.be, DNS:google.bf, 
DNS:google.bg, DNS:google.bi, DNS:google.bj, DNS:google.bs, DNS:google.bt, DNS:google.by, 
DNS:google.ca, DNS:google.cat, DNS:google.cc, DNS:google.cd, DNS:google.cf, DNS:google.cg, 
DNS:google.ch, DNS:google.ci, DNS:google.cl, DNS:google.cm, DNS:google.cn, DNS:google.co.ao, 
DNS:google.co.bw, DNS:google.co.ck, DNS:google.co.cr, DNS:google.co.hu, DNS:google.co.id, 
DNS:google.co.il, DNS:google.co.im, DNS:google.co.in, DNS:google.co.je, DNS:google.co.jp, 
DNS:google.co.ke, DNS:google.co.kr, DNS:google.co.ls, DNS:google.co.ma, DNS:google.co.mz, 
DNS:google.co.nz, DNS:google.co.th, DNS:google.co.tz, DNS:google.co.ug, DNS:google.co.uk, 
DNS:google.co.uz, DNS:google.co.ve, DNS:google.co.vi, DNS:google.co.za, DNS:google.co.zm, 
DNS:google.co.zw, DNS:google.com.af, DNS:google.com.ag, DNS:google.com.ai, DNS:google.com.ar, 
DNS:google.com.au, DNS:google.com.bd, DNS:google.com.bh, DNS:google.com.bn, DNS:google.com.bo, 
DNS:google.com.br, DNS:google.com.by, DNS:google.com.bz, DNS:google.com.cn, DNS:google.com.co, 
DNS:google.com.cu, DNS:google.com.cy, DNS:google.com.do, DNS:google.com.ec, DNS:google.com.eg, 
DNS:google.com.et, DNS:google.com.fj, DNS:google.com.ge, DNS:google.com.gh, DNS:google.com.gi, 
DNS:google.com.gr, DNS:google.com.gt, DNS:google.com.hk, DNS:google.com.iq, DNS:google.com.jm, 
DNS:google.com.jo, DNS:google.com.kh, DNS:google.com.kw, DNS:google.com.lb, DNS:google.com.ly, 
DNS:google.com.mm, DNS:google.com.mt, DNS:google.com.mx, DNS:google.com.my, DNS:google.com.na, 
DNS:google.com.nf, DNS:google.com.ng, DNS:google.com.ni, DNS:google.com.np, DNS:google.com.nr, 
DNS:google.com.om, DNS:google.com.pa, DNS:google.com.pe, DNS:google.com.pg, DNS:google.com.ph, 
DNS:google.com.pk, DNS:google.com.pl, DNS:google.com.pr, DNS:google.com.py, DNS:google.com.qa, 
DNS:google.com.ru, DNS:google.com.sa, DNS:google.com.sb, DNS:google.com.sg, DNS:google.com.sl, 
DNS:google.com.sv, DNS:google.com.tj, DNS:google.com.tn, DNS:google.com.tr, DNS:google.com.tw, 
DNS:google.com.ua, DNS:google.com.uy, DNS:google.com.vc, DNS:google.com.ve, DNS:google.com.vn, 
DNS:google.cv, DNS:google.cz, DNS:google.de, DNS:google.dj, DNS:google.dk, DNS:google.dm, 
DNS:google.dz, DNS:google.ee, DNS:google.es, DNS:google.fi, DNS:google.fm, DNS:google.fr, 
DNS:google.ga, DNS:google.ge, DNS:google.gg, DNS:google.gl, DNS:google.gm, DNS:google.gp, 
DNS:google.gr, DNS:google.gy, DNS:google.hk, DNS:google.hn, DNS:google.hr, DNS:google.ht, 
DNS:google.hu, DNS:google.ie, DNS:google.im, DNS:google.info, DNS:google.iq, DNS:google.ir, 
DNS:google.is, DNS:google.it, DNS:google.it.ao, DNS:google.je, DNS:google.jo, DNS:google.jobs, 
DNS:google.jp, DNS:google.kg, DNS:google.ki, DNS:google.kz, DNS:google.la, DNS:google.li, 
DNS:google.lk, DNS:google.lt, DNS:google.lu, DNS:google.lv, DNS:google.md, DNS:google.me, 
DNS:google.mg, DNS:google.mk, DNS:google.ml, DNS:google.mn, DNS:google.ms, DNS:google.mu, 
DNS:google.mv, DNS:google.mw, DNS:google.ne, DNS:google.ne.jp, DNS:google.net, DNS:google.ng, 
DNS:google.nl, DNS:google.no, DNS:google.nr, DNS:google.nu, DNS:google.off.ai, DNS:google.pk, 
DNS:google.pl, DNS:google.pn, DNS:google.ps, DNS:google.pt, DNS:google.ro, DNS:google.rs, 
DNS:google.ru, DNS:google.rw, DNS:google.sc, DNS:google.se, DNS:google.sh, DNS:google.si, 
DNS:google.sk, DNS:google.sm, DNS:google.sn, DNS:google.so, DNS:google.sr, DNS:google.st, 
DNS:google.td, DNS:google.tg, DNS:google.tk, DNS:google.tl, DNS:google.tm, DNS:google.tn, 
DNS:google.to, DNS:google.tt, DNS:google.us, DNS:google.uz, DNS:google.vg, DNS:google.vu, 
DNS:google.ws, DNS:googlecommerce.com, DNS:gstatic.com, DNS:urchin.com, DNS:youtu.be, 
DNS:youtube.com, DNS:youtubeeducation.com
            Authority Information Access: 
                CA Issuers - URI:http://pki.google.com/GIAG2.crt
                OCSP - URI:http://clients1.google.com/ocsp

            X509v3 Subject Key Identifier: 
                71:D7:BB:09:DE:42:EB:E5:E0:75:3D:49:64:97:E5:9A:8D:6E:C3:8E
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.11129.2.5.1

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://pki.google.com/GIAG2.crl

    Signature Algorithm: sha1WithRSAEncryption
         8f:f3:ec:dd:ca:45:d2:20:12:40:cd:ce:72:10:42:b5:ac:4b:
         8c:45:15:15:d7:9f:fb:01:e7:84:63:c6:41:b4:93:8b:79:ab:
         51:56:b9:3f:07:74:5b:c7:38:ad:f0:ee:97:53:3b:f8:2d:bc:
         94:23:ca:2e:1f:0c:5b:21:82:ae:b8:0f:55:43:1a:58:8f:4d:
         25:0a:80:32:a6:c9:ff:3f:43:f5:1f:39:63:9f:a6:82:20:b4:
         74:d4:e1:ef:e0:f9:92:c5:63:b6:e2:61:e4:e7:4e:c7:a3:dd:
         44:1b:32:e0:06:7f:84:b6:45:20:57:6a:71:07:c2:54:b0:69:
         9c:a2:f6:3f:5f:52:ca:9e:ba:77:b3:0b:4f:2a:b7:14:ca:c9:
         7a:6c:f3:ce:2b:aa:c1:0d:ea:33:8f:e6:39:24:83:84:dc:3c:
         ac:f0:83:2e:98:9f:2f:54:de:c4:c5:b0:05:a3:e3:ca:a5:13:
         9c:28:ba:6b:e9:ee:e0:10:41:4a:d7:78:cd:60:0f:79:0f:0a:
         e3:76:46:ce:7a:b4:84:1b:07:91:21:83:23:17:7a:77:e8:32:
         3b:14:7c:3a:a8:fb:d6:c2:bf:18:4a:ad:d7:c1:d6:30:cd:67:
         b4:8f:7d:27:43:97:b8:12:9d:0b:7e:ae:de:27:83:fa:89:29:
         d9:be:e4:43

if you add 'www' to the URL then it has the correct CN: openssl s_client -connect www.googleapis.com:443 — Pete, Feb 20 '17 at 16:16
I followed your steps but it doesn't work yet for me. I am using the trello api. Any idea what else I could try? — molerat, Jul 05 '18 at 14:53
This answers what is causing the issue but does not clearly show how to fix. — Akira Yamamoto, Jan 21 '21 at 03:41

score 9 · Answer 5 · edited Feb 24 '18 at 15:44

9

Rather than disabling verification entirely, this can likely be fixed by providing proper CA bundle file. See verify in Guzzle documentation.

In my system I was able to reuse one bundled with Git:

$client = new \GuzzleHttp\Client();
$client->setDefaultOption('verify', 'C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt');

edited Feb 24 '18 at 15:44

Andrew

18,680
13
103
118

answered Dec 26 '14 at 15:29

Rarst

2,335
16
26

3

Not valid for the current Guzzle version. – Slawa Jun 11 '19 at 16:07

score 7 · Answer 6 · answered Jun 16 '20 at 09:43

7

If you are using Facades Http then you can pass verify false in withOptions method :

Http::withOptions(['verify' => false,])->withHeaders($headers)->get($endpoint);

answered Jun 16 '20 at 09:43

Syed Husain Ahmad

97
1
2

Karim Samir · Answer 7 · 2018-04-17T19:38:37.457

5

this really helps me

Follow this link: http://curl.haxx.se/ca/cacert.pem Copy the entire page and save it is "cacert.pem"

Then in your php.ini file insert or edit the

;;;;;;;;;;;;;;;;;;;;
; php.ini Options  ;
;;;;;;;;;;;;;;;;;;;;

curl.cainfo = "[pathtothisfile]\cacert.pem"

Problem solved (Not recommended in a production environment)

edited Apr 17 '18 at 19:38

answered Aug 28 '17 at 12:44

Karim Samir

1,470
17
17

2

If you use self-signed ssl, this is probably your choice. Disabling ssl verification is not a good idea and Setting default options is useless on production. So this is a really good one when self-signed ssl on develop environment. You should be aware that you will need to set both php-fpm and php-cli's php.ini for web and command line to work. – cwhsu Apr 16 '18 at 08:28
1

I use this in development only – Karim Samir Apr 17 '18 at 19:37

samehanwar · Answer 8 · 2019-04-21T00:19:24.817

4

you can also try this in guzzle 6+

$client = new \GuzzleHttp\Client(
                  array( 
                         'curl'   => array( CURLOPT_SSL_VERIFYPEER => false ),
                         'verify' => false
                       )
                   );

edited Apr 21 '19 at 00:19

answered Nov 21 '17 at 14:24

samehanwar

3,280
2
23
26

score 3 · Answer 9 · answered Feb 24 '18 at 15:52

3

1) Save the contents of this ca bundle file to your system, eg to: C:/ca-bundle.crt

2) Update php.ini property openssl.cafile like so: openssl.cafile="C:/ca-bundle.crt"

3) restart server/ done / should now work

more info here: http://guzzle.readthedocs.io/en/stable/request-options.html#verify

answered Feb 24 '18 at 15:52

Andrew

18,680
13
103
118

Set this, but guzzle ignores this... – Sebi2020 Jun 21 '22 at 08:49
1

This worked for me on my local dev Windows 11, PHP 8.1.8, Laravel 10, Guzzle 7.5.0 – ChrisDeDavidMindflowAU Mar 05 '23 at 12:53

score 0 · Answer 10 · answered Nov 28 '19 at 11:33

0

Guzzle 6
  $response = $client->request('POST', $url, [
                                                'verify' => false,
                                                 'body'=>json_encode($postData)
                                            ]);


                    $body = $response->getBody()->getContents();

answered Nov 28 '19 at 11:33

youssef simon

19
1

2

When answering an old question, your answer would be much more useful to other StackOverflow users if you included some context to explain how your answer helps, particularly for a question that already has an accepted answer. See: [How do I write a good answer](https://stackoverflow.com/help/how-to-answer). – David Buck Nov 28 '19 at 11:53

score -1 · Answer 11 · edited Jan 30 '21 at 11:03

I faced a same issue with guzzel like

GuzzleHttp\Exception\RequestException::wrapException(Object(GuzzleHttp\Psr7\Request), Object(RuntimeException))
      /mnt/application/lms-backend/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php:67

  2   RuntimeException::("Error creating resource: [message] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1408F10B:SSL routines:ssl3_get_record:wrong version number
[file] /mnt/application/lms-backend/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php
[line] 323
[message] fopen(): Failed to enable crypto
[file] /mnt/application/lms-backend/vendor/guzzlehttp/guzzle/src/Handler/StreamHandler.php
[line] 323

Please make sure you are requesting the url with http or else pass the pass token.

score -1 · Answer 12 · answered Aug 02 '21 at 07:08

-1

$this->client = new Client(
    [
       'base_uri' => $this->baseUrl,
       'verify' => false,
   ]
);

answered Aug 02 '21 at 07:08

Lysak

333
1
4
7

score -2 · Answer 13 · answered Nov 16 '18 at 11:12

-2

I use guzzle/guzzle 3.* and this code works for me :

$client = new Client(env('API_HOST'));
$client->setSslVerification(false);

answered Nov 16 '18 at 11:12

fico7489

7,931
7
55
89

Guzzle Curl Error 60 SSL unable to get local issuer

13 Answers13

Linked