2

I am trying to use the Mailchimp API Wrapper which they provide. It uses the PHP Curl extension and on my development environment (PHP, Apache and Ubuntu) everything worked fine.

Now I am trying to get it to work on the live environment which is PHP 5.6.7 on IIS 7.5. phpinfo tells me that I'm using CURL 7.40.0. Whatever I do I keep getting the same error: `SSL certificate problem: unable to get local issuer certificate`

I have had a look around lots of similar questions to try to find the answer. A common theme is to download the CA Bundle (I've tried both the HTTP from curl.haxx.se and the HTTPS from github versions) and then either modify the code to include

```php
curl_setopt($ch, CURLOPT_CAINFO, "C:\path\to\cacert.pem");
```

or my preferred option which is to add to the php.ini file

```ini
curl.cainfo="C:\path\to\cacert.pem"
```

but neither of those have fixed the problem. I have also tried the

```php
ini_set('openssl.cafile', '\path\to\cacert');
```

as suggested here, and this also doesn't work.

I'm wondering if the problem could be file permissions (so I've been giving everybody read access to cacert.pem to eliminate that possibility), or if the problem has something to do with needing to escape the \ characters in PHP (so I've tried both the `c:\path\to\cacert.pem` and `c:\\path\\to\\cacert.pem` varieties) but regardless of what I do I haven't found any combinations that will make it work, except for setting CURLOPT_SSL_VERIFYPEER to false which I obviously don't want to do.

I'm wondering if this is the same problem as in this question, the main difference being that I'm using IIS and not XAMPP.

Is there anything I'm missing - any reason why this setup won't work?

Thanks in advance for any suggestions.

ec2011
  • Are you restarting IIS after changing the php.ini? – TooMuchPete Mar 27 '15 at 02:26
  • No, but I know that the changes to the php.ini are effective because if I put in an invalid path I get a different error message about being unable to find the certificates bundle. Also the `curl_setopt` method should not require a restart of IIS. – ec2011 Mar 27 '15 at 12:10

2 Answers

1

The certificate MailChimp are currently still using (for compatibility reasons they told me) is the GTE CyberTrust Global Root (note GTE was bought by Digicert), so you don't need to replace the entire bundle, just add or force PHP to read this certificate:

https://gte-cybertrust-global-root.digicert.com/info/index.html

Unfortunately I only use Linux so I can't give you any help with IIS.

William Turrell
1

This thread has been very useful for a similar problem I encountered when trying to communicate through the Mailchimp API using Windows Azure. I finally got it to work using the following steps:

1. Download & modify cacert.pem

I've downloaded cacert.pem from https://curl.haxx.se/ca/cacert.pem. This wasn't working for me either. This certificate does not include the correct GTE Cybertrust Global Root info so I've pasted it in.

2. Upload the certificate

E.g. in "D:\home\site\cacert.pem" - as long as you remember the path

3. Change the system configuration setting for curl.cainfo

This info is from a document by Microsoft:

  1. Add an App Setting to your Web App with the key PHP_INI_SCAN_DIR and value d:\home\site\ini

  2. Create a settings.ini file using Kudu Console (http://[site-name].scm.azurewebsite.net) in the d:\home\site\ini directory.

  3. Add configuration settings to the settings.ini file using the same syntax you would use in a php.ini file.

Here we add: curl.cainfo = "D:\home\site\cacert.pem"

  4. Restart your Web App to load the changes.

You can check if your custom .ini was picked up by using phpinfo() - it should show up under "Additional .ini files parsed"

This is what got it working for me on Windows Azure!

(please note I couldn't paste more than 2 links due to my lack of reputation, I just signed up)

StefanLu
  • Thanks for those detailed instructions. I am no longer involved in the project that required this but if I ever run into this problem again I'll know where to come to look for a solution! – ec2011 Mar 17 '16 at 20:30
  • No problem! I also added it for anyone who will find this through Google, as I did :-) – StefanLu Mar 21 '16 at 12:05
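
A diagnostic for the checks discussed in both answers, added here as an example and not code from the question or the answers: it reports which php.ini and TLS backend PHP's cURL is using, then confirms that the bundle named by `curl.cainfo` is readable by the web server's PHP process and contains the root named in the first answer. The function names are hypothetical, and matching the root by the common name `GTE CyberTrust Global Root` is an assumption; the code avoids PHP 7 syntax so it runs on PHP 5.6.

```php
<?php
// Added example, not code from the question or answers. Run it through the
// web server (not the CLI) so it sees the same php.ini and runs as the same
// Windows account as the failing request.

// Return subject CN and expiry time for every certificate in a PEM bundle.
function list_bundle_certs($pem)
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $certs = array();
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            continue; // block that OpenSSL cannot decode
        }
        $cn = isset($info['subject']['CN']) ? $info['subject']['CN'] : '(no CN)';
        $certs[] = array(
            'cn'      => is_array($cn) ? implode(' / ', $cn) : $cn,
            'expires' => $info['validTo_time_t'],
        );
    }
    return $certs;
}

// Check that $path is a readable bundle holding an unexpired root named $wantedCn.
function check_ca_bundle($path, $wantedCn)
{
    if ($path === false || $path === '') {
        return 'FAIL: curl.cainfo is not set in the loaded php.ini';
    }
    if (!is_file($path) || !is_readable($path)) {
        return "FAIL: '$path' is missing or not readable by this PHP process";
    }
    $certs = list_bundle_certs(file_get_contents($path));
    foreach ($certs as $c) {
        if (strcasecmp($c['cn'], $wantedCn) === 0) {
            $when = gmdate('Y-m-d', $c['expires']);
            return $c['expires'] > time()
                ? "OK: '$wantedCn' found, valid until $when"
                : "FAIL: '$wantedCn' found but expired on $when";
        }
    }
    return 'FAIL: ' . count($certs) . " certificates parsed, none named '$wantedCn'";
}

header('Content-Type: text/plain');
$v = curl_version();
echo 'php.ini:     ', php_ini_loaded_file(), "\n";
echo 'TLS backend: ', $v['ssl_version'], "\n";
echo check_ca_bundle(ini_get('curl.cainfo'), 'GTE CyberTrust Global Root'), "\n";
```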