
I know something similar to this has already been asked around here but I think my problem is different. I'm trying to make a curl request to a proper SSL website (it's not self-signed). I can set the options easily and even imported the CA certificate bundle to the right place. All fine and good I would hope but I'm still getting:

SSL certificate problem: unable to get local issuer certificate

I've looked around here and on google and can't seem to solve the issue. Here's my curl setup:

<?php
// Target URL (the site named later in the comments)
$url = 'https://www.caixagest.pt/Default.aspx';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36');
// Verify the server certificate against the CA bundle and check the hostname
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// CA bundle location (this line is referenced in the comments below; the
// same setting can instead come from curl.cainfo in php.ini)
curl_setopt($ch, CURLOPT_CAINFO, getcwd()."/ca-bundle.crt");
//curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_AUTOREFERER, true);
// Verbose output is written to STDERR (the web server's error log under a SAPI)
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_CERTINFO, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd()."/cookie_jar");
curl_setopt($ch, CURLOPT_HEADER, true);

$result = curl_exec($ch);

Edit2: Here's the verbose output as requested:

* Adding handle: conn: 0x3472770
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x3472770) send_pipe: 1, recv_pipe: 0
* About to connect() to www.caixagest.pt port 443 (#0)
*   Trying 195.234.134.196...
* Connected to www.caixagest.pt (195.234.134.196) port 443 (#0)
* error setting certificate verify locations:
  CAfile: C:\Winginx\ssl\certs\ca-bundle-old.crt
  CApath: none
* Closing connection 0


error setting certificate verify locations:
  CAfile: C:\Winginx\ssl\certs\ca-bundle-old.crt
  CApath: none
– wadge
  • It definitely does not trust the certificate it's being provided - Is this not solved by http://stackoverflow.com/questions/22973701/ssl-errors-using-mailchimps-api/29649024#29649024 ? – Andy Hoffner May 26 '15 at 23:38

1 Answer

It's hard to say without having the URL, the curl version and compile options and the contents of your CA bundle but the most common cases are:

  • Server forgot to include important chain certificates. Look out for "chain issues" and "extra download" when doing the analysis with SSLLabs.
  • Different trust path with the OpenSSL backend of curl. See https://stackoverflow.com/a/30068150/3081018 for details.
  • Old curl version which does not support SNI, so server sends the wrong certificate.

More detailed help might be available with more information from you.

– Steffen Ullrich
  • Here is the url: https://www.caixagest.pt/Default.aspx php version is 5.6.3 running on xampp and the CA bundle is the latest version from the official website. – wadge May 27 '15 at 07:41
  • The site itself looks fine and the certificate chain too. Can you add the debug information from CURLOPT_VERBOSE to the question? And you don't happen to be behind an SSL-intercepting firewall? – Steffen Ullrich May 27 '15 at 08:11
  • How would I go about doing that (showing the verbose output)? I'm quite new to curl on SSL. At home I'm behind BitDefender Internet Security and the CA certificate being shown is from BitDefender. However, at work the result is the same. – wadge May 27 '15 at 09:26
  • The verbose output is probably somewhere in your server logs. And if you have an SSL intercepting CA it needs to be added to the certificate bundle as trusted or the verification will fail. – Steffen Ullrich May 27 '15 at 09:54
  • Added the Verbose output to the question. I'm running this from my work computer which isn't behind any SSL intercepting firewall. – wadge May 27 '15 at 10:34
  • Thanks, now the contents of `C:\Winginx\home\tests\scr/ca-bundle.crt` is the question. Can you provide a copy of the file (pastebin etc)? And are you sure that PHP can deal with the mixed path delimiters, e.g. "/" vs. "\" ? – Steffen Ullrich May 27 '15 at 10:41
  • The contents from the ca-bundle are from here: http://curl.haxx.se/docs/caextract.html. It's that .crt file. Yep, I've tested it and it can handle it; if I rename the `curl_setopt($ch, CURLOPT_CAINFO, getcwd()."/ca-bundle.crt");` to something else, curl can't find the file, so I assume it's actually accessing that file. – wadge May 27 '15 at 10:52
  • Now we might get to the root of the problem. The CA bundle you've used has the 1024 bit certificates removed which is fine for Firefox which uses NSS but OpenSSL has problems with it (see the second point in the answer about different trust path). And the site in question needs a 1024bit CA as root with OpenSSL. Please try with the older bundle referenced from the URL, i.e. https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt – Steffen Ullrich May 27 '15 at 10:55
  • I've updated the Question once again with the new output. I didn't know that OpenSSL had issues with certificates without the 1024bit CA root. I've moved the file to a more readable directory and put curl.cainfo in php.ini to avoid any php hiccups. – wadge May 27 '15 at 11:07
  • There are "error setting certificate verify locations: ...", so something is wrong with your configuration. And no, OpenSSL does not have general problems w/o 1024 bit CA, only specific problems. I recommend you read the longer explanation in the answer I've linked to. – Steffen Ullrich May 27 '15 at 11:16
  • Hmm, I only have the bundle downloaded. Do I need to export any certificate from Firefox so that PHP can use it too? – wadge May 27 '15 at 11:25
  • There is probably something wrong with the path you gave or anything like this. Verify the settings. – Steffen Ullrich May 27 '15 at 11:49
  • Managed to get the configurations working to eliminate the error from before; however, it feels like I'm going in loops (btw, is there a problem that this is from a local dev machine?). Updated the post to reflect the log. – wadge May 27 '15 at 23:16
  • Obviously you still have the problem that it cannot load the CAs. I have no idea what you are doing, but it might be a permission problem, wrong path, bad contents of the file (did you check the contents?) ... – Steffen Ullrich May 28 '15 at 02:32
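The thread above ends at "cannot load the CAs" without a way to tell a bad path, an unreadable file and a bundle with bad contents apart. The following PHP is an added diagnostic example (not code from the question or the answer) that checks those three things about the bundle before the request, then runs the request with CURLOPT_CAINFO set explicitly and the verbose log captured to a file instead of the SAPI's error log; the bundle location and log file name are assumptions.

```php
<?php
// Added example: inspect the CA bundle, then fetch with verification on.

function inspectCaBundle(string $caFile): array
{
    $report = ['path' => $caFile, 'exists' => is_file($caFile),
               'readable' => is_readable($caFile), 'certs' => 0, 'unparsable' => 0];
    if (!$report['exists'] || !$report['readable']) {
        return $report;   // wrong path or permission problem: curl reports errno 77
    }
    // Split the bundle into PEM blocks and try to parse each with OpenSSL;
    // a bundle with zero or unparsable blocks is the "bad contents" case.
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
                   file_get_contents($caFile), $m);
    foreach ($m[0] as $pem) {
        $report['certs']++;
        if (openssl_x509_parse($pem) === false) {
            $report['unparsable']++;
        }
    }
    return $report;
}

function fetchWithVerification(string $url, string $caFile, string $logFile): array
{
    $log = fopen($logFile, 'w');
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // verify the chain against $caFile
        CURLOPT_SSL_VERIFYHOST => 2,      // and require the hostname to match
        CURLOPT_CAINFO         => $caFile, // explicit bundle, native separators
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log,    // verbose output lands in $logFile
    ]);
    $body = curl_exec($ch);
    // errno 77 = CA file could not be loaded; errno 60 = loaded, but the
    // server chain does not lead to a CA in it ("unable to get local issuer").
    $result = ['ok' => $body !== false, 'errno' => curl_errno($ch),
               'error' => curl_error($ch),
               'http_code' => curl_getinfo($ch, CURLINFO_HTTP_CODE)];
    curl_close($ch);
    fclose($log);
    return $result;
}

// Assumed location next to this script; use the OS path separator throughout.
$caFile = str_replace('/', DIRECTORY_SEPARATOR, __DIR__ . '/ca-bundle.crt');
print_r(inspectCaBundle($caFile));
print_r(fetchWithVerification('https://www.caixagest.pt/Default.aspx', $caFile,
                              __DIR__ . DIRECTORY_SEPARATOR . 'curl-verbose.log'));
```

Run it from the command line first so the verbose log and both reports are visible without digging through the web server's error log.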