php SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Question

I'm running PHP Version 5.6 as part of XAMPP in MacOSx El Capitan and having error on few https sites. e.g: https://www.google.com/

file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

But no SSL error returned on these sites:

1. GitHub
2. Composer
3. PayPal TLS Test

Please find the list first what i've tried so far but nothing works.

Tried Google first:

1. SSL error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2. PHP - SSL certificate error: unable to get local issuer certificate
3. HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK

Manual

1. Updated cert.pem file

php -r 'print_r(openssl_get_cert_locations());'

and result was.

Array
(
    [default_cert_file] => /Applications/XAMPP/xamppfiles/share/openssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /Applications/XAMPP/xamppfiles/share/openssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /Applications/XAMPP/xamppfiles/share/openssl/private
    [default_default_cert_area] => /Applications/XAMPP/xamppfiles/share/openssl
    [ini_cafile] => /Applications/XAMPP/xamppfiles/share/openssl/cert.pem
    [ini_capath] =>
)

Saved this file cacert.pem in /Applications/XAMPP/xamppfiles/share/openssl/cert.pem

Updated php.ini with following

openssl.cafile = /Applications/XAMPP/xamppfiles/share/openssl/cert.pem
curl.cainfo    = /Applications/XAMPP/xamppfiles/share/openssl/cert.pem

Restarted Apache but no succes. Tried to read pem file (no error returned)

echo file_get_contents("/Applications/XAMPP/xamppfiles/share/openssl/cert.pem");

Test Case

It works fine on github.com getcomposer.org paypal.com but not on google.com (google.com works as well on my windows system)

php -r '$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/"); var_dump(curl_exec($ch)); var_dump(curl_error($ch));'

Result: PayPal_Connection_OKbool(true)

But on google.com

php -r '$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://www.google.com/"); var_dump(curl_exec($ch)); var_dump(curl_error($ch));'

Result: string(63) "SSL certificate problem: unable to get local issuer certificate"

P.S: Disabling peer verification won't be acceptable.

Answer 1

In my case, making sure that the correct cert.pem file exists was not sufficient. You need to also set your time zone in your php.ini to your actual time zone using the date.timezone key (in my case, I set it to America/Los Angeles). Otherwise, PHP will default to using UTC and your system clock will appear to be off. This solved the issue for me on Mac OS X El Capitan (10.11.2).