I have an Ubuntu LAMP server on Digital Ocean and have set up an SSL certificate (which works perfectly fine). The website runs via https (http requests are redirected to https). In one of my PHP scripts, I have to send a cURL request to the local server. I am basically sending a POST request with JSON data that will be used for templating a document at the other end. In short, both ends are hosted at the same site:

  • https://example.com/form.php
  • https://example.com/templates/document.php

The cURL error I get when sending data from form.php to templates/document.php is:

SSL certificate problem: unable to get local issuer certificate

I have read at least 20 articles telling me to add these lines to php.ini at their original line positions:

  • curl.cainfo="/etc/ssl/certs/cacert.pem"
  • openssl.cafile="/etc/ssl/certs/cacert.pem"

The CA certificate is located as described above, but the cURL error persists.

I am able to bypass this error by forcing CURLOPT_SSL_VERIFYPEER to false in the cURL request itself. However, I know this is not an option for a website in production mode.

Is it not possible to do such an SSL cURL request to its own host? Or is it so that I can actually disable CURLOPT_SSL_VERIFYPEER for this very specific request since it's just a local request anyway?

Thank you in advance!

EDIT:

Adding a verbose option to the cURL request shows the following information:

```
* Trying 123.456.789.01...
* Connected to example.com (123.456.789.01) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/cacert.pem
  CApath: /etc/ssl/certs
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
```

It doesn't seem to be of any help though.

Nordling Art
  • My guess would be that the cafile might not be readable by the curl-part. Or something is wrong with the cacert.pem itself. Can you connect via command line? Does `curl https://example.com/templates/document.php --verbose --cacert /var/ssl/cacert.pem` work? Does it work if you su to the webuser? – Stefan M Jan 10 '18 at 13:31
  • `Is it not possible to do such an SSL cURL request to its own host?` Why would it not be possible? But `VERIFYPEER` is more to prevent "man in the middle" type attacks, if I am not mistaken. So, it may still not be ideal. – ArtisticPhoenix Jan 10 '18 at 13:45
  • I'm afraid it's another issue but in my case curl did not connect to 123.456.789.01 but to 127.0.0.1 instead. This was the solution: https://stackoverflow.com/a/9932914 – Dominik Späte Jan 11 '18 at 09:34
  • @DominikSpäte - Just tried it, same result unfortunately. – Nordling Art Jan 11 '18 at 10:26
  • @StefanM That command works, and it even works with the webuser www-data. But not with curl() in PHP. I've double checked that I use the same parameters. – Nordling Art Jan 11 '18 at 11:04
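
An added example (not part of the question or the comments): what the `unable to get local issuer certificate` message in the verbose output means to OpenSSL, reproduced offline with a constructed root, intermediate and leaf certificate. Every subject, key and file name is constructed for the illustration, and it assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Added example: every key and certificate here is constructed, none comes from the page.
set -eu

mk_csr() {   # $1 = subject CN, $2 = file basename
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# Build root CA -> intermediate CA -> leaf (server) certificate in directory $1.
build_chain() {
  (
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    mk_csr "Constructed Root CA" root
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
      -extfile ca.ext -out root.pem 2>/dev/null
    mk_csr "Constructed Intermediate CA" inter
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
    mk_csr "example.com" leaf
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
      -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
  )
}

# Verify the leaf with only the root trusted ("bare"), or with the intermediate
# also supplied as an untrusted helper, as a server sending its full chain would.
verify_leaf() {   # $1 = directory, $2 = bare | chain
  if [ "$2" = chain ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
      "$1/leaf.pem" 2>&1 || true
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 || true
  fi
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir"
echo "--- root trusted, intermediate not supplied:"
verify_leaf "$demo_dir" bare
echo "--- root trusted, intermediate supplied with the leaf:"
verify_leaf "$demo_dir" chain
```

The first verification fails because the leaf's issuer is neither in the CA file nor supplied alongside the leaf; the second succeeds with the same trust store. On a live host the corresponding checks are whether the web server sends its intermediate certificate(s) and whether the CA bundle in use contains the root they chain to.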
