I'm using the Rackspace API in PHP, and it just stopped working (everything worked fine 3 days ago). It uses Guzzle, which uses curl. And curl just stopped working.

[Thu Jun 21 14:55:36 2018] [error] [client xxx.xx.xxx.xx] PHP Fatal error:  Uncaught exception 'Guzzle\Http\Exception\CurlException' with message '[curl] 60:  [url] https://identity.api.rackspacecloud.com/v2.0/tokens' in /var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php:359
Stack trace:
#0 /var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(292): Guzzle\Http\Curl\CurlMulti->isCurlException(Object(Guzzle\Http\Message\EntityEnclosingRequest), Object(Guzzle\Http\Curl\CurlHandle), Array)
#1 /var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(257): Guzzle\Http\Curl\CurlMulti->processResponse(Object(Guzzle\Http\Message\EntityEnclosingRequest), Object(Guzzle\Http\Curl\CurlHandle), Array)
#2 /var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(240): Guzzle\Http\Curl\CurlMulti->processMessages()
#3 /var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(224): Guzzle\Http\Curl\CurlMulti->executeHandles()
#4 /var/www/passline.com/vendor/guzzle/http/Guzzle/Http/Curl/CurlMulti.php(111)

The important part from the error is the following:

[curl] 60: [url] https://identity.api.rackspacecloud.com/v2.0/tokens

I get an error 60 from curl, which means it is an SSL cert error. Most answers say the solution to this problem is: deactivate SSL or download a new cert.

curl: (60) SSL certificate : unable to get local issuer certificate

https://es.stackoverflow.com/questions/174276/curl-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate-url-h

I won't deactivate SSL, I can't use http instead of https, and I want to avoid having to get into the machine and download a new cert.

If someday I have an old cert again, my site is going to stop working. What is the correct way to fix this?

This server has CentOS 6; we're using PHP 5.3.3 and curl 7.19.7.

---- Edit ----

So, my problem is because of the change in the certificates of curl. From https://curl.haxx.se/docs/caextract.html

This bundle was generated at Wed Jun 20 03:12:06 2018 GMT .

There is a tool on Linux called update-ca-certificates which solves this problem; also, the curl site says you can run

curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem

But, I don't know, someday I'll see the system stop working properly, I'm going to get into the machine and run this command, and that's all? What do other people do? Set a cron with this command, or what?

lcjury
  • 1) you are off-topic here since it is not a programming question (so look on [su] or [sf] or [Webmasters.se] instead) but more importantly 2) "I get an error 60 with Curl." is not providing any useful information... show the curl command you use in full, and the result in full. And despite what you can read, "deactivate SSL" (sic) is **never** a good idea. You might as well do HTTP queries instead of HTTPS then, as authentication of the remote is more important than transport confidentiality. – Patrick Mevzek Jun 21 '18 at 16:34
  • I don't own the code, so I can't show the code I'm using (I just use a Rackspace lib which uses Guzzle which uses curl). The result is just that "curl error 60". I won't deactivate SSL, that's the reason why I'm asking; I can't do HTTP queries, I don't own the code, I don't know if curl downloads the cert by itself, or how all of this works. Are you sure this belongs on Server Fault? I prefer to avoid doing stuff on the server. – lcjury Jun 21 '18 at 16:49
  • You should at least give the URL you are trying to reach... Things may also depend on the PHP version, the OpenSSL version, the curl version, the API version, the OS type and version... You give no data points. Otherwise you will get only generic replies that may or may not resolve your problem. And your question is not really related to programming... – Patrick Mevzek Jun 21 '18 at 17:10
  • Thanks for your help Patrick, tried to add most of the request info to the question. Should I change something else? – lcjury Jun 21 '18 at 17:31
  • 1
    Thank you so much @lcjury this saved me today... – w3bMak3r May 15 '20 at 23:33

3 Answers


Older versions of Guzzle made use of their own CA file that was bundled with the Guzzle library. It would use that file instead of the system's (/etc/pki/tls/certs).

If you can get things working with cURL from the command line but get this error in Guzzle, that is likely the culprit.

Things were changed to use the system CA bundle by default in late 2014.

https://github.com/guzzle/guzzle/issues/623

https://github.com/guzzle/guzzle/pull/800

The behaviour of newer (> 3.0 ?) versions is described here (see verify configuration flag):

  1. Check if openssl.cafile is set in your php.ini file.
  2. Check if curl.cainfo is set in your php.ini file.
  3. Check if /etc/pki/tls/certs/ca-bundle.crt exists (Red Hat, CentOS, Fedora; provided by the ca-certificates package)
  4. Check if /etc/ssl/certs/ca-certificates.crt exists (Ubuntu, Debian; provided by the ca-certificates package)
  5. Check if /usr/local/share/certs/ca-root-nss.crt exists (FreeBSD; provided by the ca_root_nss package)
  6. Check if /usr/local/etc/openssl/cert.pem (OS X; provided by homebrew)
  7. Check if C:\windows\system32\curl-ca-bundle.crt exists (Windows)
  8. Check if C:\windows\curl-ca-bundle.crt exists (Windows)
ficuscr
  • Wow, this is a nice tip, but I think this doesn't solve my question – lcjury Jun 27 '18 at 17:49
  • In theory the CA would be updated by the system (`ca-certificates` RPM). Negating the need for you to manually update from `curl.haxx.se`. The approach of using a static file in the code repository was flawed. Not sure if specifically your issue, hope answer helps others. – ficuscr Jun 27 '18 at 17:52
  • The system updates the certificates itself? I'm using Guzzle 3.9, so it comes with the pull request you linked – lcjury Jun 27 '18 at 17:55
  • Yes. RHEL and clones should be doing that with `ca-certificates` package. If for some reason you were not getting updates then you can do it manually. [More here](https://serverfault.com/questions/394815/how-to-update-curl-ca-bundle-on-redhat) – ficuscr Jun 27 '18 at 17:59
  • That's strange. I had to manually run `update-ca-certificates` to fix my problem. Anyway, it's good to know that; it should do it automatically – lcjury Jun 27 '18 at 18:00
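The lookup order in the answer above is easy to reproduce outside PHP, which is useful when you are trying to confirm which file curl-based verification is actually going to read. The script below is an added example, not code from the original post, from Guzzle or from curl: it takes the two php.ini values (`openssl.cafile` and `curl.cainfo`, passed as arguments so the functions run without PHP), walks the system locations from the list (the Windows entries are left out), and reports the certificate count and age of the bundle it would pick. The 180-day staleness threshold is an arbitrary choice for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post, Guzzle or curl): a diagnostic that
# walks the CA-bundle lookup order the answer lists and reports on the winner.
# Usage:  sh ca_bundle_check.sh --report OPENSSL_CAFILE CURL_CAINFO
# where the two arguments are the php.ini values (pass '' when unset), e.g.
#   sh ca_bundle_check.sh --report "$(php -r 'echo ini_get("openssl.cafile");')" \
#                                  "$(php -r 'echo ini_get("curl.cainfo");')"
# The functions themselves need neither PHP nor network access.

# System bundle locations, in the order the Guzzle docs check them (the Linux
# and BSD/macOS paths from the answer; the Windows ones are omitted here).
CANDIDATE_BUNDLES="/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/usr/local/share/certs/ca-root-nss.crt
/usr/local/etc/openssl/cert.pem"

# resolve_ca_bundle OPENSSL_CAFILE CURL_CAINFO
# Prints the bundle verification would use and returns 0; prints nothing and
# returns 1 when no readable bundle exists at all.
resolve_ca_bundle() {
    # php.ini overrides win, in this order.
    for p in "$1" "$2"; do
        if [ -n "$p" ] && [ -r "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    # Then the well-known system locations.
    for p in $CANDIDATE_BUNDLES; do
        if [ -r "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# count_certs BUNDLE: number of PEM certificates in the file (0 if unreadable).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# bundle_is_stale BUNDLE MAX_DAYS: true if the file was last modified more than
# MAX_DAYS ago. A bundle whose mtime never moves is the warning sign: the OS
# ca-certificates package should be refreshing it, not a cron job fetching cacert.pem.
bundle_is_stale() {
    [ -n "$(find "$1" -mtime +"$2" -print 2>/dev/null)" ]
}

# report OPENSSL_CAFILE CURL_CAINFO: human-readable summary; exit 1 if nothing usable.
report() {
    if bundle=$(resolve_ca_bundle "$1" "$2"); then
        echo "verify=true would use: $bundle"
        echo "certificates in bundle: $(count_certs "$bundle")"
        # 180 days is an arbitrary threshold chosen for this example.
        if bundle_is_stale "$bundle" 180; then
            echo "WARNING: bundle not modified for over 180 days; check that ca-certificates updates are applied"
        fi
    else
        echo "no readable CA bundle found: peer verification cannot succeed"
        return 1
    fi
}

if [ "${1:-}" = "--report" ]; then
    report "${2:-}" "${3:-}"
fi
```

Two facts worth keeping in mind when reading the report on a box like the asker's: PHP 5.3.3 predates both ini settings (`curl.cainfo` arrived in PHP 5.3.7 and `openssl.cafile` in PHP 5.6), so on that version the bundle is whatever the code or the library sets via `CURLOPT_CAINFO`, not php.ini; and on RHEL/CentOS `/etc/pki/tls/certs/ca-bundle.crt` is owned by the `ca-certificates` RPM, so keeping it current is a matter of applying package updates rather than scheduling a download of curl's `cacert.pem`.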

If someday I have an old cert again, my site is going to stop working. Curl should download a new cert by itself, shouldn't it?

The concept of TLS is that the server sends its certificate to the client, shows a proof that it actually owns the private key belonging to the certificate, and then the client checks if the certificate is considered trusted. Trusted means, among other things, that the certificate was issued by a locally trusted CA (certificate authority).

Typically the client has a set of CAs it trusts, e.g. CAs like Let's Encrypt. If the certificate was issued by such an already trusted CA, no changes to the client are needed whenever the certificate is changed, as long as the issuer CA is still trusted and the server is configured properly to provide all intermediate CA certificates which are needed to build the trust path.

If instead you have a self-signed certificate or a certificate signed by some private CA, the client has no kind of trust anchor it can use to verify the certificate. In this case you need to provide the necessary trust anchor to the client. In the case of a private CA it is sufficient to set up the client once with this private CA and it will also accept later certificates issued by this CA. But in the case of a self-signed certificate this means that you need to update the expected certificate at the client whenever you update the certificate at the server. There is no automatic way to do it - because how should the client verify that it gets the correct new certificate without having an established trust to the party providing the new certificate?

Steffen Ullrich

This issue was caused by the change in the certificates of curl. From https://curl.haxx.se/docs/caextract.html

This bundle was generated at Wed Jun 20 03:12:06 2018 GMT .

There is a tool on Linux called update-ca-certificates which solves this problem; also, the curl site says you can run

curl --remote-name --time-cond cacert.pem https://curl.haxx.se/ca/cacert.pem

Just consider that any of these commands may need to be run again in the future if the certificates are renewed again.

lcjury