35

I am trying to download the content of a secure (uses https) webpage using php and curl libraries.

However, reading failed and I get error 60: "SSL certificate problem, verify that the CA cert is OK."

also "Details: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

So...pretty self explanatory error msg's.

My question is: How do I send an SSL certificate (the right one?) and get this page to verify it and let me in?

Also, here is my options array in case you are wondering:

    $options = array(
        CURLOPT_RETURNTRANSFER => true,     // return web page
        CURLOPT_HEADER         => false,    // don't return headers
        CURLOPT_FOLLOWLOCATION => true,     // follow redirects
        CURLOPT_ENCODING       => "",       // handle all encodings
        CURLOPT_USERAGENT      => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.x.x) Gecko/20041107 Firefox/x.x", // who am i
        CURLOPT_AUTOREFERER    => true,     // set referer on redirect
        CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
        CURLOPT_TIMEOUT        => 120,      // timeout on response
        CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
        CURLOPT_SSL_VERIFYHOST => 1,
    );

Any suggestions would be great, Andrew

Andrew

7 Answers

51

It sounds like you might be misinterpreting the error. It looks to me like the site you're connecting to is self-signed or has some other common problem. Just like the usual browser warning, your easiest workaround is to disable the checks.

You'll need to set CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to FALSE. This should disable the two main checks. They may not both be required, but this should at least get you going.

To be clear, this disables a feature designed to protect you. Only do this if you have verified the certificate and server by some other means.

More info on the PHP site: curl_setopt()

Ryann Graham
  • Ya... I read that article before... but setting both these values to false didn't really make sense to me... I guess I don't really know what's going on. However, it worked perfectly, so thanks :) – Andrew Feb 06 '09 at 18:14
  • @MattS it certainly is! I'm going to edit the answer to make that more obvious. – Ryann Graham Sep 18 '13 at 19:42
  • This is not solving anything. This is dangerous behaviour @Ryan, and you should really stop teaching people this. SSL exists for a reason. Not validating certs is defeating the point of having SSL. Make sure you understand why this error is happening, not how you can make it go away. – Ruben Feb 17 '14 at 02:40
  • @Ruben feel free to edit the answer if you feel the existing **bold** disclaimer is not sufficient. – Ryann Graham Feb 18 '14 at 02:48
  • https://web.archive.org/web/20150223140338/http://docforge.com/wiki/PHP/Curl archive of the old page. – Passer by Feb 08 '17 at 10:43
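As an added example (not code from the question or from Ryann Graham's answer), here is the opposite of switching the checks off: a fetch that keeps CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST enabled and tells curl where the CA bundle is, which is what error 60 is actually asking for. The bundle path is resolved from an explicit argument, then the php.ini curl.cainfo setting described in another answer on this page, then OpenSSL's default file. The function names fetch_https and resolve_ca_bundle and the example URL are this example's own assumptions.

```php
<?php
// Added example, not code from the question or any answer on this page.
// Keeps peer and host verification on and points curl at a CA bundle instead.

function resolve_ca_bundle(?string $explicit = null): string
{
    // Assumed search order: explicit path, php.ini curl.cainfo, OpenSSL default.
    $candidates = [$explicit, ini_get('curl.cainfo')];
    if (function_exists('openssl_get_cert_locations')) {          // PHP >= 5.6
        $candidates[] = openssl_get_cert_locations()['default_cert_file'] ?? null;
    }
    foreach ($candidates as $path) {
        if (is_string($path) && $path !== '' && is_readable($path)) {
            return $path;
        }
    }
    throw new RuntimeException(
        'No readable CA bundle found: download cacert.pem (curl.haxx.se/docs/caextract.html), '
        . 'set curl.cainfo in php.ini or pass its path explicitly'
    );
}

function fetch_https(string $url, ?string $caBundle = null): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 10,
        CURLOPT_CONNECTTIMEOUT  => 30,
        CURLOPT_TIMEOUT         => 60,
        // The two protections the answer above switches off stay on.
        CURLOPT_SSL_VERIFYPEER  => true,   // validate the chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST  => 2,      // 2 = name must match; the question's value 1
                                           //     only checked that a name existed and was
                                           //     removed in curl 7.28.1
        CURLOPT_CAINFO          => resolve_ca_bundle($caBundle),
        // Refuse to be redirected from https down to plaintext http.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
    ]);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        // 60 (CURLE_SSL_CACERT / peer verification) is the error from the question;
        // the fix is a correct bundle or a correct server chain, not VERIFYPEER=false.
        throw new RuntimeException("curl failed for {$url} (error {$errno}): {$error}");
    }
    return $body;
}

// Usage (hypothetical URL): a failure here means the trust store or the server's
// certificate chain needs repairing.
try {
    $page = fetch_https('https://www.example.com/');
    echo strlen($page), " bytes fetched with verification on\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

If the fetch still fails with error 60 after the bundle is in place, the problem is usually on the server side (a missing intermediate certificate or a self-signed certificate), which is what the later answers on this page deal with.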
23

If you want to use SSL peer verification (turning it off is not always a good idea), you may use the following solution on Windows, globally for all applications:

  1. Download file with root certificates from here: http://curl.haxx.se/docs/caextract.html
  2. Add to php.ini:

    curl.cainfo=C:/path/to/cacert.pem

That's all the magic; cURL can now verify certificates.

(As far as I know, there is no such problem on Linux, at least on Ubuntu.)

WayFarer
  • This did it! I was having this issue on CentOS 6... so it seems that not all distros are immune :) – Ben D Dec 17 '14 at 21:11
6

Even after following the advice on SO, you may still have problems with an error like:

    error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

The problem is with the SSL version. Use the following for version 3:

    curl_setopt($ch, CURLOPT_SSLVERSION, 3);

I am assuming that you have enabled verification of the peer and host as well, and are pointing to an actual certificate file, e.g.:

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/cacert.pem");

pkanane
2

This is a "problem" with OpenSSL and VeriSign.

I had a similar problem: my OpenSSL was missing the intermediate SSL certificate used by VeriSign to sign the server certificate.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657

I had to import these intermediate certificates from the VeriSign homepage or a Firefox certificate database export into my local ca-certificates list, and after this step I was able to use wget/curl over the protected connection without any errors.

Comradin
  • Could you please help with http://stackoverflow.com/questions/10102225/curl-ssl-certificates – MrPHP Apr 11 '12 at 08:31
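Before importing anything into the local trust store, it is worth checking whether the server is really omitting its intermediate. The following is an added example (not code from Comradin's answer) that uses PHP's OpenSSL stream wrapper to capture the chain a server actually sends and reports whether it is self-signed, leaf-only (the missing-intermediate case above) or a complete chain. Verification is disabled for this single diagnostic handshake only, and nothing is fetched over it. The function names presented_chain, dn_to_string and diagnose_chain and the default host are this example's own.

```php
<?php
// Added example, not from the answer above: look at the certificate chain a
// server presents so a missing intermediate can be told apart from an unknown CA.

function dn_to_string(array $dn): string
{
    // Render openssl_x509_parse()'s subject/issuer arrays in one comparable form.
    $parts = [];
    foreach ($dn as $key => $value) {
        $parts[] = "/{$key}=" . (is_array($value) ? implode(',', $value) : $value);
    }
    return implode('', $parts);
}

function presented_chain(string $host, int $port = 443, int $timeout = 10): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'             => false,  // diagnostic only: observe, do not trust
        'verify_peer_name'        => false,
        'capture_peer_cert_chain' => true,   // keep what the server sent
        'SNI_enabled'             => true,
        'peer_name'               => $host,
    ]]);
    $sock = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr,
                                  $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("TLS connect to {$host}:{$port} failed: {$errstr} ({$errno})");
    }
    $params = stream_context_get_params($sock);
    fclose($sock);

    $chain = [];
    foreach ($params['options']['ssl']['peer_certificate_chain'] as $cert) {
        $info    = openssl_x509_parse($cert);
        $chain[] = [
            'subject'   => dn_to_string($info['subject']),
            'issuer'    => dn_to_string($info['issuer']),
            'not_after' => date('Y-m-d', $info['validTo_time_t']),
        ];
    }
    return $chain;
}

function diagnose_chain(array $chain): string
{
    if ($chain === []) {
        return 'server sent no certificate';
    }
    $leaf = $chain[0];
    if (count($chain) === 1 && $leaf['subject'] === $leaf['issuer']) {
        return 'self-signed certificate: clients must trust it explicitly';
    }
    if (count($chain) === 1) {
        return 'leaf only, issued by ' . $leaf['issuer']
             . ': the server is probably not sending its intermediate certificate';
    }
    // Each certificate should be issued by the next one in the list.
    for ($i = 0; $i < count($chain) - 1; $i++) {
        if ($chain[$i]['issuer'] !== $chain[$i + 1]['subject']) {
            return "chain is out of order or broken between positions {$i} and " . ($i + 1);
        }
    }
    $last = $chain[count($chain) - 1];
    return count($chain) . ' certificates; chain ends at ' . $last['subject']
         . ' (the CA bundle must contain its issuer, or that certificate itself)';
}

// Usage: php chain_check.php www.example.com   (hypothetical default host)
$host  = $_SERVER['argv'][1] ?? 'www.example.com';
$chain = presented_chain($host);
foreach ($chain as $i => $cert) {
    printf("[%d] %s\n    issued by %s, expires %s\n",
           $i, $cert['subject'], $cert['issuer'], $cert['not_after']);
}
echo diagnose_chain($chain), "\n";
```

A "leaf only" result means the fix belongs on the server (configure it to send the intermediate); adding the intermediate to every client's store, as the answer describes, works but has to be repeated on each machine and again when the CA rotates it.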
0

If it's a developer machine, you can also add this certificate to your system. Something like this: https://www.globalsign.com/support/intermediate/intermediate_windows.php It's for Windows XP, but it also works on other versions of Windows.

Paul Seleznev
-1

This is apparently an OpenSSL bug. Tomcat can be configured to work around this in /etc/tomcat7/server.xml by restricting the available cipher list:

    <Connector protocol="HTTP/1.1" SSLEnabled="true" ... ciphers="SSL_RSA_WITH_RC4_128_SHA"/>

Sreedhar GS
-1

You're not SENDing the SSL cert. It appears there's a problem with the SSL cert as it is installed on the host you are contacting. Use the -k or --insecure option to get past the complaint.

Ah. See Ryan Graham's answer.

PartialOrder