I want to use an SMTP service to send an email and a cURL service to verify Google reCAPTCHA. Both of those services throw an error in production but work fine on localhost; that is because in production I have SSL installed on my website. I can disable SSL security and everything works, but I don't want to disable SSL; instead I want to configure the certificate to allow SSL-based cURL and SMTP requests.
I have been trying to resolve the issue below for the past 2 days:
Connection failed. stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I get the above error when submitting the contact form. The form uses cURL, PHPMailer and the SMTP protocol.
The cURL and SMTP code both throw the "certificate verify failed" error.
If I add the code below, then cURL and SMTP no longer throw the error, but it's bad practice:
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
and
$mail->SMTPOptions = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true,
)
);
I am using cURL to verify Google reCAPTCHA:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://www.google.com/recaptcha/api/siteverify');
curl_setopt($ch, CURLOPT_POSTFIELDS, $post); // $post holds 'secret' and 'response' (built earlier, not shown)
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
if ($response === false) {
    error_log('reCAPTCHA request failed: ' . curl_error($ch)); // this is where the certificate verify error surfaces
}
curl_close($ch);
And the SMTP code:
// PHPMailer 6 (namespaced) loaded through Composer; assumed, not shown in the original
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
require 'vendor/autoload.php';

$mail = new PHPMailer(true); // true: throw an Exception on failure instead of returning false
//Set PHPMailer to use SMTP.
$mail->isSMTP();
//Set SMTP host name
$mail->Host = $_ENV['MAIL_HOST'];
//Set this to true if SMTP host requires authentication to send email
$mail->SMTPAuth = true;
//Provide username and password
$mail->Username = $_ENV['MAIL_USERNAME'];
$mail->Password = $_ENV['MAIL_PASSWORD'];
//If SMTP requires TLS encryption then set it ('tls' for STARTTLS, 'ssl' for implicit TLS)
$mail->SMTPSecure = $_ENV['MAIL_ENCRYPTION'];
//Set TCP port to connect to
$mail->Port = $_ENV['MAIL_PORT'];
//Sender address and name come straight from the form (visitor-supplied)
$mail->From = $_POST['email'];
$mail->FromName = $_POST['name'];
$mail->addAddress($_ENV['MAIL_TO'], "Website Name");
$mail->isHTML(true);
$mail->Subject = "Contact Form";
$mail->Body = $htmlBody; // HTML message body (elided in the original post)
try {
    $mail->send();
} catch (Exception $e) {
    error_log('Mail error: ' . $mail->ErrorInfo); // carries the stream_socket_enable_crypto() message
}
I have bought a free 90-day SSL certificate, which came with the "private key", "certificate" and "cabundle" files. I uploaded those files using the cPanel "SSL/TLS Manager" to install the new SSL. It was installed successfully.
And then I retrieved the CA file using the command below:
openssl s_client -showcerts -servername <domain-name> -connect <domain-name>:443 > cacert.pem
I then put the cacert.pem file in /etc/pki/ca-trust/source/anchors
I ran:
update-ca-trust
which printed the following:
p11-kit: overriding trust for anchor in blacklist: addtrust-external-root.p11-kit
p11-kit: overriding trust for anchor in blacklist: addtrust-external-root.p11-kit
p11-kit: overriding trust for anchor in blacklist: addtrust-external-root.p11-kit
p11-kit: overriding trust for anchor in blacklist: addtrust-external-root.p11-kit
p11-kit: overriding trust for anchor in blacklist: addtrust-external-root.p11-kit
I also put the file path in the php.ini file (/usr/local/lib/php.ini):
curl.cainfo="/etc/pki/ca-trust/source/anchors/cacert.pem"
openssl.cafile="/etc/pki/ca-trust/source/anchors/cacert.pem"
but it does not seem to fix the above error.
Server details
Centos 7
Php version: 5.6.33
Server version: Apache/2.4.29 (Unix)
Server built: Jan 30 2018 10:32:28
Cpanel::Easy::Apache v3.34.21 rev9999
I also tried several other solutions found on the web, but with no success.
OPENSSL OUTPUT
CONNECTED(00000003)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
0 s:/CN=www.google.com
i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=www.google.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4905 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 8A52A18E387F9631EE0AFA834011DDCF75482A903AE89C97D530E1A8B5E5DAE8
Session-ID-ctx:
Master-Key: EAA26CCDCD2164763B4D9BCAE033767D992B004613E0C336F7881FC3144BDBC17863C35774BB423838B3FC91376937E7
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 02 92 85 e3 18 4d 5a c1-38 45 ac 34 7c ee a6 53 .....MZ.8E.4|..S
0010 - d9 6c 8f 07 bb 03 6e 0d-d7 02 e6 a6 0a 26 af f8 .l....n......&..
0020 - 3f 51 7b 15 28 fe 5a ac-ee 86 cf 28 b1 c9 04 6b ?Q{.(.Z....(...k
0030 - 75 c3 3c 40 19 2a c2 49-70 c4 3e 50 d2 24 7b c3 u.<@.*.Ip.>P.${.
0040 - 8d a0 63 6e a6 c5 85 28-53 bd 5e 73 57 29 89 49 ..cn...(S.^sW).I
0050 - 9b 42 f8 98 43 be 00 6b-6a af 83 64 a2 d5 ef 69 .B..C..kj..d...i
0060 - cf 7d c1 2d 22 aa f9 b3-19 9e 65 fc a5 1d 72 51 .}.-".....e...rQ
0070 - 6c 74 a8 26 49 12 ec a9-c1 6b 3b 72 e4 13 77 1e lt.&I....k;r..w.
0080 - 90 4e fe 3b 0a 8d 4e 0c-3a 3d 09 d8 2d 6c fa 20 .N.;..N.:=..-l.
0090 - 68 9f 0c 4a c5 28 7d e1-ff b4 5b 68 ae e9 7b 2f h..J.(}...[h..{/
00a0 - 4f 0e 2e 0b 06 8c 9b 18-f0 2f 7a ab 81 5a 15 bb O......../z..Z..
00b0 - 70 24 b4 ef 18 68 c4 33-72 cd 41 07 96 0a a3 6b p$...h.3r.A....k
00c0 - 27 4a 03 91 14 b5 03 c9-0b 73 e8 6d bc f2 6b 4e 'J.......s.m..kN
00d0 - 0c 22 77 85 07 4c 48 52-12 eb 30 c2 fd e7 99 93 ."w..LHR..0.....
Start Time: 1662466836
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
quit
HTTP/1.0 400 Bad Request
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1555
Date: Tue, 06 Sep 2022 12:20:41 GMT
<!DOCTYPE html>
<html lang=en>
<meta charset=utf-8>
<meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
<title>Error 400 (Bad Request)!!1</title>
<style>
*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
</style>
<a href=//www.google.com/><span id=logo aria-label=Google></span></a>
<p><b>400.</b> <ins>That’s an error.</ins>
<p>Your client has issued a malformed or illegal request. <ins>That’s all we know.</ins>
read:errno=0
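As an added example (not the poster's code, and not PHPMailer's or Google's own), the same two calls with verification left on and the CA bundle named explicitly, plus a small check that explains why a file dumped with `openssl s_client -showcerts` does not work as a trust store. It assumes CentOS 7, where `update-ca-trust` regenerates the consolidated bundle at /etc/pki/tls/certs/ca-bundle.crt (that is the file to point curl.cainfo and openssl.cafile at, not the copy in the anchors directory), PHPMailer 6, and an assumed env name RECAPTCHA_SECRET; the MAIL_* names are the question's. Note from the chain printed above that all three dumped certificates, including GTS Root R1, are issued by someone else (GlobalSign Root CA never appears in the dump), so the check below reports no self-signed root in that cacert.pem, which is exactly what OpenSSL 1.0.2 on CentOS 7 needs in a trust file before it will verify anything.

```php
<?php
// Added example, not the poster's code. Assumes CentOS 7's consolidated bundle,
// which update-ca-trust regenerates from the system store plus your anchors.
use PHPMailer\PHPMailer\PHPMailer;

const CA_BUNDLE = '/etc/pki/tls/certs/ca-bundle.crt';

/**
 * List the certificates in a PEM file and report which of them are self-signed
 * (subject == issuer). OpenSSL 1.0.2 (CentOS 7) only accepts a chain once it
 * reaches a self-signed certificate held in the trust file (PHP does not set
 * X509_V_FLAG_PARTIAL_CHAIN), so a file holding only a leaf and intermediates,
 * which is what "openssl s_client -showcerts" dumps, can never verify a peer.
 * Returns ['count' => n, 'roots' => [subject names of self-signed certs]].
 */
function inspectCaFile($path)
{
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("cannot read $path");
    }
    // Ignore the handshake chatter around the blocks; only the PEM bodies matter.
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    $roots = [];
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            continue; // not a parseable certificate
        }
        if ($info['subject'] == $info['issuer']) {
            $roots[] = $info['name'];
        }
    }
    return ['count' => count($m[0]), 'roots' => $roots];
}

/**
 * Verify a reCAPTCHA response with peer and hostname verification on. The CA
 * bundle is set per handle so the result does not depend on php.ini's
 * curl.cainfo. Returns the decoded JSON, or null after logging the cURL error.
 */
function verifyRecaptcha($secret, $response, $remoteIp = null)
{
    $post = ['secret' => $secret, 'response' => $response];
    if ($remoteIp !== null) {
        $post['remoteip'] = $remoteIp;
    }
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($post),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // validate the chain against CA_BUNDLE
        CURLOPT_SSL_VERIFYHOST => 2,     // and require the name to match www.google.com
        CURLOPT_CAINFO         => CA_BUNDLE,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        error_log('reCAPTCHA: ' . curl_error($ch)); // e.g. "SSL certificate problem: ..."
        curl_close($ch);
        return null;
    }
    curl_close($ch);
    return json_decode($body, true);
}

/**
 * Give PHPMailer's SMTP stream the same trust settings. This replaces the
 * verify_peer => false block from the question; SMTPOptions is passed to
 * stream_context_create(), so 'cafile' here is the openssl.cafile equivalent.
 */
function configureSmtpTrust(PHPMailer $mail)
{
    $mail->SMTPOptions = [
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            'cafile'            => CA_BUNDLE,
        ],
    ];
}

// Usage (RECAPTCHA_SECRET is an assumed env name; the rest are from the question):
// var_dump(inspectCaFile('/etc/pki/ca-trust/source/anchors/cacert.pem')); // roots => [] for the s_client dump
// var_dump(inspectCaFile(CA_BUNDLE));                                      // roots => many, incl. GlobalSign Root CA
// $result = verifyRecaptcha($_ENV['RECAPTCHA_SECRET'], $_POST['g-recaptcha-response'], $_SERVER['REMOTE_ADDR']);
// $mail = new PHPMailer(true); configureSmtpTrust($mail); // then the Host/Port/Username setup as above
```

Run inspectCaFile() on both files first: if the system bundle lists GlobalSign Root CA among its self-signed entries, the host trusts the chain shown in the s_client output and the only remaining change is to make PHP use that bundle (CURLOPT_CAINFO / 'cafile' here, or curl.cainfo and openssl.cafile in php.ini) instead of the anchors copy.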