0

I'm trying to send a curl request to an API and I'm getting the error mentioned in the title. I've seen other posts about this error and I've downloaded the CA certificates from https://curl.se/docs/caextract.html, but I'm still having trouble getting around this error.

My code currently looks like this:

    $request = curl_init($url . $endpoint);
    curl_setopt($request, CURLOPT_URL, $url . $endpoint);
    curl_setopt($request, CURLOPT_HTTPHEADER, $header);
    curl_setopt($request, CURLOPT_USERPWD, $username . ":" . $password);
    curl_setopt($request, CURLOPT_CAINFO, [path to CA certificate file, locally stored]);

    $response = curl_exec($request);

Can anyone advise me on what I'm doing wrong here?

Edit: To include it in the question body as requested, here is the error message that I'm seeing in the curl response:

SSL certificate problem: self signed certificate in certificate chain

Edit2: I should also mention that the machine I'm running this on is a Windows machine

B. Allred
  • _"Can anyone advise me on what I'm doing wrong here?"_ - it sounds like you tried to fix the wrong kind of error ...? The error was not about certificates in the chain missing, but about a self-signed certificate being in use. – CBroe Sep 06 '22 at 14:33
  • I just went by what the other posts said to do when handling the error message I mentioned. If you know the right solution here, I'd love to hear it – B. Allred Sep 06 '22 at 14:34
  • Please show error messages in the Question and not the title. Also make sure you show all the error message and not a summary. It's also useful to tell us exactly where the error occurred – RiggsFolly Sep 06 '22 at 14:35
  • It makes no sense to try and add a certificate bundle you downloaded somewhere, when your error is about a self-signed certificate. https://unix.stackexchange.com/q/90450, https://unix.stackexchange.com/q/451207, https://stackoverflow.com/q/27611193/1427878 – CBroe Sep 06 '22 at 14:37
  • @RiggsFolly I've added the error message to the body as you've requested, but that is the entirety of the error message. As for where it occurred, I sent the curl request and this was the error message included in the curl response. That's all I have as far as details. – B. Allred Sep 06 '22 at 14:46
  • Does this answer your question? [PHP CURL CURLOPT\_SSL\_VERIFYPEER ignored](https://stackoverflow.com/questions/15135834/php-curl-curlopt-ssl-verifypeer-ignored) – MikeT Sep 06 '22 at 14:50
  • @MikeT It looks like part of that solution involves setting CURLOPT_SSL_VERIFYHOST to false, which I'm trying to avoid because it's been mentioned in other similar questions that doing so is insecure. – B. Allred Sep 06 '22 at 14:56
  • @RiggsFolly I'm not sure I understand the solutions you've linked to. I know that I'm using a Windows box, so I'm not sure how to implement the Unix based answers. If you have an "explain like I'm five" answer, that would be great. – B. Allred Sep 06 '22 at 15:00
  • It's only insecure if you are connecting to an untrusted server, and in that case you wouldn't be accepting a self-signed certificate as you can't trust it is valid – MikeT Sep 06 '22 at 15:01
  • Don't think I linked to any answers Windows based or Linux based – RiggsFolly Sep 06 '22 at 15:02
  • @MikeT Are you sure? Because a lot of the posts on this error message that I've read have mentioned that solution and a lot of other responses have said very explicitly "Don't use that answer because it opens you up to man-in-the-middle attacks". This response for example: https://stackoverflow.com/a/32812595/5650727 – B. Allred Sep 06 '22 at 15:07
  • Sorry but there is not enough information here to fully understand where the problem actually is. Where is this self signed certificate coming from is what you need to know. Maybe if you showed us a [Minimal, Complete and Verifiable Example](http://stackoverflow.com/help/mcve) we could start to approach a solution – RiggsFolly Sep 06 '22 at 15:08
  • @B.Allred, so you are asking how to securely ignore a warning about an unsecure certificate? – MikeT Sep 06 '22 at 15:09

1 Answer

-1

    $request = curl_init($url . $endpoint);
    curl_setopt($request, CURLOPT_URL, $url . $endpoint);
    curl_setopt($request, CURLOPT_HTTPHEADER, $header);
    curl_setopt($request, CURLOPT_USERPWD, $username . ":" . $password);
    curl_setopt($request, CURLOPT_SSL_VERIFYPEER, FALSE);

    $response = curl_exec($request);

  • This is a solution that will get rid of the error message. However, this solution also gets rid of SSL verification entirely, which opens you up to man in the middle attacks as this comment explains: https://stackoverflow.com/questions/21187946/curl-error-60-ssl-certificate-issue-self-signed-certificate-in-certificate-cha/32812595#32812595. I was told that there is a proper way to address this error without dropping SSL verification and I was hoping for people to elaborate on that here – B. Allred Sep 06 '22 at 17:00
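
One way to find out where the self-signed certificate in the chain comes from, and then trust only that CA while keeping verification on, as an added example that is not part of the original thread. It assumes the self-signed certificate is a root that the API operator legitimately uses; the function names and the `candidate-root-N.pem` file names are hypothetical.

```php
<?php
// Added example, not code from the thread. Inspection run: php inspect.php <api-host>
// Fetch the presented chain; verification is off for this inspection connection only.
function fetch_chain(string $host, int $port = 443): array
{
    $ctx = stream_context_create(['ssl' => ['capture_peer_cert_chain' => true,
        'verify_peer' => false, 'verify_peer_name' => false]]);
    $conn = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($conn === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    // No credentials or HTTP request are sent; only the handshake is performed.
    $chain = stream_context_get_params($conn)['options']['ssl']['peer_certificate_chain'];
    fclose($conn);
    return $chain;
}

// Certificates whose subject equals their issuer: the self-signed ones curl
// rejects. The SHA-256 fingerprint is what you confirm with the CA's operator.
function self_signed_certs(array $chain): array
{
    $found = [];
    foreach ($chain as $cert) {
        $info = openssl_x509_parse($cert);
        if ($info['subject'] == $info['issuer']) {
            openssl_x509_export($cert, $pem);
            $found[] = ['name' => $info['name'], 'pem' => $pem,
                'sha256' => openssl_x509_fingerprint($cert, 'sha256')];
        }
    }
    return $found;
}

// After confirming the fingerprint, append that PEM to a copy of cacert.pem and
// pass the combined file here; peer and host verification stay enabled.
function verified_handle(string $url, string $bundlePath)
{
    $request = curl_init($url);
    curl_setopt($request, CURLOPT_CAINFO, $bundlePath);
    curl_setopt($request, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($request, CURLOPT_SSL_VERIFYHOST, 2);
    return $request;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (self_signed_certs(fetch_chain($argv[1])) as $i => $c) {
        echo "{$c['name']}\n  sha256: {$c['sha256']}\n";
        file_put_contents("candidate-root-$i.pem", $c['pem']);
    }
}
```

If the printed subject and fingerprint do not match a CA that the API operator or your own network team can confirm, the certificate does not belong in the bundle.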