Error code curl error 60 error message ssl certificate problem certificate has expired - Исправление ошибок и поиск оптимальных решений проблем

We running 2 application on amazon EC2 (backend.example.com & frontend.example.com). For that application, we used a paid SSL Certificate. That certificate expiration date at 2021 June. But today, we got an error —

cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

We check certificate expiration date, but there was no problem (2021 June). Then we follow this thread — curl: (60) SSL certificate problem: unable to get local issuer certificate (@Dahomz answer)

After that, when we curl example.com by — curl -v --url https://backend.example.com --cacert /etc/ssl/ssl.cert/cacert.pem, It working fine. Response like —

* Rebuilt URL to: https://backend.example.com/
*   Trying 127.0.0.1...
* Connected to backend.example.com (127.0.0.1) port 443 (#0)
* found 139 certificates in /etc/ssl/ssl.cert/cacert.pem
* found 600 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ******_RSA_***_***_GCM_*****
*    server certificate verification OK
*    server certificate status verification SKIPPED
*    common name: *.example.com (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.example.xyz
*    start date: Mon, 04 May 2019 00:00:00 GMT
*    expire date: Wed, 07 June 2021 23:59:59 GMT
*    issuer: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA
*    compression: NULL
* ALPN, server accepted to use http/1.1

But when we hit from frontend.example.com to backend.example.com by curl, it throws this error —

* Rebuilt URL to: https://backend.example.com/
*   Trying 127.0.0.1...
* Connected to backend.example.com (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/ssl.cert/cacert.pem
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / *****-RSA-*****-GCM-******
* ALPN, server accepted to use http/1.1
* Server certificate:
*    subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.example.com
*    start date: Mar  4 00:00:00 2019 GMT
*    expire date: Apr  7 23:59:59 2021 GMT
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*    SSL certificate verify result: certificate has expired (10), continuing anyway.

My curl code —

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://backend.example.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_STDERR, fopen(public_path("c.log"), 'w'));
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
$output = curl_exec($ch);
$error = curl_error($ch);
$info = curl_getinfo($ch);
curl_close($ch);

Источник

C 30 сентября 2021 года на сайтах WordPress, для которых был установлен сертификат Let’s Encrypt, могут перестать работать HTTP API запросы.

Например такой запрос будет выдавать ошибку:

$res = wp_remote_get( 'https://wp-kama.ru/' );

if( is_wp_error( $res ) ){
	echo $res->get_error_message();
}

Получим:

cURL error 60: SSL certificate problem: certificate has expired

Такую ошибку можно будет увидеть где угодно, например:

в админке при проверке обновлений WordPress
при проверке обновлений плагинов
при обращении к апи любого сервиса. Например, перестанет работать плагин TinyPNG — JPEG, PNG & WebP image compression и куча других, которые используют какие бы то ни было запросы.

Почему мы видим ошибку certificate has expired?

Почему так происходит подробно расписано на хабре.

Если коротко, то в ядре WP есть файл корневых сертификатов /wp-includes/certificates/ca-bundle.crt который используется для проверки SSL всех запросов созданных через HTTP API. В этом файле просрочен один из корневых сертификатов на основе которого был создан сертификат для вашего сайта. Поэтому запрос не может пройти проверку и выдается такая ошибка.

С очередными обновлениями WP эта ошибка должна пропасть, но вот что делать если решение нужно уже сегодня, или если вы не планируете обновлять WordPress, а рабочие HTTP запросы нужны.

Решение ошибки: cURL error 60: SSL certificate has expired

Вариант 1

Нужно обновить контент файла /wp-includes/certificates/ca-bundle.crt изменить его на контент этого файла https://curl.haxx.se/ca/cacert.pem.

Изменять в данном случае файл ядра допустимо, потому что при следующем обновлении WP проблема исчезнет. См. соответствующий коммит на GitHub.

Это можно сделать вручную:

Скачайте файл по ссылке https://curl.haxx.se/ca/cacert.pem.
Обновите контент /wp-includes/certificates/ca-bundle.crt контентом из скаченного файла.

Или используйте следующий код

Использовать код удобно, когда у вас есть возможность запустить код из админки или как-то еще, например через плагин Code Snippets.

Добавьте следующий код куда угодно и перейдите на страницу http://ВАШСАЙТ.com/?update-wp-ca-bundle.

/**
 * Goto http://yoursite.com/?update-wp-ca-bundle
 */
if( isset( $_GET['update-wp-ca-bundle'] ) ){

	$crt_file = ABSPATH . WPINC . '/certificates/ca-bundle.crt';
	$new_crt_url = 'https://curl.haxx.se/ca/cacert.pem';

	if( is_writable( $crt_file ) ){
		$new_str = file_get_contents( $new_crt_url );

		if( $new_str && strpos( $new_str, 'Bundle of CA Root Certificates' ) ){
			$up = file_put_contents( $crt_file, $new_str );

			echo $up ? 'OK: ca-bundle.crt updated' : 'ERROR: can`t put data to ca-bundle.crt';
		}
		else {
			echo 'ERROR: cant download https://curl.haxx.se/ca/cacert.pem';
		}
	}
	else {
		echo 'ERROR: ca-bundle.crt not writable';
	}

	exit;
}

После использования, код нужно удалить.

Вариант 2

Решить проблему можно через хук http_request_args. Этот хук нужно использовать в MU плагине.

Создайте файл loader.php в папке wp-content/mu-plugins (если такой папки у вас нет, создайте её).
Добавьте следующий код в этот файл:
```
<?php

require_once __DIR__ .'/fix-wp-ca-bundle/main.php';
```
Создайте папку wp-content/mu-plugins/fix-wp-ca-bundle.

Создайте файлы: main.php и ca-bundle.crt в папке fix-wp-ca-bundle.

Добавьте следующий код в эти файлы.

Код файла main.php:

<?php

defined( 'ABSPATH' ) || exit;

/**
 * Update the path to the WordPress trusted root certificates.
 *
 * Actual certificates can be downloaded at this link: http://curl.haxx.se/ca/cacert.pem
 */
add_filter( 'http_request_args', 'http_request_change_sslsertificates' );

function http_request_change_sslsertificates( $parsed_args ){

	$parsed_args[ 'sslcertificates' ] = __DIR__ . '/ca-bundle.crt';

	return $parsed_args;
}

Контент файла ca-bundle.crt:

Скопируйте контент этого файла http://curl.haxx.se/ca/cacert.pem

Должна получится такая структура:

Готово! Теперь все должно работать как и прежде.

Источник

‘cURL error 60 SSL certificate problem’ occurs when we make a cURL call to third party services.

Here at Bobcares, we have seen several such cURL command related errors as part of our Server Management Services for web hosts and online service providers.

Today we’ll take a look at the causes for this error and see the fix.

What causes ‘cURL error 60 SSL certificate problem’ error to occur

Digital certificates are mainly used in transferring sensitive content. These digital certificates are issued by certificate authorities or CA.

When a cURL receives a server CA that is not signed by one of the trusted certificates in the installed CA certificate store, then it will lead to an error: “failed to verify the legitimacy of the server” during the SSL handshake. As a result, SSL will then refuse the communication with the server leading to an SSL error.

In short, this error occurs because cURL makes sure to verify and make a secure connection request using a self-signed certificate. But when it doesn’t find any valid certificate then it throws this error message.

How we fix the error ‘cURL error 60 SSL certificate problem’

Now let’s see how our Support Engineers resolve this error message.

1. Re-download the cURL CA-Bundle from the cURL site to fix this error. Here are the steps for it.

First, download the “cacert.pem” from the link: http://curl.haxx.se/docs/caextract.html
Next copy the complete page and save it as “cacert.pem”
Now, open the php.ini file and add the following line in it.
curl.cainfo = “[pathtofile]cacert.pem”
In, case, if the php.ini file doesn’t have the curl.cainfo line, then just add it to the end of the file. Then add the file path where cacert.pem file is saved.
Finally, restart the web server or on Windows, restart the application pool and try the request again.

2. If the insecure certificate is a self-signed, known-trusted certificate, then load the certificate to your local trusted certificate location for your OS.

[Need any further assistance in fixing curl errors? – We are here to help you.]

Conclusion

In short, this error occurs when cURL doesn’t find any valid certificate to communicate over https. Today, we saw how our Support Engineers fix this error.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = «owonCMyG5nEQ0aD71QM»;

Источник

From September 30, 2021, HTTP API requests may stop working on WordPress sites that have a Let’s Encrypt certificate installed.

For example, a request like this will result in an error:

$res = wp_remote_get( 'https://wp-kama.com/' );

if( is_wp_error( $res ) ){
	echo $res->get_error_message();
}

We get it:

cURL error 60: SSL certificate problem: certificate has expired

Such an error can be seen anywhere, for example:

In the admin panel when checking for WordPress updates.
When checking for plugin updates.
When accessing the api of any service. For example, will stop working plugin TinyPNG — JPEG, PNG & WebP image compression and a bunch of others that use any kind of requests.

Why do we see the error certificate has expired?

In brief, WP core has a file of root certificates /wp-includes/certificates/ca-bundle.crt which is used to check SSL of all requests created through HTTP API. In this file one of the root certificates has expired which was used to create a certificate for your site. Therefore, the request can not pass verification and generates this error.

More detailed explanation:

Without going into too much detail, a couple of words for non-specialists as to why the expiration of a DST Root CA X3 certificate will affect certificates issued by Let’s Encrypt. Each system that validates a certificate has its own repository of trusted root certificates. The system will trust certificates that are signed using the private key of one of these root certificates during validation. Root certificates themselves normally have long expiration dates, are seldom changed and are not used when generating end subject certificates (in this case domain name certificates), instead a public key infrastructure implies using chains of trust — root certificates are used to sign intermediate certificates and already using them to sign end subject certificates (domain certificates). Furthermore, in order for a system to trust an end subject certificate, it must be able to trace the full chain from this certificate to one of the root certificates it trusts.

When Let’s Encrypt appeared, its ISRG Root X1 root certificate (like any new root certificate) could not quickly find its way into the trusted certificate stores of a significant number of systems. At the same time, for the successful functioning of the project the issued certificates from the very beginning had to be trusted by the maximum number of systems «out of the box» (without any additional actions from the users of these systems). In this regard, for certificates Let’s Encrypt began to use the chain of trust leading to the root certificate DST Root CA X3, which is recognized by most systems.

With the next WP update this error disappear, but here’s what to do if you need the solution today, or if you do not plan to update WordPress, but need working HTTP requests.

Solution: cURL error 60: SSL certificate has expired

You need to update the content of /wp-includes/certificates/ca-bundle.crt file. You need to change it to the content of the https://curl.se/ca/cacert.pem file.

Changing the core file in this case is acceptable, because the next time you update WP, the problem will go away. See corresponding commit on GitHub.

It can be done manually

Download this file https://curl.se/ca/cacert.pem.
Update content of /wp-includes/certificates/ca-bundle.crt with content from the downloaded file.
DONE! Everything should now work as before.

Or use the following code to perform this operation programmatically

Using the code is handy when you have the ability to run the code from the admin panel, for example using Code Snippets plugin.

Add the following code into the themes functions.php file (or in Code Snippets plugin):
```
/**
 * Goto http://yoursite.com/?update-wp-ca-bundle
 */
if( isset( $_GET['update-wp-ca-bundle'] ) ){

	$crt_file = ABSPATH . WPINC . '/certificates/ca-bundle.crt';
	$new_crt_url = 'http://curl.haxx.se/ca/cacert.pem';

	if( is_writable( $crt_file ) ){
		$new_str = file_get_contents( $new_crt_url );

		if( $new_str && strpos( $new_str, 'Bundle of CA Root Certificates' ) ){
			$up = file_put_contents( $crt_file, $new_str );

			echo $up ? 'OK: ca-bundle.crt updated' : 'ERROR: can`t put data to ca-bundle.crt';
		}
		else {
			echo 'ERROR: can't download curl.haxx.se/ca/cacert.pem';
		}
	}
	else {
		echo 'ERROR: ca-bundle.crt not writable';
	}

	exit;
}
```
After use, delete this code.
Visit http://YOURSITE.com/?update-wp-ca-bundle the page.

Replace YOURSITE.com to your domain…
DONE! Everything should now work as before.

Источник

“cURL error 60: SSL certificate problem: unable to get local issuer certificate” is a common error that occurs when your website tries to communicate with an external API via HTTPS and the SSL certificate on the server is not verified or properly configured. Although this error can be seen on any server you are more likely to see this issue on a localhost environment running on wampp/xampp.

Contact your web host to make sure that the SSL certificate is properly configured on the server. As of PHP 5.6 if the certificate is not verified you will also get a warning notice on your website.

How to fix cURL error 60: SSL certificate problem: unable to get local issuer certificate on localhost

1. Download the cacert.pem file from the official cURL website here.

2. Go the directory where you have installed xampp and put it in the ssl folder. For example,

C:xamppphpextrassslcacert.pem

D:programxamppphpextrassslcacert.pem

3. Open your php.ini file and search for “curl.cainfo”.

4. Once you have found it, specify the path to the .pem file in the curl.cainfo section. For example,

curl.cainfo = "C:xamppphpextrassslcacert.pem"

The line could be commented out with a semicolon right before curl.cainfo. So make sure to uncomment it and replace ;curl.cainfo = with the line above.

5. Restart Apache so the new changes take effect on your localhost server.

That should fix the cURL error 60 issue on your web server. If you have any other suggestions for fixing this issue feel free to share it in the comments.

Источник

In this article, we see how to fix the cURL error 60 SSL certificate problem. cURL error 60: SSL certificate problem: unable to get local issuer certificate error occurs when we try to call the API with the secure https:// protocol in the request URL.

cURL error 60 SSL certificate problem on localhost in xampp and localhost wamp server. Also, you can face a curl 60 SSL certificate problem on windows, In the laravel guzzle SSL certificate issue.

Why does cURL Error 60 SSL certificate Occur?
Your API call tries to run the request URL with only http:// protocol. You can’t see the error anymore because secure API calls require an SSL certificate or https:// protocol.

This error occurs because the API call makes a secure connection request using the self-signed certificate. When it does not find a valid certificate, it throws an error.

How To Fix cURL Error 60 SSL Certificate Problem?

Open http://curl.haxx.se/ca/cacert.pem or Download the “cacert.pem” free certificate file from the official website http://curl.haxx.se/docs/caextract.html
Save it as a “cacert.pem”.
Paste cacert.pem in WAMP user to C:wamp64binphpcacert.pem, for XAMPP user to C:xamppphpextrassslcacert.pem path.
Open php.ini and find this line

;curl.cainfo

Enter fullscreen mode

Exit fullscreen mode

Now, we need to add the path of the certificate to “curl.cainfo” and remove the semicolon(;) as follows.

curl.cainfo = "C:wamp64binphpcacert.pem"

Enter fullscreen mode

Exit fullscreen mode

The most important step is to save and close your php.ini. Restart your WAMP or XAMPP server and try your request again. If you do not set the right path, then you will experience a cURL 77 error.

Источник

From September 30, 2021, WordPress websites that use Let’s Encrypt certificates are having issues with HTTP API requests.

For example, here is an example that will cause this error:

$res = wp_remote_get( 'https://abcdef.com/' );
if( is_wp_error( $res ) ){
	echo $res->get_error_message();
}

the error message:

cURL error 60: SSL certificate problem: certificate has expired

What causes this error?

WordPress core has a root certificate file /wp-includes/certificates/ca-bundle.crt that is used to check SSL for all requests created via HTTP API. In this file, one of the root certificates used to create the certificate for your site has expired. Therefore, the request fails verification and generates this error.

Detailed explanation from the Let’s Encrypt team:

Without going into details, for non-professionals, a few words about why the expired DST Root CA X3certificate will affect the certificate issued by Let’s Encrypt. Every system that verifies certificates has its own repository of trusted root certificates. The system will trust certificates signed with the private key of one of these root certificates during verification. The root certificate itself usually has a long expiration date, is rarely changed and is not used when generating the final subject certificate (domain name certificate in this case). On the contrary, the public key infrastructure means the use of a chain of trust – the root certificate is used To sign the intermediate certificates and have used them to sign the final subject certificate (domain certificate). In addition, in order for the system to trust the final subject certificate, it must be able to trace the complete chain from that certificate to one of the root certificates it trusts.

When Let’s Encrypt appeared, its ISRG Root X1root certificate (just like any new root certificate) could not quickly enter the trusted certificate store of a large number of systems. At the same time, in order for the project to run successfully, the certificates issued from the beginning must be trusted by the largest number of “out-of-the-box” systems (the users of these systems do not have any additional actions). In this regard, for certificates, Let’s Encrypt began to use the chain of trust leading to the root certificate DST Root CA X3, which is recognized by most systems.

https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/

This issue is resolved in WordPress 5.9, but if you are using some older WP version and don’t plan to update WordPress but need a valid HTTP request, here is a quick workaround:

So far I’ve tested only two solutions and here are they:

A: Manually

Step 1. Download the following file: https://curl.se/ca/cacert.pem

chrome EgrUWYOA8I - How to fix curl error 60: SSL certificate problem: certificate has expired error ✅

Step 2. From your FTP/FileManager navigate to the /wp-includes/certificates folder

chrome pCr65ilTOI - How to fix curl error 60: SSL certificate problem: certificate has expired error ✅

Step 3. Replace the content of the ca-bundle.crt file with the downloaded file from step 1

chrome RaKOZygIxO - How to fix curl error 60: SSL certificate problem: certificate has expired error ✅

B: Code Snippet

Step 1. Add the following code snippet inside your theme functions.php file

/**
 * Goto http://yoursite.com/?update-wp-ca-bundle
 */

if( isset( $_GET['update-wp-ca-bundle'] ) ){

	$crt_file = ABSPATH . WPINC . '/certificates/ca-bundle.crt';
	$new_crt_url = 'http://curl.haxx.se/ca/cacert.pem';

	if( is_writable( $crt_file ) ){
		$new_str = file_get_contents( $new_crt_url );

		if( $new_str && strpos( $new_str, 'Bundle of CA Root Certificates' ) ){
			$up = file_put_contents( $crt_file, $new_str );

			echo $up ? 'OK: ca-bundle.crt updated' : 'ERROR: can`t put data to ca-bundle.crt';
		}
		else {
			echo 'ERROR: can't download curl.haxx.se/ca/cacert.pem';
		}
	}
	else {
		echo 'ERROR: ca-bundle.crt not writable';
	}

	exit;
}

Step 2. Visit http://yoursite.com/?update-wp-ca-bundle

Step 3. Remove the snippet from your functions.php file

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit «Cookie Settings» to provide a controlled consent.

Источник

Today out of a sudden all HTTPS requests, that my Ubuntu 14 server sends to websites with SSL certificates issued by Let’s Encrypt, started to fail. The error produced by cURL is:

curl: (60) SSL certificate problem: certificate has expired

When I inspect the website certificates with this command:

echo -n | openssl s_client -showcerts -connect website.com:443 -servername website.com

I see that all the certificate chain is up to date.

So why do I get the expiration error? How to fix it?

asked Oct 1, 2021 at 5:00

The reason is that the «DST Root CA X3» certificate has expired yesterday.

To fix it, just disable the certificate on your server. Run:

sudo dpkg-reconfigure ca-certificates

On the first screen that prompts «Trust new certificates from certificate authorities?» choose «yes». On the next screen press the down arrow key on your keyboard until you find mozilla/DST_Root_CA_X3.crt, press the space bar to deselect it (the [*] should turn into [ ]) and press Enter.

answered Oct 1, 2021 at 5:00

FinesseFinesse

1,0611 gold badge8 silver badges9 bronze badges

Edit the file /etc/ca-certificates.conf

Find and comment with ! the line like this

!mozilla/DST_Root_CA_X3.crt

Save the file and update certificates with command

sudo update-ca-certificates

answered Oct 1, 2021 at 19:08

mikepmikep

4393 silver badges5 bronze badges

FYI on CentOS like (RPM Based) systems, use:

yum reinstall ca-certificates

answered Oct 1, 2021 at 19:19

So why do I get the expiration error?

Android made a design decision to ignore the expiry on root certificates (it’s arguable that expiry on root certificates doesn’t make much sense in the first place).

«lets encrypt» is a relatively new CA and to support existing systems their root was «cross-signed»* by DST. The DST root certificate has now expired but because of the aforementioned android behavior a cross signature is still useful for supporting clients running old versions of andriod.

When such a chain is used on a system with a modern root certificate list the cross signature should be ignored and the IRSG (lets encrypt) root should be used. Unfortunately openssl 1.0.x does not handle this scenario correctly.

This issue can be worked around by removing the old DST root certificate. When this is done the chain will correctly be built to the IRSG root.

* My understanding is that technically the «cross signature» consists of an «intermediate certificate» with the same content and key as Lets Encrypt’s root certificate.

answered Oct 4, 2021 at 4:58

plugwashplugwash

5,7452 gold badges18 silver badges25 bronze badges

Источник