Guzzle curl error 60 ssl certificate problem unable to get local issuer certificate

672

votes

Answer

Solution:

If you are using PHP 5.6 with Guzzle, Guzzle has switched to using the PHP libraries autodetect for certificates rather than it’s process (ref). PHP outlines the changes here.

Finding out Where PHP/Guzzle is Looking for Certificates

You can dump where PHP is looking using the following PHP command:

 var_dump(openssl_get_cert_locations());

Getting a Certificate Bundle

For OS X testing, you can use homebrew to install opensslbrew install openssl and then useopenssl.cafile=/usr/local/etc/openssl/cert.pem in your php.ini or Zend Server settings (under OpenSSL).

A certificate bundle is also available from curl/Mozilla on the curl website: https://curl.haxx.se/docs/caextract.html

Telling PHP Where the Certificates Are

Once you have a bundle, either place it where PHP is already looking (which you found out above) or updateopenssl.cafile in php.ini. (Generally,/etc/php.ini or/etc/php/7.0/cli/php.ini or/etc/php/php.ini on Unix.)

630

votes

Answer

Solution:

Guzzle, which is used by cartalyst/stripe, will do the following to find a proper certificate archive to check a server certificate against:

1. Check ifopenssl.cafile is set in your php.ini file.
2. Check ifcurl.cainfo is set in your php.ini file.
3. Check if/etc/pki/tls/certs/ca-bundle.crt exists (Red Hat, CentOS, Fedora; provided by the ca-certificates package)
4. Check if/etc/ssl/certs/ca-certificates.crt exists (Ubuntu, Debian; provided by the ca-certificates package)
5. Check if/usr/local/share/certs/ca-root-nss.crt exists (FreeBSD; provided by the ca_root_nss package)
6. Check if/usr/local/etc/openssl/cert.pem (OS X; provided by homebrew)
7. Check ifC:windowssystem32curl-ca-bundle.crt exists (Windows)
8. Check ifC:windowscurl-ca-bundle.crt exists (Windows)

You will want to make sure that the values for the first two settings are properly defined by doing a simple test:

echo "openssl.cafile: ", ini_get('openssl.cafile'), "n";
echo "curl.cainfo: ", ini_get('curl.cainfo'), "n";

Alternatively, try to write the file into the locations indicated by #7 or #8.

113

votes

Answer

Solution:

If you’re unable to change php.ini you could also point to the cacert.pem file from code like this:

$http = new GuzzleHttpClient(['verify' => '/path/to/cacert.pem']);
$client = new Google_Client();
$client->setHttpClient($http);

617

votes

Answer

Solution:

What i did was usevar_dump(openssl_get_cert_locations()); die; in any php script, which gave me the information about defaults that my local php was using:

array (size=8)
  'default_cert_file' => string 'c:/openssl-1.0.1c/ssl/cert.pem' (length=30)
  'default_cert_file_env' => string 'SSL_CERT_FILE' (length=13)
  'default_cert_dir' => string 'c:/openssl-1.0.1c/ssl/certs' (length=27)
  'default_cert_dir_env' => string 'SSL_CERT_DIR' (length=12)
  'default_private_dir' => string 'c:/openssl-1.0.1c/ssl/private' (length=29)
  'default_default_cert_area' => string 'c:/openssl-1.0.1c/ssl' (length=21)
  'ini_cafile' => string 'E:xamppphpextrassslcacert.pem' (length=34)
  'ini_capath' => string '' (length=0)

As you can notice, i have set the ini_cafile or the ini option curl.cainfo. But in my case, curl would try to use the «default_cert_file» which did not exist.

I copied the file from https://curl.haxx.se/ca/cacert.pem into the location for «default_cert_file» (c:/openssl-1.0.1c/ssl/cert.pem) and i was able to get it to work.

This was the only solution for me.

368

votes

Answer

Solution:

I had this problem appear out-of-the-blue one day, when a Guzzle(5) script was attempting to connect to a host over SSL. Sure, I could disable the VERIFY option in Guzzle/Curl, but that’s clearly not the correct way to go.

I tried everything listed here and in similar threads, then eventually went to terminal with openssl to test against the domain with which I was trying to connect:

openssl s_client -connect example.com:443 

… and received first few lines indicating:

CONNECTED(00000003)
depth=0 CN = example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = example.com
verify error:num=21:unable to verify the first certificate
verify return:1 

… while everything worked fine when trying other destinations (ie: google.com, etc)

This prompted me to contact the domain I had been trying to connect to, and indeed, they had a problem on THEIR END that had crept up. It was resolved and my script went back to working.

So… if you’re pulling your hair out, give openssl a shot and see if there’s anything up with the response from the location you are attempting to connect. Maybe the issue isn’t so ‘local’ after all sometimes.

905

votes

Answer

Solution:

I found a solution that worked for me. I downgraded from the latest guzzle to version ~4.0 and it worked.

In composer.json add «guzzlehttp/guzzle»: «~4.0»

Hope it helps someone

418

votes

Answer

Solution:

Be sure that you open thephp.ini file directly by your Window Explorer. (in my case:C:DevProgramswamp64binphpphp5.6.25).

Don’t use the shortcut tophp.ini in the Wamp/Xamp icon’s menu in the System Tray. This shortcut doesn’t work in this case.

Then edit thatphp.ini :

curl.cainfo ="C:/DevPrograms/wamp64/bin/php/cacert.pem" 

and

openssl.cafile="C:/DevPrograms/wamp64/bin/php/cacert.pem"

After savingphp.ini you don’t need to «Restart All Services» in Wamp icon or close/re-open CMD.

711

votes

Answer

Solution:

Have you tried..

curl_setopt($process, CURLOPT_SSL_VERIFYPEER, false);

If you are consuming a trusted source you can skip the verify.

667

votes

Answer

Solution:

For WAMP, this is what finally worked for me.
While it is similar to others, the solutions mentioned on this page, and other locations on the web did not work. Some «minor» detail differed.
Either the location to save the PEM file mattered, but was not specified clearly enough.
Or WHICHphp.ini file to be edited was incorrect. Or both.
I’m running a 2020 installation of WAMP 3.2.0 on a Windows 10 machine.

Link to get the pem file:

http://curl.haxx.se/ca/cacert.pem
Copy the entire page and save it as:cacert.pem, in the location mentioned below.

Save the PEM file in this location

<wamp install directory>binphpphp<version>extrasssl
eg saved file and path: «T:wamp64binphpphp7.3.12extrassslcacert.pem»

*(I had originally saved it elsewhere (and indicated the saved location in the php.ini file, but that did not work).
There might, or might not be, other locations also work. This was the recommended location — I do not know why.)

WHERE
<wamp install directory> = path to your WAMP installation.
eg:T:wamp64

<php version> of php that WAMP is running: (to find out, goto:WAMP icon tray -> PHP <version number>
if the version number shown is 7.3.12, then the directory would be: php7.3.12)
eg:php7.3.12

Which php.ini file to edit

To open the properphp.ini file for editing, goto:WAMP icon tray -> PHP -> php.ini.
eg:T:wamp64binapacheapache2.4.41binphp.ini
NOTE: it is NOT the file in the php directory!

Update:
While it looked like I was editing the file:T:wamp64binapacheapache2.4.41binphp.ini,
it was actually editing that file’s symlink target:T:/wamp64/bin/php/php7.3.12/phpForApache.ini.

Note that if you follow the above directions, you are NOT editing aphp.ini file directly. You are actually editing aphpForApache.ini file. (a post with info about symlinks)

If you read the comments at the top of some of thephp.ini files in various WAMP directories, it specifically states to NOT EDIT that particular file.
Make sure that the file you do open for editing does not include this warning.

Installing the extension Link Shell Extension allowed me to see the target of the symlink in the file Properites window, via an added tab. here is an SO answer of mine with more info about this extension.

If you run various versions of php at various times, you may need to save the PEM file in each relevant php directory.

The edits to make in your php.ini file:

Paste the path to your PEM file in the following locations.

• uncomment;curl.cainfo = and paste in the path to your PEM file.
  eg:curl.cainfo = "T:wamp64binphpphp7.3.12extrassslcacert.pem"

• uncomment;openssl.cafile= and paste in the path to your PEM file.
  eg:openssl.cafile="T:wamp64binphpphp7.3.12extrassslcacert.pem"

Credits:

While not an official resource, here is a link back to the YouTube video that got the last of the details straightened out for me: https://www.youtube.com/watch?v=Fn1V4yQNgLs.

36

votes

Answer

Solution:

All of the answers are correct ; but the most important thing is You have to find the right php.ini file.
check this command in cmd » php —ini » is not the right answer for finding the right php.ini file.

if you edit

curl.cainfo ="PATH/cacert.pem"

and check

var_dump(openssl_get_cert_locations()); 

then curl.cainfo should have a value. if not then that’s not right php.ini file;

*I recommend you to search *.ini in wamp/bin or xxamp/bin or any server you use and change them one by one and check it. *

370

votes

Answer

Solution:

I just experienced this same problem with the Laravel 4 php framework which uses theguzzlehttp/guzzle composer package. For some reason, the SSL certificate for mailgun stopped validating suddenly and I got that same «error 60» message.

If, like me, you are on a shared hosting without access tophp.ini, the other solutions are not possible. In any case, Guzzle has this client initializing code that would most likely nullify thephp.ini effects:

// vendor/guzzlehttp/guzzle/src/Client.php
    $settings = [
        'allow_redirects' => true,
        'exceptions'      => true,
        'decode_content'  => true,
        'verify'          => __DIR__ . '/cacert.pem'
    ];

Here Guzzle forces usage of its own internal cacert.pem file, which is probably now out of date, instead of using the one provided by cURL’s environment. Changing this line (on Linux at least) configures Guzzle to use cURL’s default SSL verification logic and fixed my problem:

        'verify'          => true

You can also set this tofalse if you don’t care about the security of your SSL connection, but that’s not a good solution.

Since the files invendor are not meant to be tampered with, a better solution would be to configure the Guzzle client on usage, but this was just too difficult to do in Laravel 4.

Hope this saves someone else a couple hours of debugging…

314

votes

Answer

Solution:

This might be an edge case, but in my case the problem was not the client conf (I already had curl.cainfo configured in php.ini), but rather the remote server not being configured properly:

It did not send any intermediate certs in the chain. There was no error browsing the site using Chrome, but with PHP I got following error.

cURL error 60

After including the Intermediate Certs in the remote webserver configuration it worked.

You can use this site to check the SSL configuration of your server:

https://whatsmychaincert.com/

235

votes

Answer

Solution:

when I run'var_dump(php_ini_loaded_file());'
I get this output on my page'C:Developmentbinapacheapache2.4.33binphp.ini' (length=50)'

and to get php to load my cert file I had to edit the php.ini in this path'C:Developmentbinapacheapache2.4.33binphp.ini'
and addopenssl.cafile="C:/Development/bin/php/php7.2.4/extras/ssl/cacert.pem" where I had downloaded and place my cert file from https://curl.haxx.se/docs/caextract.html

am on windows 10, using drupal 8, wamp and php7.2.4

964

votes

Answer

Solution:

I’m using Centos 7 with the free version of virtualmin. With Virtualmin you can create a wordpress website. There is functionality that will automatically update your ssl certificate for you. I noticed that /etc/httpd/conf/httpd.conf did not contain an entry for SSLCertificateChainFile. Which should be set to something like /home/websitename/ssl.combined. Updating that file accordingly and restarting apache fix this problem for me. I discovered my issue trying to install a jetpack plugin for wordpress. A search on the internet led me to realize that I didn’t have SSL Configured. I followed Redhat’s instructions on how to install a certificate. I hope this was useful to someone.

626

votes

Answer

Solution:

Guzzle Version 5

This default config is working good for mine. It will disable https required.

  $options = [
    'defaults' => ['verify' => false],
  ];
  new GuzzleClient($options);

In other case, you want to set path of ca, change to:

['verify' => '/path/to/cacert.pem']

814

votes

Answer

Solution:

For those of you who are trying to use WordPress’s application password functionality on your local machine. You need to update thewp-includescertificatesca-bundle.crt

Open this file in a text editor and append your server’s certificate.

1. Open your self-signed certificate(.crt) file and

2. Copy all between and including

—-BEGIN CERTIFICATE——

——END CERTIFICATE——

1. Paste at the end of thewp-includescertificatesca-bundle.crt

771

votes

Answer

Solution:

I have a proper solution of this problem, lets try and understand the root cause of this issue. This issue comes when remote servers ssl cannot be verified using root certificates in your system’s certificate store or remote ssl is not installed along with chain certificates. If you have a linux system with root ssh access, then in this case you can try updating your certificate store with below command:

update-ca-certificates

If still, it doesn’t work then you need to add root and interim certificate of remote server in your cert store. You can download root and intermediate certs and add them in /usr/local/share/ca-certificates directory and then run command update-ca-certificates. This should do the trick. Similarly for windows you can search how to add root and intermediate cert.

The other way you can solve this problem is by asking remote server team to add ssl certificate as a bundle of domain root cert, intermediate cert and root cert.

606

votes

Answer

Solution:

As you are using Windows, I think your path separator is » (and ‘/’ on Linux).
Try using the constantDIRECTORY_SEPARATOR. Your code will be more portable.

Try:

curl_setopt($process, CURLOPT_CAINFO, dirname(__FILE__) . DIRECTORY_SEPARATOR . 'cacert.pem');

EDIT: and write the full path. I had some issues with relative paths (perhaps curl is executed from another base directory?)

532

votes

Answer

Solution:

if you use WAMP you should also add the certificate line in php.ini for Apache (besides the default php.ini file):

[curl]
curl.cainfo = C:your_locationcacert.pem

works for php5.3+

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED