cURL error 60 SSL certificate unable to get local issuer certificate

Question

I use WAMP on a local development environment and am trying to charge a credit card but get the error message      cURL error 60  SSL certificate problem  unable to get local issuer certificate   I searched a lot on Google and lots of people are suggesting that I download this file  cacert pem  put it somewhere and reference it in my php ini  This is the part in my php ini   curl cainfo    C  Windows cacert pem    Yet  even after restarting my server several times and changing the path  I get the same error message    I use WAMP from the Apache Modules and have the ssl module enabled  And from the PGP extensions I have php curl enabled   Still the same error message  Why is that happening   Now I am following this fix  How to fix PHP CURL Error 60 SSL  Which suggests that I add these lines to my cURL options   curl setopt  process  CURLOPT CAINFO  dirname   FILE        cacert pem    curl setopt  process  CURLOPT SSL VERIFYPEER  true     Where do I add options to my cURL  Apparently not through the command line  since my CLI doesn t find the command  curl setopt   EDIT  This is the code I am running   public function chargeStripe          stripe   new Stripe       stripe   Stripe  make env  STRIPE PUBLIC KEY           charge    stripe- gt charges  - gt create            amount      gt  2900           customer    gt  Input  get  stripeEmail             currency    gt   EUR                dd  charge           echo  charge Input  get  stripeToken           return Redirect  route  step1

User · Accepted Answer

Working solution assuming your on Windows using XAMPP:

XAMPP server

Similar for other environment
- download and extract for cacert.pem here (a clean file format/data)

https://curl.haxx.se/docs/caextract.html

Put it here in the following directory.

C:\xampp\php\extras\ssl\cacert.pem

In your php.ini put this line in this section ("c:\xampp\php\php.ini"):

;;;;;;;;;;;;;;;;;;;;
; php.ini Options  ;
;;;;;;;;;;;;;;;;;;;;

curl.cainfo = "C:\xampp\php\extras\ssl\cacert.pem"

Restart your webserver/apache
Problem solved!

(Reference: https://laracasts.com/discuss/channels/general-discussion/curl-error-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate)

User · Answer

If you are using PHP 5 6 with Guzzle  Guzzle has switched to using the PHP libraries autodetect for certificates rather than it s process  ref    PHP outlines the changes here  Finding out Where PHP Guzzle is Looking for Certificates You can dump where PHP is looking using the following PHP command   var dump openssl get cert locations      Getting a Certificate Bundle For OS X testing  you can use homebrew to install openssl brew install openssl and then use openssl cafile  usr local etc openssl cert pem in your php ini or Zend Server settings  under OpenSSL   A certificate bundle is also available from curl Mozilla on the curl website  https   curl haxx se docs caextract html Telling PHP Where the Certificates Are Once you have a bundle  either place it where PHP is already looking  which you found out above  or update openssl cafile in php ini    Generally   etc php ini or  etc php 7 0 cli php ini or  etc php php ini on Unix

User · Answer

If you re unable to change php ini you could also point to the cacert pem file from code like this    http   new GuzzleHttp Client   verify    gt    path to cacert pem      client   new Google Client     client- gt setHttpClient  http

User · Answer

when I run  var dump php ini loaded file      I get this output on my page  C  Development bin apache apache2 4 33 bin php ini   length 50    and to get php to load my cert file I had to edit the php ini in this path  C  Development bin apache apache2 4 33 bin php ini  and add openssl cafile  C  Development bin php php7 2 4 extras ssl cacert pem  where I had downloaded and place my cert file from https   curl haxx se docs caextract html  am on windows 10  using drupal 8  wamp and php7 2 4

User · Answer

Be sure that you open the php ini file directly by your Window Explorer   in my case  C  DevPrograms wamp64 bin php php5 6 25     Don t use the shortcut to php ini in the Wamp Xamp icon s menu in the System Tray  This shortcut doesn t work in this case   Then edit that php ini    curl cainfo   C  DevPrograms wamp64 bin php cacert pem     and  openssl cafile  C  DevPrograms wamp64 bin php cacert pem    After saving php ini you don t need to  Restart All Services  in Wamp icon or close re-open CMD

User · Answer

Attention Wamp Wordpress windows users  I had this issue for hours and not even the correct answer was doing it for me  because i was editing the wrong php ini file because the question was answered to XAMPP and not for WAMP users  even though the question was for WAMP    here s what i did  Download the certificate bundle   Put it inside of C  wamp64 bin php your php version extras ssl  Make sure the file mod ssl so is inside of C  wamp64 bin apache apache version  modules  Enable mod ssl in httpd conf inside of Apache directory C  wamp64 bin apache apache2 4 27 conf  Enable php openssl dll in php ini  Be aware my problem was that I had two php ini files and I need to do this in both of them  First one can be located inside of your WAMP taskbar icon here     and the other one is located in C  wamp64 bin php php Version   find the location for both of the php ini files and find the line curl cainfo   and give it a path like this  curl cainfo    C  wamp64 bin php php Version  extras ssl cacert pem   Now save the files and restart your server and you should be good to go

User · Answer

I had this problem appear out-of-the-blue one day  when a Guzzle 5  script was attempting to connect to a host over SSL  Sure  I could disable the VERIFY option in Guzzle Curl  but that s clearly not the correct way to go   I tried everything listed here and in similar threads  then eventually went to terminal with openssl to test against the domain with which I was trying to connect   openssl s client -connect example com 443        and received first few lines indicating   CONNECTED 00000003  depth 0 CN   example com verify error num 20 unable to get local issuer certificate verify return 1 depth 0 CN   example com verify error num 21 unable to verify the first certificate verify return 1        while everything worked fine when trying other destinations  ie  google com  etc   This prompted me to contact the domain I had been trying to connect to  and indeed  they had a problem on THEIR END that had crept up   It was resolved and my script went back to working   So    if you re pulling your hair out  give openssl a shot and see if there s anything up with the response from the location you are attempting to connect  Maybe the issue isn t so  local  after all sometimes

User · Answer

Guzzle  which is used by cartalyst stripe  will do the following to find a proper certificate archive to check a server certificate against    Check if openssl cafile is set in your php ini file  Check if curl cainfo is set in your php ini file  Check if  etc pki tls certs ca-bundle crt exists  Red Hat  CentOS  Fedora  provided by the ca-certificates package  Check if  etc ssl certs ca-certificates crt exists  Ubuntu  Debian  provided by the ca-certificates package  Check if  usr local share certs ca-root-nss crt exists  FreeBSD  provided by the ca root nss package  Check if  usr local etc openssl cert pem  OS X  provided by homebrew  Check if C  windows system32 curl-ca-bundle crt exists  Windows  Check if C  windows curl-ca-bundle crt exists  Windows    You will want to make sure that the values for the first two settings are properly defined by doing a simple test   echo  openssl cafile     ini get  openssl cafile      n   echo  curl cainfo     ini get  curl cainfo      n     Alternatively  try to write the file into the locations indicated by  7 or  8

User · Answer

I found a solution that worked for me  I downgraded from the latest guzzle to version  4 0 and it worked   In composer json add  guzzlehttp guzzle     4 0   Hope it helps someone

User · Answer

What i did was use var dump openssl get cert locations     die  in any php script  which gave me the information about defaults that my local php was using   array  size 8     default cert file    gt  string  c  openssl-1 0 1c ssl cert pem   length 30     default cert file env    gt  string  SSL CERT FILE   length 13     default cert dir    gt  string  c  openssl-1 0 1c ssl certs   length 27     default cert dir env    gt  string  SSL CERT DIR   length 12     default private dir    gt  string  c  openssl-1 0 1c ssl private   length 29     default default cert area    gt  string  c  openssl-1 0 1c ssl   length 21     ini cafile    gt  string  E  xampp php extras ssl cacert pem   length 34     ini capath    gt  string     length 0    As you can notice  i have set the ini cafile or the ini option curl cainfo  But in my case  curl would try to use the  default cert file  which did not exist    I copied the file from https   curl haxx se ca cacert pem into the location for  default cert file   c  openssl-1 0 1c ssl cert pem  and i was able to get it to work    This was the only solution for me

User · Answer

This might be an edge case  but in my case the problem was not the client conf  I already had curl cainfo configured in php ini   but rather the remote server not being configured properly    It did not send any intermediate certs in the chain  There was no error browsing the site using Chrome  but with PHP I got following error      cURL error 60   After including the Intermediate Certs in the remote webserver configuration it worked   You can use this site to check the SSL configuration of your server    https   whatsmychaincert com

User · Answer

I spent too much time to figure out this problem for me   I had PHP version 5 5 and I needed to upgrade to 5 6   In versions  lt  5 6 Guzzle will use it s own cacert pem file  but in higher versions of PHP it will use system s cacert pem file   I also downloaded file from here https   curl haxx se docs caextract html and set it in php ini   Answer found in Guzzles StreamHandler php file https   github com guzzle guzzle blob 0773d442aa96baf19d7195f14ba6e9c2da11f8ed src Handler StreamHandler php L437              PHP 5 6 or greater will find the system cert by default  When             lt  5 6  use the Guzzle bundled cacert

User · Answer

All of the answers are correct   but the most important thing is You have to find the right php ini file   check this command in cmd   php --ini    is not the right answer for finding the right php ini file   if you edit  curl cainfo   PATH cacert pem    and check  var dump openssl get cert locations        then curl cainfo should have a value  if not then that s not right php ini file    I recommend you to search   ini  in wamp bin or xxamp bin or any server you use and change them one by one and check it

User · Answer

if you use WAMP you should also add the certificate line in php ini for Apache  besides the default php ini file     curl  curl cainfo   C  your location cacert pem   works for php5 3

User · Answer

Have you tried   curl setopt  process  CURLOPT SSL VERIFYPEER  false    If you are consuming a trusted source you can skip the verify

User · Answer

I just experienced this same problem with the Laravel 4 php framework which uses the guzzlehttp guzzle composer package  For some reason  the SSL certificate for mailgun stopped validating suddenly and I got that same  error 60  message   If  like me  you are on a shared hosting without access to php ini  the other solutions are not possible  In any case  Guzzle has this client initializing code that would most likely nullify the php ini effects      vendor guzzlehttp guzzle src Client php      settings              allow redirects    gt  true           exceptions         gt  true           decode content     gt  true           verify             gt    DIR       cacert pem           Here Guzzle forces usage of its own internal cacert pem file  which is probably now out of date  instead of using the one provided by cURL s environment  Changing this line  on Linux at least  configures Guzzle to use cURL s default SSL verification logic and fixed my problem            verify             gt  true   You can also set this to false if you don t care about the security of your SSL connection  but that s not a good solution   Since the files in vendor are not meant to be tampered with  a better solution would be to configure the Guzzle client on usage  but this was just too difficult to do in Laravel 4   Hope this saves someone else a couple hours of debugging

User · Answer

For WAMP  this is what finally worked for me  While it is similar to others  the solutions mentioned on this page  and other locations on the web did not work  Some  quot minor quot  detail differed  Either the location to save the PEM file mattered  but was not specified clearly enough  Or WHICH php ini file to be edited was incorrect  Or both  I m running a 2020 installation of WAMP 3 2 0 on a Windows 10 machine  Link to get the pem file  http   curl haxx se ca cacert pem Copy the entire page and save it as  cacert pem  in the location mentioned below  Save the PEM file in this location  lt wamp install directory gt  bin php php lt version gt  extras ssl eg saved file and path   quot T  wamp64 bin php php7 3 12 extras ssl cacert pem quot    I had originally saved it elsewhere  and indicated the saved location in the php ini file  but that did not work   There might  or might not be  other locations also work  This was the recommended location - I do not know why   WHERE  lt wamp install directory gt    path to your WAMP installation  eg   T  wamp64   lt php version gt  of php that WAMP is running   to find out  goto  WAMP icon tray - gt   PHP    lt version number gt  if the version number shown is 7 3 12  then the directory would be  php7 3 12  eg  php7 3 12 Which php ini file to edit To open the proper php ini file for editing  goto  WAMP icon tray - gt   PHP - gt  php ini  eg  T  wamp64 bin apache apache2 4 41 bin php ini NOTE  it is NOT the file in the php directory  Update  While it looked like I was editing the file    T  wamp64 bin apache apache2 4 41 bin php ini  it was actually editing that file s symlink target   T  wamp64 bin php php7 3 12 phpForApache ini  Note that if you follow the above directions  you are NOT editing a php ini file directly   You are actually editing a phpForApache ini file    a post with info about symlinks  If you read the comments at the top of some of the php ini files in various WAMP directories  it specifically states to NOT EDIT that particular file  Make sure that the file you do open for editing does not include this warning  Installing the extension  Link Shell Extension allowed me to see the target of the symlink in the file Properites window  via an added tab   here is an SO answer of mine with more info about this extension  If you run various versions of php at various times  you may need to save the PEM file in each relevant php directory  The edits to make in your php ini file  Paste the path to your PEM file in the following locations   uncomment  curl cainfo   and paste in the path to your PEM file  eg  curl cainfo    quot T  wamp64 bin php php7 3 12 extras ssl cacert pem quot   uncomment  openssl cafile  and paste in the path to your PEM file  eg  openssl cafile  quot T  wamp64 bin php php7 3 12 extras ssl cacert pem quot    Credits  While not an official resource  here is a link back to the YouTube video that got the last of the details straightened out for me  https   www youtube com watch v Fn1V4yQNgLs

User · Answer

I have a proper solution of this problem  lets try and understand the root cause of this issue  This issue comes when remote servers ssl cannot be verified using root certificates in your system s certificate store or remote ssl is not installed along with chain certificates  If you have a linux system with root ssh access  then in this case you can try updating your certificate store with below command   update-ca-certificates  If still  it doesn t work then you need to add root and interim certificate of remote server in your cert store  You can download root and intermediate certs and add them in  usr local share ca-certificates directory and then run command update-ca-certificates  This should do the trick  Similarly for windows you can search how to add root and intermediate cert   The other way you can solve this problem is by asking remote server team to add ssl certificate as a bundle of domain root cert  intermediate cert and root cert

User · Answer

As you are using Windows  I think your path separator is      and     on Linux    Try using the constant DIRECTORY SEPARATOR  Your code will be more portable    Try   curl setopt  process  CURLOPT CAINFO  dirname   FILE      DIRECTORY SEPARATOR    cacert pem      EDIT  and write the full path  I had some issues with relative paths  perhaps curl is executed from another base directory

[php] cURL error 60: SSL certificate: unable to get local issuer certificate

Examples related to php

Examples related to ssl

Examples related to curl

Examples related to wamp

Examples related to stripe-payments