Hello everyone,
I am facing a challenging issue with a PHP application that involves cURL and SSL. The application is designed to connect to a remote server over HTTPS. This server employs a certificate issued by a custom internal Certificate Authority (CA) rather than a well-known public CA.
When I try accessing the server through a web browser after adding the custom CA certificate to the system trust store, it works fine. However, when I attempt to connect using my PHP script via cURL, I’m met with an SSL certificate problem.
Here is a snippet of the PHP code:
```php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://my-secure-server.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Keep peer verification on and trust only the custom internal CA file
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/custom/ca_certificate.pem');
$response = curl_exec($ch);
if ($response === false) {
    echo 'Error: ' . curl_error($ch);
}
curl_close($ch);
```
The error I keep getting is:
```
Error: SSL certificate problem: unable to get local issuer certificate
```
I’ve confirmed that the path to the CA certificate file is correct, the file is readable by the PHP process, and its format is correct (PEM encoded).
I’ve also attempted to use `CURLOPT_CAPATH` pointing to the directory of the certificate, but the result is the same. Additionally, I’ve checked that `openssl.cafile` and `curl.cainfo` are properly set in my php.ini file.
Could anyone offer some guidance on why my PHP application is not recognizing the SSL certificate even though it’s valid and trusted by the system? I’m using PHP 7.4, cURL 7.68, and OpenSSL 1.1.1.
Hello,
Given what you’ve already tried, there’s a possibility that the issue lies within the chain of trust from your custom CA to the certificate on your secure server.
Having said that, before I suggest any solutions, I would like to note that you are using some older versions of your software.
My first suggestion would be to update your system to the latest possible version, especially if you are building a new application, and give it another try. If it doesn’t work, we can try exploring more troubleshooting options regarding your CA.
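
One way a chain-of-trust gap like the one suggested above produces this exact error, shown as an added example that is not part of the original thread. It builds a constructed root, intermediate and server certificate (all names, files and the helper functions `make_chain` and `check_leaf` are made up for the demo) and assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root CA -> intermediate CA -> server certificate.
# Every name and file below is made up; nothing contacts the real server.

make_chain() {  # $1 = empty working directory
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  # Self-signed root: the certificate the client is told to trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 1 -days 30 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
  # Server certificate, signed by the intermediate (not by the root).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.internal" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -set_serial 2 -days 30 -out "$1/leaf.pem" 2>/dev/null
  # CA file holding the whole chain above the server certificate.
  cat "$1/int.pem" "$1/root.pem" > "$1/bundle.pem"
}

# Print OpenSSL's verdict for the server certificate.
# $1 = directory, $2 = CA file (the role CURLOPT_CAINFO plays),
# $3 = optional intermediates the server sends in the handshake.
check_leaf() {
  if out=$(openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1/leaf.pem" 2>&1); then
    echo "OK"
  else
    printf '%s\n' "$out" | sed -n 's/.*lookup: *//p' | head -n 1
  fi
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
echo "root only in CA file, server sends leaf only:  $(check_leaf "$demo_dir" "$demo_dir/root.pem")"
echo "root only in CA file, server sends full chain: $(check_leaf "$demo_dir" "$demo_dir/root.pem" "$demo_dir/int.pem")"
echo "intermediate + root in CA file, leaf only:     $(check_leaf "$demo_dir" "$demo_dir/bundle.pem")"
```

To see which certificates a real server actually sends, `openssl s_client -connect host:443 -showcerts` lists them. If the intermediate is missing there, either the server configuration needs the full chain or the file given to `CURLOPT_CAINFO` needs the intermediate as well as the root.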