For WAMP, this is what finally worked for me.
While it is similar to others, the solutions mentioned on this page, and other locations on the web did not work. Some «minor» detail differed.
Either the location to save the PEM file mattered, but was not specified clearly enough.
Or WHICH php.ini file to be edited was incorrect. Or both.
I’m running a 2020 installation of WAMP 3.2.0 on a Windows 10 machine.
Link to get the pem file:
http://curl.haxx.se/ca/cacert.pem
Copy the entire page and save it as: cacert.pem, in the location mentioned below.
Save the PEM file in this location
<wamp install directory>\bin\php\php<version>\extras\ssl
eg saved file and path: «T:\wamp64\bin\php\php7.3.12\extras\ssl\cacert.pem»
*(I had originally saved it elsewhere (and indicated the saved location in the php.ini file, but that did not work).
There might, or might not be, other locations that also work. This was the recommended location — I do not know why.)
WHERE
<wamp install directory> = path to your WAMP installation.
eg: T:\wamp64
<php version> of php that WAMP is running: (to find out, goto: WAMP icon tray -> PHP <version number>
if the version number shown is 7.3.12, then the directory would be: php7.3.12)
eg: php7.3.12
Which php.ini file to edit
To open the proper php.ini file for editing, go to: WAMP icon tray -> PHP -> php.ini.
eg: T:\wamp64\bin\apache\apache2.4.41\bin\php.ini
NOTE: it is NOT the file in the php directory!
Update:
While it looked like I was editing the file: T:\wamp64\bin\apache\apache2.4.41\bin\php.ini,
it was actually editing that file’s symlink target: T:/wamp64/bin/php/php7.3.12/phpForApache.ini.
Note that if you follow the above directions, you are NOT editing a php.ini file directly. You are actually editing a phpForApache.ini file. (a post with info about symlinks)
If you read the comments at the top of some of the php.ini files in various WAMP directories, it specifically states to NOT EDIT that particular file.
Make sure that the file you do open for editing does not include this warning.
Installing the extension Link Shell Extension allowed me to see the target of the symlink in the file Properties window, via an added tab. Here is an SO answer of mine with more info about this extension.
If you run various versions of php at various times, you may need to save the PEM file in each relevant php directory.
The edits to make in your php.ini file:
Paste the path to your PEM file in the following locations.
- uncomment ;curl.cainfo = and paste in the path to your PEM file.
  eg: curl.cainfo = "T:\wamp64\bin\php\php7.3.12\extras\ssl\cacert.pem"
- uncomment ;openssl.cafile= and paste in the path to your PEM file.
  eg: openssl.cafile="T:\wamp64\bin\php\php7.3.12\extras\ssl\cacert.pem"
Credits:
While not an official resource, here is a link back to the YouTube video that got the last of the details straightened out for me: https://www.youtube.com/watch?v=Fn1V4yQNgLs.
If you are using PHP’s cURL functions to connect to an HTTPS URL, then you might come across the following error:
SSL certificate problem: unable to get local issuer certificate. (cURL error code 60)
This is a common error when you use cURL functions to connect to an HTTPS website.
In plain English, it means that cURL has not been given a CA certificate bundle containing the issuer of the server's certificate, so it cannot verify the certificate the server presents.
The quick fix.
If you do not care about security and are looking for a quick fix, then you can simply disable the following cURL options:
- CURLOPT_SSL_VERIFYHOST: This option tells cURL that it must verify the host name in the server cert.
- CURLOPT_SSL_VERIFYPEER: This option tells cURL to verify the authenticity of the SSL cert on the server.
Disabling these two options disables SSL verification.
To disable these two options, you can use the curl_setopt function like so:
//The URL we are connecting to.
$url = 'https://google.com';
//Initiate cURL.
$ch = curl_init($url);
//Disable CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER by
//setting them to false.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
//Execute the request.
curl_exec($ch);
//Check for errors.
if(curl_errno($ch)){
throw new Exception(curl_error($ch));
}
The PHP code above essentially tells cURL that we don’t care if the server has a valid SSL cert or not. We want to connect to it anyway.
The problem with this method is that it is insecure and it leaves you open to man-in-the-middle attacks. Simply put, this means that an attacker could potentially intercept the data that you are sending in your cURL requests.
Using a cert with PHP’s cURL functions.
To use a certificate with PHP’s cURL functions, you can download the cacert.pem certificate bundle from the official cURL website.
Once you have downloaded the cacert.pem file, you should move it to whatever directory makes the most sense for you and your setup.
For example, on Windows, I moved my bundle to C:\wamp\cacert.pem
Then, you can simply tell cURL where your certificate bundle is located by using the curl_setopt function:
//Tell cURL where our certificate bundle is located.
$certificate = 'C:\wamp\cacert.pem';
curl_setopt($ch, CURLOPT_CAINFO, $certificate);
//CURLOPT_CAPATH expects a directory of hashed certificates, not a bundle file, so it is not set here.
This allows us to make a secure request to the server and prevent any man-in-the-middle attacks.
Adding the cert to your php.ini file.
If you don’t like the thought of having to specify the location of the certificate bundle in your PHP code, then you can add its path information to your php.ini file like so:
curl.cainfo="C:\wamp\cacert.pem"
openssl.cafile="C:\wamp\cacert.pem"
Once you add the above lines to your php.ini file, make sure that you reload the web server / PHP process so that the changes take effect.
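The most common reason these php.ini lines appear to have no effect is that they were added to an ini file the web server does not load. The script below is an added example, not code from the original page: it reports the ini file actually loaded and checks that each setting points at a readable PEM bundle. The function name inspect_ca_bundle is hypothetical, and the script assumes the curl and openssl extensions are enabled.

```php
<?php
// Added example (not from the original page): show which ini file this SAPI
// loaded and whether curl.cainfo / openssl.cafile point at a usable bundle.
// Assumes the curl and openssl extensions are enabled.

function inspect_ca_bundle(?string $path): array
{
    if ($path === null || $path === '') {
        return ['ok' => false, 'reason' => 'setting is empty or still commented out'];
    }
    if (!is_file($path) || !is_readable($path)) {
        return ['ok' => false, 'reason' => "not a readable file: $path"];
    }
    // Collect every PEM certificate block in the file.
    $count = preg_match_all(
        '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        (string) file_get_contents($path),
        $blocks
    );
    if (!$count) {
        return ['ok' => false, 'reason' => 'file contains no PEM certificates'];
    }
    // Expired roots indicate a stale bundle that should be downloaded again.
    $expired = 0;
    foreach ($blocks[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info !== false && $info['validTo_time_t'] < time()) {
            $expired++;
        }
    }
    return ['ok' => true, 'certificates' => $count, 'expired' => $expired];
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
echo 'SAPI:           ', PHP_SAPI, PHP_EOL;
echo 'Loaded ini:     ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
foreach (['curl.cainfo', 'openssl.cafile'] as $key) {
    $value = ini_get($key); // false when the extension is not loaded
    $result = inspect_ca_bundle($value === false ? null : $value);
    echo str_pad($key . ':', 16), json_encode($result), PHP_EOL;
}
```

Request the script through the web server rather than running it from the command line, because each SAPI can load a different ini file.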
Enabling mod_ssl and php_openssl.dll.
If you are using Apache and PHP on Windows, then you might need to enable both mod_ssl and php_openssl.dll.
To enable mod_ssl, you can add the following to your Apache configuration file:
LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so
The configuration line above presumes that a file called mod_ssl.so exists in a Linux directory called “/usr/lib/httpd/modules/”.
On Windows, this directory might be something like “C:\wamp\bin\apache\apache2.4.9\modules”.
You will need to change this line to match your own Apache setup.
To enable php_openssl.dll, you will need to uncomment the following line in your php.ini file:
extension=php_openssl.dll
As always, you should test your configurations and then reload your server for any changes to take effect.
When sending a request with cURL, you may get the following error: «SSL certificate problem: unable to get local issuer certificate».
You can simply disable SSL certificate verification. For example, like this:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://sitkodenis.ru');
...
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$result = curl_exec($ch);
A more correct solution is to add the certificate to the trusted ones. For example, download a more recent version of the certificate from https://curl.haxx.se/ca/cacert.pem.
Then check the path to this file in the php.ini settings:
[curl]
curl.cainfo = /path/to/downloaded/cacert.pem
Thank you for your attention, and see you next time.
Edit:
I had updated my root CA certificates from curl.haxx.se .
When I try curl -Iv https://yahoo.com I get an error as unable to get local issuer certificate in the result. However if I try curl -Iv --cacert /etc/ssl/certs/ca-certificates.crt https://yahoo.com I get a result without any error.
Weirdly curl -Iv https://google.com works properly. But curl -Iv https://deb.nodesource.com doesn’t.
Is there any chance to overcome this issue? (by changing curl configuration etc.)
root@ip-172-31-40-176:/var# curl -Iv https://yahoo.com
* Rebuilt URL to: https://yahoo.com/
* Hostname was NOT found in DNS cache
* Trying 206.190.36.45...
* Connected to yahoo.com (206.190.36.45) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
When sending a request with cURL, you can get the error: SSL certificate problem: unable to get local issuer certificate.
You can simply disable SSL certificate verification. For example, like this:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://site.com');
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$result = curl_exec($ch);
A more correct solution is to add the certificate to the trusted ones. Download a fresh version of the certificate from https://curl.haxx.se/ca/cacert.pem. Place this file on the server. For me this is the directory S:\Server\bin\php\extras\ssl.
Then specify the path to this file in the php.ini settings:
[curl]
curl.cainfo = S:\Server\bin\php\extras\ssl\cacert.pem
Restart apache.
// From inside the bin directory ( path/to/file/httpd )
httpd -k start
httpd -k restart
httpd -k stop (httpd -k shutdown)
// Working with apache as a Windows service
net stop apache2.4
net start apache2.4
// My httpd.exe
S:\Server\bin\Apache24\bin\httpd -k restart
