curl: (60) SSL certificate problem: unable to get local issuer certificate

curl ssl openssl ssl-certificate x509certificate
user3812540 picture user3812540 · Jul 7, 2014 · Viewed 600.4k times · Source 
root@sclrdev:/home/sclr/certs/FreshCerts# curl --ftp-ssl --verbose ftp://{abc}/ -u trup:trup --cacert /etc/ssl/certs/ca-certificates.crt
* About to connect() to {abc} port 21 (#0)
*   Trying {abc}...
* Connected to {abc} ({abc}) port 21 (#0)
< 220-Cerberus FTP Server - Home Edition
< 220-This is the UNLICENSED Home Edition and may be used for home, personal use only
< 220-Welcome to Cerberus FTP Server
< 220 Created by Cerberus, LLC
> AUTH SSL
< 234 Authentication method accepted
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Answer

Dahomz picture Dahomz · Aug 5, 2015

Relating to 'SSL certificate problem: unable to get local issuer certificate' error. It is important to note that this applies to the system sending the CURL request, and NOT the server receiving the request.

  1. Download the latest cacert.pem from https://curl.haxx.se/ca/cacert.pem

  2. Add the following line to php.ini: (if this is shared hosting and you don't have access to php.ini then you could add this to .user.ini in public_html).

    curl.cainfo="/path/to/downloaded/cacert.pem"

    Make sure you enclose the path within double quotation marks!!!

  3. By default, the FastCGI process will parse new files every 300 seconds (if required you can change the frequency by adding a couple of files as suggested here https://ss88.uk/blog/fast-cgi-and-user-ini-files-the-new-htaccess/).

Related questions

Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)

What are the security consequences of Enabling CURLOPT_SSL_VERIFYPEER and Disabling CURLOPT_SSL_VERIFYHOST?

Read More
HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK

I am using XAMPP for development. Recently I upgraded my installation of xampp from an old version to 1.7.3. Now when I curl HTTPS enabled sites I get the following exception Fatal error: Uncaught exception 'RequestCore_Exception' with message 'cURL resource: …

Read More
Solving sslv3 alert handshake failure when trying to use a client certificate

I'm trying to connect to a service that requires a certificate for authorization. The process is that I send the service a CSR file. The service signs the CSR and sends me a certificate that I use for connection. I …

Read More