Question

PHP cURL Fails to Establish Secure Connection with Custom CA Certificates

Hello everyone,

I am facing a challenging issue with a PHP application that involves cURL and SSL. The application is designed to connect to a remote server over HTTPS. This server employs a certificate issued by a custom internal Certificate Authority (CA) rather than a well-known public CA.

When I try accessing the server through a web browser after adding the custom CA certificate to the system trust store, it works fine. However, when I attempt to connect using my PHP script via cURL, I’m met with an SSL certificate problem.

Here is a snippet of the PHP code:

```php
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://my-secure-server.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Verify the server certificate against the custom CA file below.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/custom/ca_certificate.pem');
$response = curl_exec($ch);

// curl_exec() returns false on failure; curl_error() carries the TLS error text.
if ($response === false) {
    echo 'Error: ' . curl_error($ch);
}

curl_close($ch);
```

The error I keep getting is:

Error: SSL certificate problem: unable to get local issuer certificate

I’ve confirmed that the path to the CA certificate file is correct, the file is readable by the PHP process, and its format is correct (PEM encoded).

I’ve also attempted to use CURLOPT_CAPATH pointing to the directory of the certificate, but the result is the same. Additionally, I’ve checked that openssl.cafile and curl.cainfo are properly set in my php.ini file.

Could anyone offer some guidance on why my PHP application is not recognizing the SSL certificate even though it’s valid and trusted by the system? I’m using PHP 7.4, cURL 7.68, and OpenSSL 1.1.1.



KFSys
Site Moderator
May 27, 2023
Accepted Answer

Hello,

Given what you’ve already tried, there’s a possibility that the issue lies within the chain of trust from your custom CA to the certificate on your secure server.

Having said that, before I suggest any solutions, I would like to note that you are using some older versions of your software.

  • OpenSSL 1.1.1: OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date.
  • PHP 7.4: The end of life date for PHP 7.4 was November 28, 2022.
  • Curl 7.68: Was released Jan 8 2020 and current version is 8.1.1.

My first suggestion would be to update your system to the latest possible versions, especially if you are building a new application, and give it another try. If it doesn’t work, we can try exploring more troubleshooting options regarding your CA.
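
The answer above points at the chain of trust between the custom CA and the server certificate. As an added example (not code from the question or the answer), this PHP sketch walks the certificates a server sends against the contents of the file given to CURLOPT_CAINFO and reports where the chain stops. The function names and the sample certificates are constructed for illustration, and it assumes PHP 7.4+ with the openssl extension and a usable openssl.cnf.

```php
<?php
// Diagnostic only: matches issuer names and signatures; no expiry, constraint, hostname or revocation checks.
function pem_certs(string $pem): array {
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    return $m[0];
}
// Return the certificate in $pool that issued $cert (DN match + signature), or null.
function find_issuer(string $cert, array $pool): ?string {
    $issuerDn = openssl_x509_parse($cert)['issuer'];
    foreach ($pool as $cand) {
        $sameName = openssl_x509_parse($cand)['subject'] == $issuerDn;
        if ($sameName && openssl_x509_verify($cert, $cand) === 1) return $cand;
    }
    return null;
}
// Walk from the leaf (first certificate the server sends) towards a trusted root.
function trace_chain(string $serverChainPem, string $caFilePem): array {
    [$sent, $trusted] = [pem_certs($serverChainPem), pem_certs($caFilePem)];
    if (!$sent) return ['no certificate found in the server chain'];
    $cert = $sent[0];
    $steps = [];
    for ($depth = 0; $depth < 10; $depth++) {
        $cn = openssl_x509_parse($cert)['subject']['CN'] ?? '(no CN)';
        $issuer = find_issuer($cert, $trusted);
        if ($issuer !== null && find_issuer($issuer, [$issuer]) !== null) {
            return array_merge($steps, ["$cn: anchored at a self-signed root in the CA file"]);
        }
        $issuer = $issuer ?? find_issuer($cert, $sent);
        if ($issuer === null || $issuer === $cert) {
            return array_merge($steps, ["$cn: no issuer leads to the CA file, chain breaks here"]);
        }
        $steps[] = "$cn: issuer found, continuing upwards";
        $cert = $issuer;
    }
    return $steps;
}
// Constructed sample PKI, generated at run time (all names are made up).
function make_cert(string $cn, $caPem = null, $caKey = null): array {
    $key = openssl_pkey_new(['private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $cn], $key);
    openssl_x509_export(openssl_csr_sign($csr, $caPem, $caKey ?? $key, 2), $pem);
    return [$pem, $key];
}
[$root, $rootKey] = make_cert('Constructed Internal Root CA');
[$inter, $interKey] = make_cert('Constructed Issuing CA', $root, $rootKey);
[$leaf] = make_cert('my-secure-server.com', $inter, $interKey);
// Case 1: server sends only its leaf. Case 2: it also sends the intermediate. CA file holds the root.
print_r(trace_chain($leaf, $root));
print_r(trace_chain($leaf . $inter, $root));
```

To check a real deployment, pass the PEM chain the server actually presents (for example, saved from `openssl s_client -showcerts`) as the first argument and the contents of the CAINFO file as the second.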
