Paypal Access - SSL certificate: unable to get local issuer certificate
Solution 1
The correct solution is to fix your PHP setup.. setting CURLOPT_SSL_VERIFYPEER to false is a quick hack, but it's wrong as you disable the certificate validation by it's certificate authority. This exposes you to a man-in-the-middle attack.
It's easy to fix (php 5.3.7 or higher) -
Download a list file with an up-to-date certificate authorities, and add this setting to your php.ini
curl.cainfo=<path-to>cacert.pem
Restart your web server, and it'll work !
Solution 2
You may disable SSL verification (which is enabled by default as of cURL 7.10), by adding this:
CURLOPT_SSL_VERIFYPEER, false
to your $options
, however the proper way is to keep validation enabled.
SECURITY NOTICE
If remote site uses certificate issued by known CA but validation still fails, then most likely certificate is incorrectly set up on the remote server (lack of intermediate certificates etc.). Alternatively your system got no idea about used Certificate Authority that signed target's certificate. In such case yo should use php.ini
's curl.cainfo
(documentation) to point to valid PEM file with all supported CAs - that would make your setup properly validate issuer chain.
Please be aware that by setting CURLOPT_SSL_VERIFYPEER
to false
you are NOT solving the issue! You are working it around. This is all about security so it's fine to do that for a while, but deploying that on production is not wise, politely speaking, as you will become open to Man In The Middle Attack. You have been warned.
Solution 3
I had the same exact problem
Can't connect to PayPal to validate IPN message: SSL certificate: unable to get local issuer certificate
I used the code samples generated on paypal's github found here (I used PHP): https://github.com/paypal/ipn-code-samples
I downloaded both certs and tried testing both from curl: http://curl.haxx.se/docs/caextract.html
After about 2 hours of testing (using paypal's ipn simulator) and googling, found that paypal ipn cannot be tested on localhost
, so i pushed the code live and tried testing, but still got the same error (even with permissions set to 777).
When I set CURLOPT_SSL_VERIFYPEER, false
, it worked but this would defeat the purpose of having an ssl certificate.
After snooping around on my server's files, I found a curl-ca-bundle.crt
file in my PHP folder. I decided to hardcode the CURLOPT_CAINFO
in my paypal ipn script to that path. It finally worked!
I noticed this older .crt file included some certificates that weren't on the latest .crt file from the curl website. It was a bunch of certificates from verisign class 1, verisign class 2, verisign class 3 and verisign class 4
.
Here's the complete list of the certificate names I added to curl's .crt file:
- Verisign Class 1 Public Primary Certification Authority
- Verisign Class 1 Public Primary Certification Authority - G2
- Verisign Class 1 Public Primary Certification Authority - G3
- Verisign Class 2 Public Primary Certification Authority - G2
- Verisign Class 2 Public Primary Certification Authority - G3
- Verisign Class 3 Public Primary Certification Authority
- Verisign Class 4 Public Primary Certification Authority - G2
This may have something to do with what @Andomar was saying - paypal's verisign certificate is not included in the default (by default I mean curl's default) list of safe certificates.
I didn't have the time to debug and figure out exactly which certificate is needed so I just included all of them.
For anyone who experiences this problem in the future, I would suggest to get the latest certs from curl and add one by one the certificates in the list above until the error is gone.
Here's a link for some of those verisign certificates (you may need to google for the others not listed): www.symantec.com/page.jsp?id=roots
Note*: To view paypal's current certificates you can run this command in terminal:
openssl s_client -connect paypal.com:443 -showcerts
If anyone has further insight to this issue, please comment as I spent hours to figure all of the above out.
Solution 4
SSL certificate problem: unable to get local issuer certificate
Means that cUrl doesn't trust Verisign, the certificate authority that vouches for PayPal. As Marc B comments, cUrl no longer ships with trust for any certificate authority.
You can bypass the certificate chain validation with the option:
CURLOPT_SSL_VERIFYPEER => 0
To read how to configure cUrl so that it trusts Verisign, read the cUrl documentation.
Related videos on Youtube
Luca Pennisi
Updated on July 09, 2022Comments
-
Luca Pennisi almost 2 years
I'm working with cUrl and PHP to make a request to a server (for paypal access)
Paypal developer website does never mention that an SSL certificate is required to use PayPal access API, however the code that I use to request the token is the following:
$options = array( CURLOPT_URL => $url, CURLOPT_POST => 1, CURLOPT_VERBOSE => 1, CURLOPT_POSTFIELDS => $postvals, CURLOPT_RETURNTRANSFER => 1, CURLOPT_SSLVERSION => 3 ); curl_setopt_array($ch, $options); $response = curl_exec($ch); echo curl_error($ch);
This echo outputs the following error:
SSL certificate problem: unable to get local issuer certificate
My questions are:
1) do I need SSL to use paypal access if I need only to get the user email?
2) if I do not need SSL why this error occours?
PS: the endpoint is the following: https://www.sandbox.paypal.com/webapps/auth/protocol/openidconnect/v1/tokenservice
-
Marc B almost 11 yearsnot really strange. curl doesn't ship with any CA certs built into it anymore, so by default it doesn't trust ANYONE.
-
Andomar almost 11 years@MarcB: Interesting, I was assuming that it used the OS certificate store.
-
Marc B almost 11 yearsthat'd be nice, but given how many places that store is kept, probably for the best for curl to just go paranoid and think everyone's out to get it.
-
Robert over 10 yearsI would highly discourage anyone from turning off host/peer verification. Rather, download the cURL CA certs file (curl.haxx.se/ca/cacert.pem) and include it. Just as quick to resolve, and protects you a whole lot better in the long run.
-
Martin M. over 10 yearsI already had a similar file located at /etc/ssl/certs/ca-certificates.crt (Gentoo Linux distribution).
-
Robin Hood over 10 yearsWorked for me on my WAMP server setup. Thank you.
-
Gras Double almost 10 yearsAlternatively, you can specify the certificate at runtime:
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem')
. Now you have no excuse for disabling verification! -
agmezr almost 10 yearsWorked on a windows server with xampp. Thanks
-
mydoglixu over 9 years^^ why should we trust these certificates. no offense, just sayin'
-
mydoglixu over 9 yearsOMG. i was looking for this all week!
-
Dave Lancea over 9 yearsIn order to access login.salesforce.com I had to use a cert file included in my cygwin install. The cert file from haxx.se didn't include the cert they use. Copy this file to your cacert.pem:
C:\cygwin\etc\pki\ca-trust\extracted\openssl\ca-bundle.trust.crt
-
DiMono over 9 yearsI was able to fix the problem by adding Verisign Class 3 Public Primary CA from symantec.com/content/en/us/enterprise/verisign/roots/… - so apparently that's the missing one.
-
shpyo about 9 yearsWorks like a charm :). Thanks!
-
iconMatrix about 9 yearsThis just happened 3-24-15 on Micah's PayPal .crt file. A quick update using oori's "Download" link above to the .crt file did the trick
-
vimuth almost 8 yearsgreat have same issue on dailymotion api and solved it too
-
JCarlosR over 7 yearsI downloaded the caert.pem file and save it in
C:\wamp\bin\php\php5.5.12
, with the proper extension. Also I have modified and uncomment the line with thecurl.cainfo
path, but I still get the same error :/ -
JCarlosR over 7 yearsUsing wampserver we have to modify
C:\wamp\bin\apache\apache2.4.9\bin\
instead of the path mentioned above. -
geekbro about 7 yearsIt worked for me , Just make sure you restart xampp after making changes
-
Derrick Miller about 7 yearsI followed the above steps and still got the same error message. In my case, I was getting the error when connecting to one of my own API endpoints. I ran the SSL diagnostic tool at cryptoreport.rapidssl.com/checker/views/certCheck.jsp and discovered that I had the wrong intermediate cert installed on the API web server. I installed the correct intermediate cert and things started working. It seems to me that the Curl error message is misleading.
-
Mister Verleg almost 7 yearsI don't think a -1 is justified, as the answer clearly states security
-
Gem almost 6 yearsI am using wamp, where i can paste this line?
-
Bhagwan Parge almost 5 yearsThanks for the solution, for localhost development you have to follow above solution