Paypal Access - SSL certificate: unable to get local issuer certificate

php curl ssl paypal

55,427

Solution 1

The correct solution is to fix your PHP setup.. setting CURLOPT_SSL_VERIFYPEER to false is a quick hack, but it's wrong as you disable the certificate validation by it's certificate authority. This exposes you to a man-in-the-middle attack.

It's easy to fix (php 5.3.7 or higher) - Download a list file with an up-to-date certificate authorities, and add this setting to your php.ini
curl.cainfo=<path-to>cacert.pem

Restart your web server, and it'll work !

Solution 2

You may disable SSL verification (which is enabled by default as of cURL 7.10), by adding this:

CURLOPT_SSL_VERIFYPEER, false

to your $options, however the proper way is to keep validation enabled.

SECURITY NOTICE

If remote site uses certificate issued by known CA but validation still fails, then most likely certificate is incorrectly set up on the remote server (lack of intermediate certificates etc.). Alternatively your system got no idea about used Certificate Authority that signed target's certificate. In such case yo should use php.ini's curl.cainfo (documentation) to point to valid PEM file with all supported CAs - that would make your setup properly validate issuer chain.

Please be aware that by setting CURLOPT_SSL_VERIFYPEER to false you are NOT solving the issue! You are working it around. This is all about security so it's fine to do that for a while, but deploying that on production is not wise, politely speaking, as you will become open to Man In The Middle Attack. You have been warned.

Solution 3

I had the same exact problem

Can't connect to PayPal to validate IPN message: SSL certificate: unable to get local issuer certificate

I used the code samples generated on paypal's github found here (I used PHP): https://github.com/paypal/ipn-code-samples

I downloaded both certs and tried testing both from curl: http://curl.haxx.se/docs/caextract.html

After about 2 hours of testing (using paypal's ipn simulator) and googling, found that paypal ipn cannot be tested on localhost, so i pushed the code live and tried testing, but still got the same error (even with permissions set to 777).

When I set CURLOPT_SSL_VERIFYPEER, false, it worked but this would defeat the purpose of having an ssl certificate.

After snooping around on my server's files, I found a curl-ca-bundle.crt file in my PHP folder. I decided to hardcode the CURLOPT_CAINFO in my paypal ipn script to that path. It finally worked!

I noticed this older .crt file included some certificates that weren't on the latest .crt file from the curl website. It was a bunch of certificates from verisign class 1, verisign class 2, verisign class 3 and verisign class 4.

Here's the complete list of the certificate names I added to curl's .crt file:

Verisign Class 1 Public Primary Certification Authority
Verisign Class 1 Public Primary Certification Authority - G2
Verisign Class 1 Public Primary Certification Authority - G3
Verisign Class 2 Public Primary Certification Authority - G2
Verisign Class 2 Public Primary Certification Authority - G3
Verisign Class 3 Public Primary Certification Authority
Verisign Class 4 Public Primary Certification Authority - G2

This may have something to do with what @Andomar was saying - paypal's verisign certificate is not included in the default (by default I mean curl's default) list of safe certificates.

I didn't have the time to debug and figure out exactly which certificate is needed so I just included all of them.

For anyone who experiences this problem in the future, I would suggest to get the latest certs from curl and add one by one the certificates in the list above until the error is gone.

Here's a link for some of those verisign certificates (you may need to google for the others not listed): www.symantec.com/page.jsp?id=roots

Note*: To view paypal's current certificates you can run this command in terminal:

openssl s_client -connect paypal.com:443 -showcerts

If anyone has further insight to this issue, please comment as I spent hours to figure all of the above out.

Solution 4

SSL certificate problem: unable to get local issuer certificate

Means that cUrl doesn't trust Verisign, the certificate authority that vouches for PayPal. As Marc B comments, cUrl no longer ships with trust for any certificate authority.

You can bypass the certificate chain validation with the option:

CURLOPT_SSL_VERIFYPEER => 0

To read how to configure cUrl so that it trusts Verisign, read the cUrl documentation.

View more solutions

55,427

Luca Pennisi

Updated on July 09, 2022

Comments

Luca Pennisi almost 2 years
I'm working with cUrl and PHP to make a request to a server (for paypal access)

Paypal developer website does never mention that an SSL certificate is required to use PayPal access API, however the code that I use to request the token is the following:
```
$options = array(
                CURLOPT_URL => $url,
                CURLOPT_POST => 1,
                CURLOPT_VERBOSE => 1,
                CURLOPT_POSTFIELDS => $postvals,
                CURLOPT_RETURNTRANSFER => 1,
                CURLOPT_SSLVERSION => 3
);

curl_setopt_array($ch, $options);

$response = curl_exec($ch); 
echo curl_error($ch);
```
This echo outputs the following error:
```
SSL certificate problem: unable to get local issuer certificate
```
My questions are:

1) do I need SSL to use paypal access if I need only to get the user email?

2) if I do not need SSL why this error occours?

PS: the endpoint is the following: https://www.sandbox.paypal.com/webapps/auth/protocol/openidconnect/v1/tokenservice
Marc B almost 11 years

not really strange. curl doesn't ship with any CA certs built into it anymore, so by default it doesn't trust ANYONE.
Andomar almost 11 years

@MarcB: Interesting, I was assuming that it used the OS certificate store.
Marc B almost 11 years

that'd be nice, but given how many places that store is kept, probably for the best for curl to just go paranoid and think everyone's out to get it.
Robert over 10 years

I would highly discourage anyone from turning off host/peer verification. Rather, download the cURL CA certs file (curl.haxx.se/ca/cacert.pem) and include it. Just as quick to resolve, and protects you a whole lot better in the long run.
Martin M. over 10 years

I already had a similar file located at /etc/ssl/certs/ca-certificates.crt (Gentoo Linux distribution).
Robin Hood over 10 years

Worked for me on my WAMP server setup. Thank you.
Gras Double almost 10 years

Alternatively, you can specify the certificate at runtime: curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem'). Now you have no excuse for disabling verification!
agmezr almost 10 years

Worked on a windows server with xampp. Thanks
mydoglixu over 9 years

^^ why should we trust these certificates. no offense, just sayin'
mydoglixu over 9 years

OMG. i was looking for this all week!
Dave Lancea over 9 years

In order to access login.salesforce.com I had to use a cert file included in my cygwin install. The cert file from haxx.se didn't include the cert they use. Copy this file to your cacert.pem: C:\cygwin\etc\pki\ca-trust\extracted\openssl\ca-bundle.trust‌.crt
DiMono over 9 years

I was able to fix the problem by adding Verisign Class 3 Public Primary CA from symantec.com/content/en/us/enterprise/verisign/roots/… - so apparently that's the missing one.
shpyo about 9 years

Works like a charm :). Thanks!
iconMatrix about 9 years

This just happened 3-24-15 on Micah's PayPal .crt file. A quick update using oori's "Download" link above to the .crt file did the trick
vimuth almost 8 years

great have same issue on dailymotion api and solved it too
JCarlosR over 7 years

I downloaded the caert.pem file and save it in C:\wamp\bin\php\php5.5.12, with the proper extension. Also I have modified and uncomment the line with the curl.cainfo path, but I still get the same error :/
JCarlosR over 7 years

Using wampserver we have to modify C:\wamp\bin\apache\apache2.4.9\bin\ instead of the path mentioned above.
geekbro about 7 years

It worked for me , Just make sure you restart xampp after making changes
Derrick Miller about 7 years

I followed the above steps and still got the same error message. In my case, I was getting the error when connecting to one of my own API endpoints. I ran the SSL diagnostic tool at cryptoreport.rapidssl.com/checker/views/certCheck.jsp and discovered that I had the wrong intermediate cert installed on the API web server. I installed the correct intermediate cert and things started working. It seems to me that the Curl error message is misleading.
Mister Verleg almost 7 years

I don't think a -1 is justified, as the answer clearly states security
Gem almost 6 years

I am using wamp, where i can paste this line?
Bhagwan Parge almost 5 years

Thanks for the solution, for localhost development you have to follow above solution