PHP - SSL certificate error: unable to get local issuer certificate
Solution 1
Finally got this to work!
Download the certificate bundle.
Put it somewhere. In my case, that was c:\wamp\ directory (if you are using Wamp 64 bit then it's c:\wamp64\).
Enable mod_ssl in Apache and php_openssl.dll in php.ini (uncomment them by removing ; at the beginning). But be careful, my problem was that I had two php.ini files and I need to do this in both of them. One is the one you get from your WAMP taskbar icon, and another one is, in my case, in C:\wamp\bin\php\php5.5.12\
Add these lines to your cert in both php.ini files:
curl.cainfo="C:/wamp/cacert.pem"
openssl.cafile="C:/wamp/cacert.pem"
Restart Wamp services.
Solution 2
Editor's note: disabling SSL verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack.
Be sure you fully understand the security issues before using this as a solution.
I had the same problem in Mandrill.php file after line number 65 where it says $this->ch = curl_init();
Add the following two lines:
curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($this->ch, CURLOPT_SSL_VERIFYPEER, 0);
This solved my problem and also sent email using localhost, but I suggest NOT using it on the live version. On your live server the code should work without this code.
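The counterpart to the two lines above with verification left on, as an added example that is not part of the original answer or of Mandrill's code: the CA bundle is passed per handle with CURLOPT_CAINFO instead of turning the checks off. The function name fetch_verified and the paths in the usage comment are assumptions.

```php
<?php
// Added example, not from the answers: certificate checks stay enabled and
// the CA bundle is supplied per handle instead of through php.ini.
// $caBundle is an assumed local path to the downloaded cacert.pem.

function fetch_verified($url, $caBundle)
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // validate the chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate must match the host name
        CURLOPT_CAINFO         => $caBundle, // per-handle override of curl.cainfo
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);

    if ($errno === CURLE_SSL_CACERT) {
        // cURL error 60: "unable to get local issuer certificate" lands here.
        throw new RuntimeException("Issuer not found in $caBundle: $error");
    }
    if ($body === false) {
        throw new RuntimeException("cURL error $errno: $error");
    }
    return $body;
}

// Usage: php fetch_verified.php https://example.com/ C:/wamp/cacert.pem
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    try {
        echo strlen(fetch_verified($argv[1], $argv[2])), " bytes received\n";
    } catch (RuntimeException $e) {
        fwrite(STDERR, $e->getMessage() . "\n");
        exit(1);
    }
}
```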
Solution 3
Thanks @Mladen Janjetovic,
Your suggestion worked for me in mac with ampps installed.
Copied: http://curl.haxx.se/ca/cacert.pem
To: /Applications/AMPPS/extra/etc/openssl/certs/cacert.pem
And updated php.ini with that path and restarted Apache:
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo="/Applications/AMPPS/extra/etc/openssl/certs/cacert.pem"
openssl.cafile="/Applications/AMPPS/extra/etc/openssl/certs/cacert.pem"
And applied same setting in windows AMPPS installation and it worked perfectly in it too.
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo="C:/Ampps/php/extras/ssl/cacert.pem"
openssl.cafile="C:/Ampps/php/extras/ssl/cacert.pem"
Same for wamp.
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo="C:/wamp/bin/php/php5.6.16/extras/ssl/cacert.pem"
openssl.cafile="C:/wamp/bin/php/php5.6.16/extras/ssl/cacert.pem"
If you are looking to generate a new SSL certificate using SAN for localhost, the steps on this post worked for me on Centos 7 / Vagrant / Chrome Browser.
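A diagnostic for the php.ini approach in Solutions 1 and 3, as an added example that is not code from the answers: it reports which php.ini the current SAPI loaded and whether curl.cainfo and openssl.cafile point at a readable PEM bundle. The function name check_ca_setting is an assumption.

```php
<?php
// Added diagnostic (not from the answers). Run it from the CLI and through
// the web server: WAMP/XAMPP may load a different php.ini for each.

function check_ca_setting($name)
{
    $path = ini_get($name);
    if ($path === false) {
        // The directive is only registered when its extension is loaded.
        return ["$name is unknown: extension not enabled in this php.ini"];
    }
    if ($path === '') {
        // Typical causes: line missing, or still commented out with ';'.
        return ["$name is empty in the loaded php.ini"];
    }
    if (!is_file($path) || !is_readable($path)) {
        return ["$name points to '$path', which is not a readable file"];
    }
    $pem = (string) file_get_contents($path);
    $n = preg_match_all(
        '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        $pem,
        $blocks
    );
    if (!$n) {
        return ["'$path' contains no PEM certificates"];
    }
    if (extension_loaded('openssl') && openssl_x509_parse($blocks[0][0]) === false) {
        return ["first certificate in '$path' does not parse"];
    }
    return []; // no problems found
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
echo 'SAPI:           ', PHP_SAPI, PHP_EOL;
echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', PHP_EOL;

$failed = false;
foreach (['curl.cainfo', 'openssl.cafile'] as $name) {
    $problems = check_ca_setting($name);
    $failed = $failed || $problems;
    echo $name, ': ', $problems ? 'PROBLEM - ' . $problems[0] : 'OK (' . ini_get($name) . ')', PHP_EOL;
}
exit($failed ? 1 : 0);
```

If the CLI run reports OK and the web-server run does not, the two are reading different php.ini files.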
Solution 4
When you view the http://curl.haxx.se/docs/caextract.html page, you will notice in big letters a section called:
RSA-1024 removed
Read it, then download the version of the certificates that includes the 'RSA-1024' certificates. https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt
Those will work with Mandrill.
Disabling SSL is a bad idea.
Solution 5
Note: disabling SSL verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack.
Be sure you fully understand the security issues before using this as a solution.
I found a new solution without any required certification to call curl; only add two lines of code.
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
Dor Dadush
Updated on January 29, 2022
Comments
-
Dor Dadush over 2 years
I'm running PHP Version 5.6.3 as part of XAMPP on Windows 7.
When I try to use the Mandrill API, I'm getting the following error:
Uncaught exception 'Mandrill_HttpError' with message 'API call to messages/send-template failed: SSL certificate problem: unable to get local issuer certificate'
I already tried everything I read on StackOverflow, including adding the following to the php.ini file:
curl.cainfo = "C:\xampp\php\cacert.pem"
And of course downloaded to that location the cacert.pem file from http://curl.haxx.se/docs/caextract.html
but after all that, restarted XAMPP and Apache server but still getting the same error.
I really don't know what else to try.
Can anyone advise on what else I can try?
-
Michal about 9 years
See my answer: stackoverflow.com/a/29649024/660410
-
Jon Tan over 8 years
Also ensure that you have uncommented that line by removing the starting ';'. It should be curl.cainfo = "C:\xampp\php\cacert.pem" rather than ;curl.cainfo = "C:\xampp\php\cacert.pem"
-
javiniar.leonard over 8 years
Would using HTTPS over HTTP also cause this error?
-
Dor Dadush about 9 years
any things I can try to make my developers environment work without this bypass?
-
Francisco Corrales Morales about 9 years
for me, with just setting CURLOPT_SSL_VERIFYPEER to false worked.
-
Spinal almost 9 years
While you are technically correct, disabling SSL is a bad idea. Even on localhost, it's better to properly load the certificates as mentioned in the other answer.
-
Gerben almost 9 years
This fixed a problem with AWS/Guzzle/cURL I have been struggling with all day. Thank you!
-
John almost 9 years
@voidstate I know this is old but you can also bypass it in guzzle using this ['verify' => false], for the full doc on ssl/curl/guzzle go here guzzle.readthedocs.org/en/latest/…
-
Arturo Alvarado almost 9 years
@John but that would disable SSL verification which is not what you want to do, so I would not suggest doing that.
-
Gerben almost 9 years
For Windows, you'll need to save the files on your server (eg. to C:\curl\curl-ca-bundle.crt), then add the following to your php.ini: [curl] curl.cainfo="C:/curl/curl-ca-bundle.crt" [openssl] openssl.cafile="C:/curl/curl-ca-bundle.crt"
-
Sammaye about 8 years
I just had this after it worked perfectly for ages (even survived a server change) but I am having trouble understanding exactly what is going on here. Is it that curl or openssl was updated and had its ca-bundle changed to one that is incompatible with mailchimp?
-
Manu R S about 8 years
In my case that was c:\xamp\ directory and it's Windows 7 and this solution works perfectly..thanks a lot...
-
Simon East over 7 years
Those words no longer appear at that URL, so I'm not sure if this answer is still relevant, is it?
-
Paul over 7 years
Newest certificate bundle can be downloaded from the original curl site curl.haxx.se/docs/caextract.html
-
tinonetic about 7 years
While this may work, this isn't recommended at all. You are basically saying, trust all certificates... and it also opens your application up for possible attack if you forget and your code makes it to production with this change...it really isn't much work to download the CA bundle and point PHP to it.
-
Garry almost 7 years
This worked, I just downloaded the cert from here curl.haxx.se/docs/caextract.html
-
Erik Thiart over 6 years
Where did you get .crt files? The link gives me cacert.pem ?
-
Mladen Janjetovic over 6 years
@ErikThiart - The first link in answer is the link to .crt on github. The second one is for .pem. You can convert .pem to .crt with something like this stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key
-
Rebolon over 6 years
You can use pem file if you want (works with PHP7.1 at least, not tested on PHP <7.1) last certificates available here : curl.haxx.se/docs/caextract.html
-
Admin about 6 years
While you are technically correct, disabling SSL is a bad idea. Even if it's vehemently resistant to getting working any other way, better to lose your job than do things the non-proper sys-admin way. @Spinal
-
Manish sharma about 6 years
that is curl concept, so whenever you use curl, add the above code there
-
otaku almost 6 years
In my case the line had a ; at the beginning and it took me hours to realize that it means it is a comment. so for noobs like me, one needs to remove the ; as well
-
treyBake over 5 years
is there a point answering a 3 yr old question that has an accepted answer with 200+ upvotes?
-
fico7489 over 5 years
my answer is simpler than above ones, you will see I will get 10 upvotes for few months...
-
treyBake over 5 years
I highly doubt it, not seeing any mention of guzzle in OP ... so it's an unrelated answer. It's the same when someone provides a jQuery solution for a JavaScript problem. It's irrelevant.
-
treyBake over 5 years
that doesn't change the fact it's not being used here. Would you suggest a Linux solution to a Windows user because it's most used server operating system? Not everyone wants to use Guzzle, I personally have never used it once in my years of using PHP. To me, a HTTP request really isn't that difficult to need a package for it.
-
fico7489 over 5 years
behind guzzle is CURL and if someone looks into guzzle code he can easily find how to set it for a raw CURL, this answer can be a real help for someone and it does not include messing with certificates, but ok you think you are smarter...
-
treyBake over 5 years
fully aware - it's just not needed.. just read the docs for curl and it's all self-explanatory. It's not about being smarter... it's about answering the question properly
-
Nico Haase over 5 years
Running different parts of your code in different environments does not sound like a good concept - it makes debugging harder
-
Suraj Neupane over 5 years
Any idea how to solve similar problem with symfony framework, or in above case, there is no Apache server and wamp.
-
Mladen Janjetovic over 5 years
@SurajNeupane not sure, I spent a lot of time to get this one back then, I use virtual machines, like Homestead and I don't have to deal with this. This was specific case
-
Amr Aly about 5 years
This is key
But be careful, my problem was that I had two php.ini files and I need to do this in both of them. One is the one you get from your WAMP taskbar icon, and another one is, in my case, in C:\wamp\bin\php\php5.5.12\
-
Valentine Shi about 4 years
I did what the answer says. But that was not enough. I had to switch off my Avast antivirus and that what allowed me to send emails. Though this is not sustainable solution as I do not keep my antivirus off.
-
Ben Mack about 4 years
There're multiple php.ini files. The php.ini you've accessed through WAMP taskbar icon is in apache folder. You have to browse manually to your php folder (`C:\wamp64\bin\php\php7.3.10` in my case) and edit the php.ini in there.
-
Robert Sinclair over 3 years
i'm confused about the "your server insecure", if I'm pinging an external API with this snippet it makes my client insecure?
-
cooper about 3 years
I think it is only necessary to add it in the php.ini file of the WAMP tools menu. I work with WAMP 3.1.9
-
Peter over 2 years
@MladenJanjetovic thanks for this life-saver
-
miken32 over 2 years
If there's anything dumber than editing files in your vendor directory, it's not verifying TLS host certificates.
-
jerryurenaa over 2 years
This solution can lead to man-in-the-middle attacks and it is not recommended.
-
Javed Iqbal over 2 years
it works for me thanks.