PHP - SSL certificate error: unable to get local issuer certificate

Solution 1

Finally got this to work!

  1. Download the certificate bundle.

  2. Put it somewhere. In my case, that was c:\wamp\ directory (if you are using Wamp 64 bit then it's c:\wamp64\).

  3. Enable mod_ssl in Apache and php_openssl.dll in php.ini (uncomment them by removing ; at the beginning). But be careful, my problem was that I had two php.ini files and I need to do this in both of them. One is the one you get from your WAMP taskbar icon, and another one is, in my case, in C:\wamp\bin\php\php5.5.12\

  4. Add these lines to your cert in both php.ini files:

    curl.cainfo="C:/wamp/cacert.pem"
    openssl.cafile="C:/wamp/cacert.pem"
    
  5. Restart Wamp services.
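The two-php.ini pitfall from step 3 can be checked directly. The script below is an added example, not part of the original answer: it reports which php.ini the current SAPI loaded and whether `curl.cainfo` and `openssl.cafile` point at a readable bundle containing unexpired certificates. The function name `describe_ca_bundle` is made up for this example; request the script through the web server as well as running it from the CLI, since each may load a different php.ini.

```php
<?php
// Added diagnostic, not from the original answer. describe_ca_bundle() is a
// name made up for this example.
function describe_ca_bundle($setting, $path)
{
    $report = ['setting' => $setting, 'path' => $path, 'ok' => false];
    if ($path === false || $path === '') {
        $report['problem'] = 'not set in the php.ini this SAPI loaded';
        return $report;
    }
    if (!is_file($path) || !is_readable($path)) {
        $report['problem'] = 'file missing or unreadable';
        return $report;
    }
    // Extract every PEM block and count those inside their validity window.
    preg_match_all(
        '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        file_get_contents($path),
        $blocks
    );
    $now = time();
    $valid = 0;
    foreach ($blocks[0] as $pem) {
        $cert = openssl_x509_parse($pem);
        if ($cert && $cert['validFrom_time_t'] <= $now && $now <= $cert['validTo_time_t']) {
            $valid++;
        }
    }
    $report['certificates'] = count($blocks[0]);
    $report['currently_valid'] = $valid;
    $report['ok'] = $valid > 0;
    if (!$report['ok']) {
        $report['problem'] = 'no unexpired certificates found in the file';
    }
    return $report;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
echo 'SAPI:           ', PHP_SAPI, PHP_EOL;
echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
foreach (['curl', 'openssl'] as $ext) {
    echo $ext, ' loaded: ', extension_loaded($ext) ? 'yes' : 'no', PHP_EOL;
}
if (extension_loaded('openssl')) {
    foreach (['curl.cainfo', 'openssl.cafile'] as $key) {
        print_r(describe_ca_bundle($key, ini_get($key)));
    }
}
```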

Solution 2

Editor's note: disabling SSL verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack.

Be sure you fully understand the security issues before using this as a solution.

I had the same problem in Mandrill.php file after line number 65 where it says $this->ch = curl_init();

Add the following two lines:

    curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($this->ch, CURLOPT_SSL_VERIFYPEER, 0);

This solved my problem and also sent email using localhost, but I suggest NOT using it on the live version. On your live server the code should work without this code.
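For contrast with the two lines in the answer above, here is a request that keeps verification on and passes the CA bundle on the handle itself, which works even when php.ini cannot be edited. This is an added example, not part of the original answer; `verified_get`, the `https://example.com/` URL and the `cacert.pem` location are assumptions.

```php
<?php
// Added example, not from the original answer. verified_get(), the URL and
// the bundle path are placeholders chosen for illustration.
function verified_get($url, $caBundle)
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // validate the chain against the bundle
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate must match the host name
        CURLOPT_CAINFO         => $caBundle, // per-handle override of curl.cainfo
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Surface the TLS failure instead of silently continuing.
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}

try {
    $body = verified_get('https://example.com/', __DIR__ . '/cacert.pem');
    echo 'Verified TLS request succeeded, ', strlen($body), " bytes\n";
} catch (RuntimeException $e) {
    // "unable to get local issuer certificate" at this point means the bundle
    // does not contain the issuer of the server's chain.
    echo $e->getMessage(), "\n";
}
```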

Solution 3

Thanks @Mladen Janjetovic,

Your suggestion worked for me on Mac with AMPPS installed.

Copied: http://curl.haxx.se/ca/cacert.pem

To: /Applications/AMPPS/extra/etc/openssl/certs/cacert.pem

And updated php.ini with that path and restarted Apache:

    [curl]
    ; A default value for the CURLOPT_CAINFO option. This is required to be an
    ; absolute path.
    curl.cainfo="/Applications/AMPPS/extra/etc/openssl/certs/cacert.pem"
    openssl.cafile="/Applications/AMPPS/extra/etc/openssl/certs/cacert.pem"

And I applied the same setting in the Windows AMPPS installation, and it worked perfectly there too.

    [curl]
    ; A default value for the CURLOPT_CAINFO option. This is required to be an
    ; absolute path.
    curl.cainfo="C:/Ampps/php/extras/ssl/cacert.pem"
    openssl.cafile="C:/Ampps/php/extras/ssl/cacert.pem"

Same for wamp.

    [curl]
    ; A default value for the CURLOPT_CAINFO option. This is required to be an
    ; absolute path.
    curl.cainfo="C:/wamp/bin/php/php5.6.16/extras/ssl/cacert.pem"
    openssl.cafile="C:/wamp/bin/php/php5.6.16/extras/ssl/cacert.pem"

If you are looking to generate a new SSL certificate using SAN for localhost, the steps in this post worked for me on CentOS 7 / Vagrant / Chrome Browser.

Solution 4

When you view the http://curl.haxx.se/docs/caextract.html page, you will notice in big letters a section called:

RSA-1024 removed

Read it, then download the version of the certificates that includes the 'RSA-1024' certificates. https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt

Those will work with Mandrill.

Disabling SSL is a bad idea.

Solution 5

Note: disabling SSL verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack.

Be sure you fully understand the security issues before using this as a solution.

I found a new solution without any required certificate to call curl; only add two lines of code.

    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

Author: Dor Dadush

Updated on January 29, 2022

Comments

  • Dor Dadush
    Dor Dadush over 2 years

    I'm running PHP Version 5.6.3 as part of XAMPP on Windows 7.

    When I try to use the Mandrill API, I'm getting the following error:

    Uncaught exception 'Mandrill_HttpError' with message 'API call to messages/send-template failed: SSL certificate problem: unable to get local issuer certificate'

    I already tried everything I read on StackOverflow, including adding the following to the php.ini file:

    curl.cainfo = "C:\xampp\php\cacert.pem"
    

    And of course downloaded to that location the cacert.pem file from http://curl.haxx.se/docs/caextract.html

    but after all that, restarted XAMPP and Apache server but still getting the same error.

    I really don't know what else to try.

    Can anyone advise on what else can I try?

    • Michal
      Michal about 9 years
    • Jon Tan
      Jon Tan over 8 years
      Also ensure that you have uncommented that line by removing the starting ';'. it should be curl.cainfo = "C:\xampp\php\cacert.pem" rather than ;curl.cainfo = "C:\xampp\php\cacert.pem"
    • javiniar.leonard
      javiniar.leonard over 8 years
      Would using HTTPS over HTTP also cause this error?
  • Dor Dadush
    Dor Dadush about 9 years
    Is there anything I can try to make my developer environment work without this bypass?
  • Francisco Corrales Morales
    Francisco Corrales Morales about 9 years
    for me, with just setting CURLOPT_SSL_VERIFYPEER to false worked.
  • Spinal
    Spinal almost 9 years
    While you are technically correct, disabling SSL is a bad idea. Even on localhost, it's better to properly load the certificates as mentioned in the other answer.
  • Gerben
    Gerben almost 9 years
    This fixed a problem with AWS/Guzzle/cURL I have been struggling with all day. Thank you!
  • John
    John almost 9 years
    @voidstate I know this is old but you can also bypass it in guzzle using this ['verify' => false], for the full doc on ssl/curl/guzzle go here guzzle.readthedocs.org/en/latest/…
  • Arturo Alvarado
    Arturo Alvarado almost 9 years
    @John but that would disable SSL verification, which is not what you want to do, so I would not suggest doing that.
  • Gerben
    Gerben almost 9 years
    For Windows, you'll need to save the files on your server (eg. to C:\curl\curl-ca-bundle.crt), then add the following to your php.ini: [curl] curl.cainfo="C:/curl/curl-ca-bundle.crt" [openssl] openssl.cafile="C:/curl/curl-ca-bundle.crt"
  • Sammaye
    Sammaye about 8 years
    I just had this after it worked perfectly for ages (even survived a server change) but I am having trouble understanding exactly what is going on here. Is it that curl or openssl was updated and had its ca-bundle changed to one that is incompatible with mailchimp?
  • Manu R S
    Manu R S about 8 years
    In my case that was c:\xamp\ directory and its windows 7 and this solution works perfect..thanks a lot...
  • Simon East
    Simon East over 7 years
    Those words no longer appear at that URL, so I'm not sure if this answer is still relevant, is it?
  • Paul
    Paul over 7 years
    Newest certificate bundle can be downloaded from the original curl site curl.haxx.se/docs/caextract.html
  • tinonetic
    tinonetic about 7 years
    While this may work, this isn't recommended at all. You are basically saying, trust all certificates... and it also opens your application up for possible attack if you forget and your code makes it to production with this change... it really isn't much work to download the CA bundle and point PHP to it.
  • Garry
    Garry almost 7 years
    This worked, I just downloaded the cert from here curl.haxx.se/docs/caextract.html
  • Erik Thiart
    Erik Thiart over 6 years
    Where did you get .crt files? The link gives me cacert.pem ?
  • Mladen Janjetovic
    Mladen Janjetovic over 6 years
    @ErikThiart - The first link in answer is the link to .crt on github. The second one is for .pem. You can convert .pem to .crt with something like this stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key
  • Rebolon
    Rebolon over 6 years
    You can use pem file if you want (works with PHP7.1 at least, not tested on PHP <7.1) last certificates available here : curl.haxx.se/docs/caextract.html
  • Admin
    Admin about 6 years
    While you are technically correct, disabling SSL is a bad idea. Even if it's vehemently resistant to getting working any other way, better to lose your job than do things the non-proper sys-admin way. @Spinal
  • Manish sharma
    Manish sharma about 6 years
    That is a curl concept, so whenever you use curl, add the above code there.
  • otaku
    otaku almost 6 years
    In my case the line had a ; at the beginning and it took me hours to realize that it means it is a comment. so for noobs like me, one needs to remove the ; as well
  • treyBake
    treyBake over 5 years
    is there a point answering a 3 yr old question that has an accepted answer with 200+ upvotes?
  • fico7489
    fico7489 over 5 years
    my answer is simpler than above ones, you will see I will get 10 upvotes for few months...
  • treyBake
    treyBake over 5 years
    I highly doubt it, not seeing any mention of guzzle in OP ... so it's an unrelated answer. It's the same when someone provides a jQuery solution for a JavaScript problem. It's irrelevant.
  • treyBake
    treyBake over 5 years
    that doesn't change the fact it's not being used here. Would you suggest a Linux solution to a Windows user because it's most used server operating system? Not everyone wants to use Guzzle, I personally have never used it once in my years of using PHP. To me, a HTTP request really isn't that difficult to need a package for it.
  • fico7489
    fico7489 over 5 years
    Behind guzzle is CURL, and if someone looks into the guzzle code they can easily find how to set it for raw CURL. This answer can really help someone and it does not involve messing with certificates, but ok, you think you are smarter...
  • treyBake
    treyBake over 5 years
    fully aware - it's just not needed.. just read the docs for curl and it's all self-explanatory. It's not about being smarter... it's about answering the question properly
  • Nico Haase
    Nico Haase over 5 years
    Running different parts of your code in different environments does not sound like a good concept - it makes debugging harder
  • Suraj Neupane
    Suraj Neupane over 5 years
    Any idea how to solve similar problem with symfony framework, or in above case, there is no Apache server and wamp.
  • Mladen Janjetovic
    Mladen Janjetovic over 5 years
    @SurajNeupane not sure, I spent a lot of time to get this one back then, I use virtual machines, like Homestead and I don't have to deal with this. This was specific case
  • Amr Aly
    Amr Aly about 5 years
    This is key But be careful, my problem was that I had two php.ini files and I need to do this in both of them. One is the one you get from your WAMP taskbar icon, and another one is, in my case, in C:\wamp\bin\php\php5.5.12\
  • Valentine Shi
    Valentine Shi about 4 years
    I did what the answer says. But that was not enough. I had to switch off my Avast antivirus, and that is what allowed me to send emails. Though this is not a sustainable solution, as I do not keep my antivirus off.
  • Ben Mack
    Ben Mack about 4 years
    There're multiple php.ini files. The php.ini you've accessed through WAMP taskbar icon is in apache folder. You have to browse manually to your php folder (`C:\wamp64\bin\php\php7.3.10` in my case) and edit the php.ini in there.
  • Robert Sinclair
    Robert Sinclair over 3 years
    i'm confused about the "your server insecure", if I'm pinging an external API with this snippet it makes my client insecure?
  • cooper
    cooper about 3 years
    I think it is only necessary to add it in the php.ini file of the WAMP tools menu. I work with WAMP 3.1.9
  • Peter
    Peter over 2 years
    @MladenJanjetovic thanks for this life-saver
  • miken32
    miken32 over 2 years
    If there's anything dumber than editing files in your vendor directory, it's not verifying TLS host certificates.
  • jerryurenaa
    jerryurenaa over 2 years
    This solution can lead to man-in-the-middle attacks and it is not recommended.
  • Javed Iqbal
    Javed Iqbal over 2 years
    It works for me, thanks.