PHP Tools for Visual Studio 2022 1.85.17447
I'm attempting to verify that my web host has a DigiCert global certificate installed, so I'm making a PHP 8.3 curl call using a downloaded root certificate from DigiCert, but for the life of me I can't get past the "SSL certificate problem: unable to get local issuer certificate" error. I'm pretty sure this is some kind of config problem as all the suggestions I've extensively researched have failed.
I've tried setting the [curl] curl.cainfo and [openssl] openssl.cafile in php.ini to no avail. It's always able to find the file, it just can't read it for some reason. Is this an issue with the curl lib on Windows that PHP Tools is using not being able to read a local pem file? I set security on the pem file to "everyone". I also tried copying it to the same folder where php.ini lives. No love.
<?php
$url = "https://mywebsite.com"; // Replace with the target URL
$certPath = "C:\\Users\\xxx\\Desktop\\DigiCertGlobalRootG2.crt.pem"; // Path to the DigiCert certificate

// Initialize cURL
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // Enable SSL certificate verification
curl_setopt($ch, CURLOPT_CAINFO, $certPath); // Path to the DigiCert certificate
curl_setopt($ch, CURLOPT_VERBOSE, true); // Enable verbose output

// Open a temporary stream to capture the verbose output
$verboseLog = fopen('php://temp', 'w+');
curl_setopt($ch, CURLOPT_STDERR, $verboseLog);

$response = curl_exec($ch);

// Check for errors
if (curl_errno($ch)) {
    echo "cURL error: " . curl_error($ch);
} else {
    echo "Response: " . $response;
}

// Retrieve verbose output
rewind($verboseLog);
$verboseOutput = stream_get_contents($verboseLog);
echo "<pre>" . htmlspecialchars($verboseOutput) . "</pre>";

curl_close($ch);
fclose($verboseLog);
?>
Output:
cURL error: SSL certificate problem: unable to get local issuer certificate
* Host mywebsitewhatevers.com:443 was resolved.
* IPv6: (none)
* IPv4: 111.111.111.111
* Trying 111.111.111.111:443...
* Connected to mywebsitewhatevers.com: (111.111.111.111) port 443
* ALPN: curl offers h2,http/1.1
* CAfile: C:\Users\xxx\Desktop\DigiCertGlobalRootG2.crt.pem
* CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
The local pem file looks like this:
I exported the same DigiCert Global Root G2 certificate from my Windows cert store and it exported the exact same thing, so that looks correct. Or is that the wrong format for curl??