unable to get local issuer certificate even with bundle installed

问题

I know something similar to this has already been asked around here but I think my problem is different. I'm trying to make a curl request to a propper SSL website (its not self-signed). I can set the options easily and even imported the CA certificate bundle to the right place. All fine and good I would hope but I'm still getting :

SSL certificate problem: unable to get local issuer certificate

I've looked around here and on google and can't seem to solve the issue. Here's my curl setup:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,2);
//curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_AUTOREFERER, true);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_CERTINFO, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd()."/cookie_jar");
curl_setopt($ch, CURLOPT_HEADER, true);

$result = curl_exec($ch);

Edit2: Here's the verbose output as requested:

* Adding handle: conn: 0x3472770
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x3472770) send_pipe: 1, recv_pipe: 0
* About to connect() to www.caixagest.pt port 443 (#0)
*   Trying 195.234.134.196...
* Connected to www.caixagest.pt (195.234.134.196) port 443 (#0)
* error setting certificate verify locations:
  CAfile: C:\Winginx\ssl\certs\ca-bundle-old.crt
  CApath: none
* Closing connection 0


error setting certificate verify locations:
  CAfile: C:\Winginx\ssl\certs\ca-bundle-old.crt
  CApath: none

回答1:

It's hard to say without having the URL, the curl version and compile options and the contents of your CA bundle but the most common cases are:

Server forgot to include important chain certificates. Look ot for "chain issues" and "extra download" when doing the analysis with SSLLabs.
Different trust path with the OpenSSL backend of curl. See https://stackoverflow.com/a/30068150/3081018 for details.
Old curl version which does not support SNI, so server sends the wrong certificate.

More detailed help might be available with more information from you.

来源：https://stackoverflow.com/questions/30470015/unable-to-get-local-issuer-certificate-even-with-bundle-installed

标签

php

ssl

curl