PHP - SSL certificate error: unable to get local issuer certificate

问题

I\'m running PHP Version 5.6.3 as part of XAMPP on Windows 7.

When I try to use the Mandrill API, I\'m getting the following error:

Uncaught exception \'Mandrill_HttpError\' with message \'API call to messages/send-template failed: SSL certificate problem: unable to get local issuer certificate\'

I already tried everything I read on StackOverflow, including adding the following to the php.ini file:

curl.cainfo = \"C:\\xampp\\php\\cacert.pem\"

And ofcourse downloaded to that location the cacert.pem file from http://curl.haxx.se/docs/caextract.html

but after all that, restarted XAMPP and Apache server but still getting the same error.

I really don\'t know what else to try.

Can anyone advise on what else can I try?

回答1:

Finally got this to work!

1. Download the certificate bundle.

2. Put it somewhere. In my case, that was c:\wamp\ directory (if you are using Wamp 64 bit then it's c:\wamp64\).

3. Enable mod_ssl in Apache and php_openssl.dll in php.ini (uncomment them by removing ; at the beginning). But be careful, my problem was that I had two php.ini files and I need to do this in both of them. One is the one you get from your WAMP taskbar icon, and another one is, in my case, in C:\wamp\bin\php\php5.5.12\

4. Add these lines to your cert in both php.ini files:

   curl.cainfo="C:/wamp/cacert.pem"
   openssl.cafile="C:/wamp/cacert.pem"
   

5. Restart Wamp services.

回答2:

Disclaimer: This code makes your server insecure.

I had the same problem in Mandrill.php file after line number 65 where it says $this->ch = curl_init();

Add following two lines:

curl_setopt($this->ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($this->ch, CURLOPT_SSL_VERIFYPEER, 0);

This solved my problem and also sent email using localhost but I suggest to NOT use it on live version live. On your live server the code should work without this code.

回答3:

Thanks @Mladen Janjetovic,

Your suggestion worked for me in mac with ampps installed.

Copied: http://curl.haxx.se/ca/cacert.pem

To: /Applications/AMPPS/extra/etc/openssl/certs/cacert.pem

And updated php.ini with that path and restarted Apache:

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo="/Applications/AMPPS/extra/etc/openssl/certs/cacert.pem"
openssl.cafile="/Applications/AMPPS/extra/etc/openssl/certs/cacert.pem"

And applied same setting in windows AMPPS installation and it worked perfectly in it too.

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo="C:/Ampps/php/extras/ssl/cacert.pem"
openssl.cafile="C:/Ampps/php/extras/ssl/cacert.pem"

: Same for wamp.

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo="C:/wamp/bin/php/php5.6.16/extras/ssl/cacert.pem"
openssl.cafile="C:/wamp/bin/php/php5.6.16/extras/ssl/cacert.pem"

If you are looking for generating new SSL certificate using SAN for localhost, steps on this post worked for me on Centos 7 / Vagrant / Chrome Browser.

回答4:

When you view the http://curl.haxx.se/docs/caextract.html page, you will notice in big letters a section called:

RSA-1024 removed

Read it, then download the version of the certificates that includes the 'RSA-1024' certificates. https://github.com/bagder/ca-bundle/blob/e9175fec5d0c4d42de24ed6d84a06d504d5e5a09/ca-bundle.crt

Those will work with Mandrill.

Disabling SSL is a bad idea.

回答5:

The above steps, though helpful, didnt work for me on Windows 8. I don't know the co-relation, but the below steps worked. Basically a change in the cacert.pem file. Hope this helps someone.

• Download cacert.pem file from here: http://curl.haxx.se/docs/caextract.html
• Save the file in your PHP installation folder. (eg: If using xampp – save it in c:\Installation_Dir\xampp\php\cacert.pem).
• Open your php.ini file and add these lines:
• curl.cainfo=”C:\Installation_Dir\xampp\php\cacert.pem” openssl.cafile=”C:\Installation_Dir\xampp\php\cacert.pem”
• Restart your Apache server and that should fix it (Simply stop and start the services as needed).

回答6:

I found new Solution without any required certification to call curl only add two line code.

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

回答7:

If you don't have access to php.ini, adding this code (after your $ch = curl_init(); line) works for me:

$certificate_location = "C:\Program Files (x86)\EasyPHP-Devserver-16.1\ca-bundle.crt"; // modify this line accordingly (may need to be absolute)
curl_setopt($ch, CURLOPT_CAINFO, $certificate_location);
curl_setopt($ch, CURLOPT_CAPATH, $certificate_location);

Then, you will just need to download ca-bundle.crt and save it to location you specified in $certificate_location.

回答8:

elaborating on the above answers for server deployment.

$hostname = gethostname();
if($hostname=="mydevpc")
{
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
}

should do the trick for development environment without compromising the server when deployed.

回答9:

I had the same issue during building my app in AppVeyor.

• Download https://curl.haxx.se/ca/cacert.pem to c:\php
• Enable openssl echo extension=php_openssl.dll >> c:\php\php.ini
• Locate certificateecho curl.cainfo=c:\php\cacert.pem >> c:\php\php.ini

回答10:

If none of the solutions above are working for you try updating your XAMPP installation to a newer version.

I was running XAMPP with php 5.5.11, the same exact code didn't work, I upgraded to XAMPP with php 5.6.28 and the solutions above worked.

Additionally only updating PHP didn't work either seems like a combination of apache and php settings on that version of XAMPP.

Hope it helps someone.

回答11:

I have Very Simple Solution of this problem. You can do this without any certificate file..

Go on Laravel Root Folder -> Vender -> guzzlehttp -> guzzle -> src

open Client.php

find $defaults Array . that look like this way ..

$defaults = [
    'allow_redirects' => RedirectMiddleware::$defaultSettings,
    'http_errors'     => true,
    'decode_content'  => true,
    'verify'          => true,
    'cookies'         => false
];

Now main Job is to change value of verify key ..

'verify'          => false,

So After this it will not check SSL Certificate for CURL Request... This Solution is work for me. I find this solution after many research ...

回答12:

I tried this it works

open

vendor\guzzlehttp\guzzle\src\Handler\CurlFactory.php

and change this

 $conf[CURLOPT_SSL_VERIFYHOST] = 2;
 `enter code here`$conf[CURLOPT_SSL_VERIFYPEER] = true;

to this

$conf[CURLOPT_SSL_VERIFYHOST] = 0;
$conf[CURLOPT_SSL_VERIFYPEER] = FALSE;

回答13:

I got the error like :

failed loading cafile stream: `C:\xamppPhp\apache\bin\curl-ca-bundle.crt`

I am using windows machine. So I followed the below steps.

1. I have downloaded .pem file from " https://curl.haxx.se/docs/caextract.html "

2. Then I kept the downloaded file inside  "C:/xamppPhp/apache/bin/" folder and renamed the same downloaded file to "curl-ca-bundle.crt".

3. I restarted XAMPP and cleared the cache.
4. It's done.

Hope it may help someone

回答14:

for guzzle you can try this :

$client = new Client(env('API_HOST'));
$client->setSslVerification(false);

tested on guzzle/guzzle 3.*

来源：https://stackoverflow.com/questions/28858351/php-ssl-certificate-error-unable-to-get-local-issuer-certificate