The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

curl_exec error 60 SSL certificate problem: unable to get local issuer certificate

Discussion in 'Security' started by vicos, Oct 6, 2016.

Tags:
  1. vicos

    vicos Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    62
    Likes Received:
    0
    Trophy Points:
    6
    Greetings all,

    Our php script which has used curl to talk to PayPal over https for years has mysteriously stopped working yesterday. Debugging reveals:

    "curl_exec error 60 SSL certificate problem: unable to get local issuer certificate"

    I am guessing this relates to PayPal action on 30-SEP:

    Discontinue use of the VeriSign G2 Root Certificate. In accordance with industry standards, PayPal will no longer honor secure connections that require the VeriSign G2 Root Certificate for trust validation. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.

    https://www.paypal-knowledge.com/in...t&widgetview=true&id=FAQ1766&viewlocale=en_US

    Am I correct in assuming that the way to resolve is to update the CA cert data on the server? ( some threads on StackExchange this route, although not specific to Linux/CPanel: stackoverflow.com/questions/29822686/curl-error-60-ssl-certificate-unable-to-get-local-issuer-certificate

    If yes, how is that best accomplished. The more details you can provide the better as SSL is far from my expertise.

    I checked /usr/local/lib/php.ini and I did not even see curl.cainfo.

    P.S. We are using LiteSpeed.

    TIA!
     
    #1 vicos, Oct 6, 2016
    Last edited by a moderator: Oct 10, 2016
  2. vicos

    vicos Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    62
    Likes Received:
    0
    Trophy Points:
    6
    Does anyone from CPANEL have any input on this...how do you update the CA certs that PHP/CURL uses on a CPANEL server?

    phpinfo shows only this option: -with-curl=/opt/curlssl/

    So, what is the path for the "default bundle of CA certificates" ...

    or should one just download a cacert.pem file from source ( as suggested here: stackoverflow.com/questions/29822686/curl-error-60-ssl-certificate-unable-to-get-local-issuer-certificate ), install it somewhere(??) and point to it in php.ini using curl.cainfo=/path/to/cacert.pem ?

    BTW, the specific CA cert we are missing is VeriSign Class 3 Public Primary Certification Authority - G5 root certificate. See: Obtain the VeriSign Class 3 Public Primary Certification Authority - G5 root certificate | Symantec

    I prefer to fix it the best practices way vs just hacking a solution.
     
    #2 vicos, Oct 7, 2016
    Last edited by a moderator: Oct 10, 2016
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    649
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Does this system use EasyApache 3 on CentOS 6 or 7? If so, ensure the "curl-devel" package is installed via YUM, and both Curl and CurlSSL options are disabled in your EasyApache 3 profile. Then, add the following line to /var/cpanel/easy/apache/rawopts/all_php5 (create this file if it doesn't exist):

    Code:
    --with-curl=/usr
    Once you do this, rebuild Apache via EasyApache and verify if the issue persists.

    Note this is unnecessary with Easyapache 4 because PHP curl is compiled against the OS-supplied libcurl.

    Thank you.
     
    eva2000 likes this.
Loading...

Share This Page