Skip to the content...

Welcome to the David Walsh Blog. I'm a MooTools, Dojo, jQuery, CSS, and PHP Web Developer located in Madison, Wisconsin, United States. Please contact me if I can make your experience on my website better.

PHP, SSL, and cURL SSL3_GET_SERVER_CERTIFICATE Errors

5 Responses »

I recently developed a complex system for a customer that involved PHP, cURL, and a SSL connection to a third party vendor. The third party vendor would validate the security certificate of the source (the system I created) and either allow or reject access. My code looked like this:

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,'https://thirdparty.com/token.php'); //not the actual site
curl_setopt($ch,CURLOPT_TIMEOUT,60);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,'customer_id='.$cid.'&password='.$pass);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true); 
curl_setopt($ch,CURLOPT_CAINFO,'ca-bundle.crt'); /* problem here! */
$result = curl_exec($ch);
if(empty($result)) { /* error: nothing returned */ } else { /* success! */ }
curl_close($ch);

Unfortunately I was persistently receiving the following error message:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It turns out that the SSL bundle file I was using was old, as was the default bundle that came with the old version of cURL the shared hosting server. Essentially the third party didn't trust that the system's SSL certificate was valid. I downloaded Mozilla's bundle file, named it mozilla.pem and changed my PHP code to:

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,'https://thirdparty.com/token.php'); //not the actual site
curl_setopt($ch,CURLOPT_TIMEOUT,60);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,'customer_id='.$cid.'&password='.$pass);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true); 
curl_setopt($ch,CURLOPT_CAINFO,'mozilla.pem'); /* fixed! */
$result = curl_exec($ch);
if(empty($result)) { /* error: nothing returned */ } else { /* success! */ }
curl_close($ch);

I share this with you because it cost me over three hours. Hopefully this will save someone time and frustration in the future.

Discussion

  1. paul radich
    June 10, 2009 @ 7:02 am

    Thanks for sharing. That’s going to same someone a great deal of time.

    Reply
  2. taylan
    June 15, 2009 @ 2:33 pm

    Great post. Thanks…

    Reply
  3. bleyder
    October 28, 2009 @ 6:31 pm

    “Hopefully this will save someone time and frustration in the future.”

    Yes, it has saved many time to me. There is, however, a point that you don’t explain in your article: where to put the Mozilla’s bundle file? I develop using WAMP, and this is the code I use:

    curl_setopt($rRequest, CURLOPT_SSL_VERIFYPEER, 1);
    curl_setopt($rRequest, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($rRequest, CURLOPT_CAINFO, “C:\path\sub-path\wamp\www\php\mozilla.pem”);

    The “CURLOPT_SSL_VERIFYHOST” option verify that the name field matches the host name of the server.

    More information:
    Using cURL in PHP to access HTTPS (SSL/TLS) protected sites

    Reply

Be Heard!

Share your thoughts with fellow developers of all skill levels! I want to hear from you!

Name*:
Email*:
Website:  
Wrap your code with <code> tags, f00!
The Bottom Line