The David Walsh Blog

PHP, SSL, and cURL SSL3_GET_SERVER_CERTIFICATE Errors

Written by David Walsh on June 9, 2009 · 19 Comments

I recently developed a complex system for a customer that involved PHP, cURL, and a SSL connection to a third party vendor. The third party vendor would validate the security certificate of the source (the system I created) and either allow or reject access. My code looked like this:

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,'https://thirdparty.com/token.php'); //not the actual site
curl_setopt($ch,CURLOPT_TIMEOUT,60);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,'customer_id='.$cid.'&password='.$pass);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true); 
curl_setopt($ch,CURLOPT_CAINFO,'ca-bundle.crt'); /* problem here! */
$result = curl_exec($ch);
if(empty($result)) { /* error: nothing returned */ } else { /* success! */ }
curl_close($ch);

Unfortunately I was persistently receiving the following error message:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It turns out that the SSL bundle file I was using was old, as was the default bundle that came with the old version of cURL the shared hosting server. Essentially the third party didn't trust that the system's SSL certificate was valid. I downloaded Mozilla's bundle file, named it mozilla.pem and changed my PHP code to: 

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,'https://thirdparty.com/token.php'); //not the actual site
curl_setopt($ch,CURLOPT_TIMEOUT,60);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_POSTFIELDS,'customer_id='.$cid.'&password='.$pass);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true); 
curl_setopt($ch,CURLOPT_CAINFO,'mozilla.pem'); /* fixed! */
$result = curl_exec($ch);
if(empty($result)) { /* error: nothing returned */ } else { /* success! */ }
curl_close($ch);

I share this with you because it cost me over three hours. Hopefully this will save someone time and frustration in the future.

Comments

  1. Paul Radich June 10, 2009

    Thanks for sharing. That’s going to same someone a great deal of time.

  2. taylan June 15, 2009

    Great post. Thanks…

  3. Bleyder October 28, 2009

    “Hopefully this will save someone time and frustration in the future.”

    Yes, it has saved many time to me. There is, however, a point that you don’t explain in your article: where to put the Mozilla’s bundle file? I develop using WAMP, and this is the code I use:

    curl_setopt($rRequest, CURLOPT_SSL_VERIFYPEER, 1);
    curl_setopt($rRequest, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($rRequest, CURLOPT_CAINFO, “C:\path\sub-path\wamp\www\php\mozilla.pem”);

    The “CURLOPT_SSL_VERIFYHOST” option verify that the name field matches the host name of the server.

    More information:
    Using cURL in PHP to access HTTPS (SSL/TLS) protected sites

  4. SomeDude January 29, 2011

    I still can’t get mine to work. I’m getting this problem with my Facebook app.

    • Koen April 20, 2012

      Dear somedude, did you fix your SSL CURL error that you were experiencing with your Facebook app? I’m experiencing the same thing and cannot get it fixed!

  5. samir March 29, 2011

    My code

    $url ='https://somesecureurl';
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_TIMEOUT, 60);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "/cacert.pem");

    still i cant get the code to work getting error

    SSL peer certificate or SSH remote key was not OK

  6. Romain April 5, 2011

    Dude, you saved my life! ;o)

  7. az August 26, 2011

    Very helpful. Thank you!

  8. rize September 16, 2011

    i am getting this now.
    error setting certificate verify locations:

  9. Neelesh January 19, 2012

    Thanks david… But I don’t understand How its working for common cert file ,that I downloaded from above link..

  10. Weston January 24, 2012

    THANKS YOU SOOOOO MUCH.

    This _did_ save me hours of time!

  11. Alfredo April 2, 2012

    David, thank you for saving me three invaluable hours!

  12. ale July 12, 2012

    mozilla rocks

    thanks dave

  13. yuvraj jain September 19, 2012

    Thanks David, it saved my important hours:). I have faced the same problem and this article solved all the things.

    Keep posting man Thanks again.

  14. Lech October 17, 2012

    Thank you for the info and link, but I think what you mean is that *your* system did not trust the third party’s certificate.

  15. Mohamed January 25, 2013

    Or you could just turn ssl verfication off

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,false);

  16. Ferg February 20, 2013

    Thank you so much! I only wish I had found this post sooner.

  17. Abhay April 16, 2013

    Hi David,

    Even after updating the certs, I get same error

    I have also set absolute path for the latest crt file

    curl_setopt($ch, CURLOPT_CAPATH, “/path/to/certfile”);
    curl_setopt($ch, CURLOPT_CAINFO, “cacert.pem”);

    —————-
    successfully set certificate verify locations:
    * CAfile: none
    CApath: /etc/ssl/certs
    * SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    * Closing connection #0
    —————-

Be Heard

Tip: Wrap your code in <pre> tags or link to a GitHub Gist!

Use Code Editor
Older
iPhone
Newer
Image Protection Using PHP, the GD Library, JavaScript, and XHTML