curl_exec error 60 SSL certificate problem: unable to get local issuer certificate

vicos

Greetings all,

Our php script which has used curl to talk to PayPal over https for years has mysteriously stopped working yesterday. Debugging reveals:

"curl_exec error 60 SSL certificate problem: unable to get local issuer certificate"

I am guessing this relates to PayPal action on 30-SEP:

Discontinue use of the VeriSign G2 Root Certificate. In accordance with industry standards, PayPal will no longer honor secure connections that require the VeriSign G2 Root Certificate for trust validation. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.

https://www.paypal-knowledge.com/in...t&widgetview=true&id=FAQ1766&viewlocale=en_US

Am I correct in assuming that the way to resolve is to update the CA cert data on the server? (Some threads on StackExchange suggest this route, although not specific to Linux/CPanel: stackoverflow.com/questions/29822686/curl-error-60-ssl-certificate-unable-to-get-local-issuer-certificate)

If yes, how is that best accomplished? The more details you can provide the better, as SSL is far from my expertise.

I checked /usr/local/lib/php.ini and I did not even see curl.cainfo.

P.S. We are using LiteSpeed.

TIA!
 

vicos

Does anyone from CPANEL have any input on this...how do you update the CA certs that PHP/CURL uses on a CPANEL server?

When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. Curl verifies whether the certificate is authentic, i.e. that you can trust that the server is who the certificate says it is. This trust is based on a chain of digital signatures, rooted in certification authority (CA) certificates you supply. curl uses a default bundle of CA certificates (the path for that is determined at build time)...

curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
curl.haxx.se/docs/sslcerts.html (cURL - SSL CA Certificates)
phpinfo shows only this option: -with-curl=/opt/curlssl/

So, what is the path for the "default bundle of CA certificates" ...

or should one just download a cacert.pem file from source ( as suggested here: stackoverflow.com/questions/29822686/curl-error-60-ssl-certificate-unable-to-get-local-issuer-certificate ), install it somewhere(??) and point to it in php.ini using curl.cainfo=/path/to/cacert.pem ?

BTW, the specific CA cert we are missing is VeriSign Class 3 Public Primary Certification Authority - G5 root certificate. See: Obtain the VeriSign Class 3 Public Primary Certification Authority - G5 root certificate | Symantec

I prefer to fix it the best practices way vs just hacking a solution.
 

cPanelMichael

Administrator
Staff member
Hello,

Does this system use EasyApache 3 on CentOS 6 or 7? If so, ensure the "curl-devel" package is installed via YUM, and both Curl and CurlSSL options are disabled in your EasyApache 3 profile. Then, add the following line to /var/cpanel/easy/apache/rawopts/all_php5 (create this file if it doesn't exist):

Code:
--with-curl=/usr
Once you do this, rebuild Apache via EasyApache and verify if the issue persists.

Note this is unnecessary with EasyApache 4 because PHP curl is compiled against the OS-supplied libcurl.

Thank you.
 
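Added example, not part of the thread and not cPanel's code: a PHP script that lists the CA bundle locations PHP exposes and checks each one for the G5 root named above, which is useful before and after the rebuild. The script name and the /etc/pki/tls/certs/ca-bundle.crt fallback are assumptions; these calls do not reveal libcurl's compiled-in default path, so pass that path as the argument if you know it.

```php
<?php
// Added example, not code from the thread.
// Usage: php check_ca_bundle.php [/path/to/bundle.pem]   (script name is hypothetical)

$wantCn = 'VeriSign Class 3 Public Primary Certification Authority - G5'; // root named in the thread

// Return [subject CN => notAfter timestamp] for every certificate in a PEM bundle.
function bundle_roots($pem) {
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $roots = array();
    foreach ($m[0] as $cert) {
        $info = openssl_x509_parse($cert);
        if ($info === false || !isset($info['subject']['CN'])) {
            continue; // unparsable entry, or a certificate identified only by O/OU
        }
        $cn = $info['subject']['CN'];
        $roots[is_array($cn) ? implode(' / ', $cn) : $cn] = $info['validTo_time_t'];
    }
    return $roots;
}

// Candidate bundle paths, most specific first.
$candidates = array(
    isset($argv[1]) ? $argv[1] : '',
    (string) ini_get('curl.cainfo'),    // explicit override for ext/curl (PHP 5.3.7+)
    (string) ini_get('openssl.cafile'), // default for PHP streams (PHP 5.6+)
);
if (function_exists('openssl_get_cert_locations')) { // PHP 5.6+
    $loc = openssl_get_cert_locations();
    $candidates[] = $loc['default_cert_file'];
}
$candidates[] = '/etc/pki/tls/certs/ca-bundle.crt'; // assumption: stock CentOS/RHEL location

$cv = curl_version();
echo "libcurl {$cv['version']} / {$cv['ssl_version']}\n";

foreach (array_unique(array_filter($candidates)) as $path) {
    if (!is_readable($path)) {
        echo "$path: not readable\n";
        continue;
    }
    $roots = bundle_roots(file_get_contents($path));
    if (!isset($roots[$wantCn])) {
        echo "$path: " . count($roots) . " named certificates, G5 root MISSING\n";
    } elseif ($roots[$wantCn] < time()) {
        echo "$path: G5 root present but expired\n";
    } else {
        echo "$path: G5 root present, valid until " . gmdate('Y-m-d', $roots[$wantCn]) . "\n";
    }
}
```

Run it under the same PHP that serves the site, since the CLI binary may load a different php.ini than the web SAPI.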