PHP + cURL + SSL query

[imcjd]

Hi,

I have a query with using cURL (SSL version) with PHP + cPanel. Using cURL with SSL you supposedly need to provide a bundle of trustable root certificates.

Using the following code:

curl_setopt($curlSession, CURLOPT_SSL_VERIFYPEER, 1);

I am not providing a certificate bundle and it still seems to work. So that's weird for starters?

Regardless I provide a bundle from /etc/pki/tls/certs/ca-bundle.crt:

curl_setopt($curlSession, CURLOPT_CAINFO, '/etc/pki/tls/certs/ca-bundle.crt');

Now my question is, is it safe to use the ca-bundle.crt in this directory? Does cPanel update this as and when required?

Thanks

 

[cPanelMichael]

Hello

Yes, it's acceptable to use the /etc/pki/tls/certs/ca-bundle.crt file for cURL. cURL should use this file by default, but you can verify this by running a test cURL command with the verbose flag on your server. EX:

curl -v 'https://test.domain.tld/index.php' > test.index.html

Could you elaborate more on the question about the update of this file from cPanel? What's the behavior you are expecting?

Thank you.

 

[imcjd]

Hi Michael,

Thanks for the response.

I just wondered if cPanel ever takes responsibility for updating the ca-bundle.crt file or it's left to the OS? As I understand it, the root certificates referenced in that file get updated semi-regularly thus the file needs to be kept up-to-date?

 

[cPanelMichael]

Hello

The file you are referring to is controlled and updated by your operating system. For example, here's the output that shows which package is associated with the file:

# rpm -qf /etc/pki/tls/certs/ca-bundle.crt
ca-certificates-2015.2.6-70.1.el7_2.noarch

As far as automatically populating the CABundle field when installing a SSL certificate through cPanel/WHM, that's handled through an external cPanel repository.

Thank you.