cURL is a great library created by Daniel Stenberg, that allows you to connect and communicate to many different types of servers using many different types of protocols. In particular, it’s used heavily in PHP to communicate to Payment Gateways and fetch XML feeds from other sites whilst being ‘transparent’ to web page visitors.
The particular secret I would like to share involves establishing connections to secure sites (SSL-enabled ones in particular). When you browse to an SSL–enabled site in your web browser, a few things happen… One of the things that happen is that your browser checks to see if the site’s security certificate is trusted. It does this by checking the entity that signed the certificate against it’s built in book of trusted signatures and if it finds a match, onto the next step. However, if your browser can’t find a match the certificate will be invalid and it will complain that the site could potentially be a fake or insecure.
The ‘book of trusted signatures’ is known as a Certificate Authority bundle and usually comes built in with most web browsers. If you install cURL (the standalone version that can be run from the command–line), chances are it will come with the cURL Certificate Authority bundle and you won’t need to do a thing as the cURL functions within PHP will use this as it’s book of trusted signatures. However, on Windows the cURL functions within PHP are pre–built and included in the standard PHP setup, thus do not include this bundle. Chances are if you don’t know this you’ll probably spend a good amount of your time screaming at your webpage as it mocks you with error number 60! I know I spent quite a good few hours wondering why it worked on my Linux PC but not on the Windows server!
CURL Error 60: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Luckily the fix is quite easy…
Download standalone cURL for Windows (make sure it is the SSL version).
Download the .pem file from the cURL site and rename the extension to .crt- Extract curl-ca-bundle.crt from the download and copy to your web server folder.
- Add the following line to your code: –
curl_setopt($ch, CURLOPT_CAINFO, "c:/path/to/ca-bundle.crt");
- Remember to change $ch to the variable you’ve assigned your curl connection to and “c:/path/to/ca-bundle.crt” to the location of where you have copied the ca-bundle.crt.
- Check the server has permission to read this file.
If you are getting started with cURL, here is some sample code I’ve written that should get you started. It outputs the contents of the secure server to a string, which is echoed out to your page.
// Set up cURL connection
$url = 'https://www.verisign.com/';
$ca = 'c:/path/to/ca-bundle.crt';
$ch = curl_init();
// Apply various settings
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0); // Don’t return the header, just the html
curl_setopt($ch, CURLOPT_CAINFO, $ca); // Set the location of the CA-bundle
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Return contents as a string
$result = curl_exec ($ch);
curl_close($ch);
echo $result;That’s it! You should now be able to connect successfully to SSL-enabled websites using the cURL functions of PHP on your Windows server.
UPDATE 2010/08/20: Apparently the certificates aren’t shipped with the archived versions any more. To get the latest certificate bundle that’s been extracted from the Mozilla browser you can download the .pem file from the cURL site and rename the extension to .crt.
You sir get a gold star. Thanks for stopping my yelling at my webserver.
Thanks for this post. It has saved me a bunch of time getting some localhost curl things working!
I’m glad I could help Bob.
Awesome! Helped tonnes. Thank you.
Hello, thanks for the post! I was just struggling with the same problem myself. But, I’m also having this problem in my Linux machine, with a different explanation:
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:func(144):reason(134)
Do you know how to fix it in Linux?
It’s seems to work for CURL but what about other PHP functions like fope, file_get_contents and the stream functions?
Thanks
Thanks so much! I don’t know why they don’t just include this critical piece with the PHP install.
You saved me a lot of time!
Jim
Thanks for the great post; and highly useful update! The error “60” had me going, particularly since we do most of our development on Linux boxes.
Thank you thank you!
thank you very much sir…
you saved my life ;)
Thank you!!!!! Your guidance here helped me tremendously!
Thanks. Great content and saved me a lot of time :)
i have downloaded the file cacert.pem file and rename it now how can i Extract curl-ca-bundle.crt…
My OS is Windows7.
Please Advice me….
Thank You Sir,
you made my day ;)
Thank You,
Very useful information !
Thank You! saved me a bunch of time testing a code snippet that will eventually run on a unix box.
I am getting this error for my wordpress while installing the plugin .
Please can you enlighten on how to follow these below steps : 2 -4 , i am all confused, where to extract the file and where to add the code …its all very confusing.
thanks, i use it on SoundCloud API, and work.
it worked…Thaks a lot….Awesome work !!! keep it up.
Thanks! Very useful!
Great post mate.
This fixed my problem trying to run the PHP SDK for Amazon Web Services from my local development machine.
Very useful post :)
Np Ben. Did you find this link via Google? I wrote this blog post almost 5 years ago now. Amazed anyone still finds this link!
Thankx Richards. you saved my day too..
Hello Richard,
Im working with nusoap, and ssl, with a selfsigned certificate, i set those variables:
$oSoap->scheme=”https”;
$oSoap->authtype = ‘certificate’;
$oSoap->certRequest[‘cainfofile’]=”/etc/pki/tls/certs/ca-bundle.crt”;
$oSoap->certRequest[‘verifypeer’]=true;
$oSoap->certRequest[‘verifyhost’]=2;
in ca-budnle file i concatenate the certificate from the site i want to has access.
and im reciving:
Error [HTTP Error: cURL ERROR: 60: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The thing is i must go trough https, because is a secured server and only works in that way.
Can You give me an advice?
I’d double-check that the certificate file has the right permissions and that the script can access it.
Thanks for the information. saved me lot of time from shifting from linux to windows
The document is very helpful. It get me out from problem.
Really this helped me to fix the issue with WordPress on Windows. Thanks mate
Thank you thank you! Thank you thank you! Thank you thank you! Thank you thank you! Thank you thank you! Thank you thank you! Thank you thank you!
Hi, i have this error.
but i didnt solve my problem. Please help me.
“SSL certificate problem, verify that the CA cert is OK. Retrying with the CA cert bundle from google-api-php-client.
”
error
Although this describes a fix in a Windows environment, might a procedure similar to this resolve this problem in a Linux-based environment using CentOS?
Yes, this works great in Unix, Linux and Mac environments too.
Just another tip: the path to the crt or pem file needs to be absolute, relative paths don’t work. You can use realpath(); to overcome this
This is great, I stumbled upon to this post by link at google group, yes, about 5 years ago :)
Thank you very much!
I LOVE U !
Thanks for you help I was trying to figure out why cURL was working on my test server but not my dev laptop. Spent a good 1/2 a day on this before reading your site
Thank you so very much! You saved my ass man!
Thank Yooooooooooooooou
Thank you a ton for this well written article. It saved me some hair pulling!
Thanks Richard, after wasting few hours on this issue, we found your solution and voila! it worked.
Thanks for a great fix, luckily you come up high when searching, cheers for your work…
Search was on google.co.uk for:
php curl https local machine
5th result…
Thanks for saving me such a major headache.
If only the error message said your need the “certificate file stored locally on your pc and which php param to set”
Thanks for that hint. Worked perfect for me.
Thank you sir it saved my time with my AWS setup.
Thank you, this is what worked for me after lots of head-scratching.