Magento 2: SSL certificate problem: unable to get local issuer certificate (cURL problem)

The message “SSL certificate problem: unable to get local issuer certificate” shows up when trying to connect to Magento Connect or when, generally, you try to use cURL to connect to a remote web site.

This error happens because cURL cannot find a cacert.pem file from which to take the trusted CA certificates.

There are some ways to set this file in cURL:

  1. Pass the cacert.pem file path directly to cURL when making the call;
  2. Set the path to the cacert.pem file in the php.ini.

Other options are to set the environment variable CURL_CA_BUNDLE or to put the cacert.pem file in a defined directory on your filesystem depending on your OS.

But, as we are working with digital certificates with PHP cURL, let's use PHP! 🙂

Pass the cacert.pem file path directly to cURL when making the call

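To do this, pass the cacert.pem file path as the 'cafile' option to the stream_context_create() function:

$contextOptions = [
    'ssl' => [
        // Verify the peer's certificate chain and host name
        'verify_peer' => true,
        'verify_peer_name' => true,
        'allow_self_signed' => false,
        // CA bundle used to validate the chain
        'cafile' => 'path/to/your/cacert.pem',
        'ciphers' => 'HIGH',
        'disable_compression' => true,
        // Keep the peer certificate, chain and session details for inspection
        'capture_peer_cert' => true,
        'capture_peer_cert_chain' => true,
        'capture_session_meta' => true,
    ]
];

// Pass $context to stream functions, e.g. file_get_contents($url, false, $context)
$context = stream_context_create($contextOptions);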
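
For requests made through the cURL extension itself, the per-call setting is CURLOPT_CAINFO, the option for which curl.cainfo supplies the default. The following is an added example, not code from the original post; verifiedGet(), the bundle path and the URL are illustrative assumptions.

```php
<?php
// Added example: per-call CA bundle for the cURL extension.
// verifiedGet(), the bundle path and the URL are illustrative assumptions.

function verifiedGet(string $url, string $caFile): string
{
    // CURLOPT_CAINFO needs a readable bundle; fail early with a clear message.
    $real = realpath($caFile);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("CA bundle not readable: $caFile");
    }
    // Sanity check: the file must contain at least one parseable PEM certificate.
    $pem = file_get_contents($real);
    if (!preg_match('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m)
        || openssl_x509_parse($m[0]) === false) {
        throw new RuntimeException("No valid PEM certificate found in $real");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CAINFO         => $real, // absolute path to the CA bundle
        CURLOPT_SSL_VERIFYPEER => true,  // validate the chain against the bundle
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match the host name
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // A missing issuer certificate surfaces here, typically as cURL error 60.
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}

// Show which CA sources PHP falls back to when none is passed per call.
printf("curl.cainfo    = %s\n", ini_get('curl.cainfo') ?: '(not set)');
printf("openssl.cafile = %s\n", ini_get('openssl.cafile') ?: '(not set)');
printf("OpenSSL default cert file = %s\n", openssl_get_cert_locations()['default_cert_file']);

try {
    echo strlen(verifiedGet('https://example.com/', 'path/to/your/cacert.pem')), " bytes\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Peer and host verification stay enabled throughout: the fix for the error is a correct CA bundle, not switching verification off.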

How to set the cacert.pem file path in the php.ini

The other more robust solution is to set the cacert.pem file path directly in the php.ini.

To do this, find the line curl.cainfo:

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
;curl.cainfo =

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=

To make cURL work with digital certificates, it is sufficient to set the curl.cainfo parameter:

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo = /usr/local/etc/openssl/certs/cacert.pem

Save the php.ini file and restart Apache. Try again and all should work well.

Magento: SSL certificate problem: unable to get local issuer certificate

Obviously, to solve the “SSL certificate problem: unable to get local issuer certificate” error in Magento when trying to connect to Magento Connect, the option we should choose is the second: set the cacert.pem file path directly in the php.ini.

Where to download a cacert.pem file

There isn’t an official cacert.pem, so we have to use the most accredited one, that is, the one compiled by Mozilla, which can be downloaded from http://curl.haxx.se/ca/cacert.pem

If you like, here you’ll find other useful php.ini settings for local web development.
