
Curl causes SSL: unable to get local issuer certificate

Tags: php, curl, macos, ssl

After installing Homebrew PHP 5.5 on Mac OS Yosemite following this answer's steps, I found that I could connect to the external SSL hosts which had given me an 'Error Number:56 Error String:SSLRead() return error -9806' before. This problem has been fixed.

But now, at my day job I run into another SSL issue with another HOST: Canvas API.

Running the following Curl on terminal (using OSX native curl)

curl -v -H "Accept: application/json" -H "Content-type: application/json" -X GET \
  -d '{"userid": "mohit", "password":"password"}' https://canvas.instructure.com/api/v1/accounts

works fine, but through PHP I am getting SSL certificate problem: unable to get local issuer certificate.

So my original issue is fixed now that I use OpenSSL in PHP Curling, but I got this new issue.

I did try to add a PEM file to my php.ini, curl.cainfo = "/usr/local/cacert.pem" but that triggered another error

error setting certificate verify locations: CAfile: /usr/local/cacert.pem CApath: none.

I am a bit puzzled. I need to have the Brew PHP Curl version working for both APIs. Now the one that wasn't working is working, but the other one, which was working, isn't (throwing the unable to get local issuer certificate message). Any wisdom would be appreciated.

EDIT: Curl output from php -i:

cURL support => enabled
cURL Information => 7.38.0
Age => 3
Features
AsynchDNS => No
CharConv => No
Debug => No
GSS-Negotiate => No
IDN => No
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => Yes
SPNEGO => No
SSL => Yes
SSPI => No
TLS-SRP => Yes
Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps,
             pop3, pop3s, rtsp, smtp, smtps, telnet, tftp
Host => x86_64-apple-darwin14.0.0
SSL Version => OpenSSL/1.0.1j
ZLib Version => 1.2.5
asked Oct 31 '14 03:10

Mattijs


1 Answer

This looks to be a bug in homebrew's curl formula for which I have just submitted a fix. https://canvas.instructure.com/ has a certificate issued by GoDaddy and those don't seem to be working with a brewed curl that uses a brewed openssl. If/when the maintainers of homebrew accept my patch, you'll be able to simply get this fix with:

$ brew rm curl # remove your broken brewed curl
$ brew update
$ brew install --with-openssl curl

Until that happens, you can install the fix directly from my pull request like this:

$ brew rm curl # remove your broken brewed curl
$ brew install --with-openssl https://raw.githubusercontent.com/asaph/homebrew/curl-openssl-godaddy-ca-bug/Library/Formula/curl.rb

Update:

The homebrew maintainers merged my patch so the fix is officially in homebrew now. So just run the first 3 commands I described above. No need to install from the pull request anymore.

answered Oct 21 '22 09:10

Asaph
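
A way to check from PHP itself which CA file the curl extension is using and whether it is usable, while leaving peer verification switched on. This is an added example, not part of the question or the answer; the script name `ca_check.php` and both function names are hypothetical, and it needs the curl and openssl extensions.

```php
<?php
// Added diagnostic, not from the original post. Peer verification stays on.
// Return a list of findings about the CA bundle at $path.
function check_ca_bundle($path)
{
    if ($path === false || $path === '') {
        return array('no CA file configured; libcurl will use its built-in default');
    }
    if (!is_file($path) || !is_readable($path)) {
        // libcurl reports this as "error setting certificate verify locations" (errno 77)
        return array("$path is missing or not readable by this PHP process");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        file_get_contents($path), $m);
    $expired = $unparsable = 0;
    foreach ($m[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            $unparsable++;
        } elseif ($info['validTo_time_t'] < time()) {
            $expired++;
        }
    }
    return array(sprintf('%s: %d certificates, %d expired, %d unparsable',
        $path, count($m[0]), $expired, $unparsable));
}

// Fetch $url with verification enabled; return a status line or libcurl's error.
function verified_get($url, $caFile)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // check the chain
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // check the host name
    if ($caFile) {
        curl_setopt($ch, CURLOPT_CAINFO, $caFile);
    }
    $out = curl_exec($ch) !== false ? 'chain verified'
        : sprintf('errno %d: %s', curl_errno($ch), curl_error($ch));
    return $out;
}

// Usage: php ca_check.php [ca-file] [https-url]; with no URL only local checks run.
$ca = isset($argv[1]) ? $argv[1] : ini_get('curl.cainfo');
$v = curl_version();
echo "libcurl {$v['version']} built against {$v['ssl_version']}\n",
    implode("\n", check_ca_bundle($ca)), "\n";
echo isset($argv[2]) ? verified_get($argv[2], $ca) . "\n" : '';
```

A "missing or not readable" finding corresponds to the `error setting certificate verify locations` message in the question, while errno 60 from the fetch corresponds to `unable to get local issuer certificate`.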