We are running 2 applications on Amazon EC2 (backend.abc.com & frontend.abc.com). For those applications, we used a paid SSL certificate. That certificate's expiration date is 2021 June. But today, we got an error -
cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
We checked the certificate expiration date, but there was no problem (2021 June). Then we followed this thread - curl: (60) SSL certificate problem: unable to get local issuer certificate (@Dahomz answer)
After that, when we curl abc.com with -
curl -v --url https://backend.abc.com --cacert /etc/ssl/ssl.cert/cacert.pem
it works fine. The response is like -
* Rebuilt URL to: https://backend.abc.com/
* Trying 127.0.0.1...
* Connected to backend.abc.com (127.0.0.1) port 443 (#0)
* found 139 certificates in /etc/ssl/ssl.cert/cacert.pem
* found 600 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ******_RSA_***_***_GCM_*****
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.abc.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.abc.xyz
* start date: Mon, 04 May 2019 00:00:00 GMT
* expire date: Wed, 07 June 2021 23:59:59 GMT
* issuer: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA
* compression: NULL
* ALPN, server accepted to use http/1.1
But when we hit from frontend.abc.com to backend.abc.com by curl, it throws this error -
* Rebuilt URL to: https://backend.abc.com/
* Trying 127.0.0.1...
* Connected to backend.abc.com (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/ssl.cert/cacert.pem
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / *****-RSA-*****-GCM-******
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.abc.com
* start date: Mar 4 00:00:00 2019 GMT
* expire date: Apr 7 23:59:59 2021 GMT
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify result: certificate has expired (10), continuing anyway.
My curl code -
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://backend.abc.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Write curl's verbose trace (the output shown above) to c.log
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_STDERR, fopen(public_path("c.log"), 'w'));
// Peer and host verification are switched off here, which is why the
// trace says "certificate has expired (10), continuing anyway"
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
$output = curl_exec($ch);
$error = curl_error($ch);
$info = curl_getinfo($ch);
curl_close($ch);
The only solution to this problem is to get your host to update the root certificate on your server. So, you need to contact your server host and ask them to insert a new cacert.
How to solve this problem: download and extract cacert.pem following the instructions at https://curl.se/docs/caextract.html. Save it on your filesystem somewhere (for example, XAMPP users might use C:\xampp\php\extras\ssl\cacert.
Error “curl: (60) SSL certificate problem: unable to get local issuer certificate” can be seen when the SSL certificate on the server is not verified or properly configured.
To fix the problem, remove the expired root certificate from your domain certificate.
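Before an expired certificate can be removed from a bundle (the chain file the server sends, or a client-side cacert.pem), you have to know which entry it is. The script below is an added example, not part of the original answers: it splits a PEM bundle and reports every certificate that has expired or will expire within a look-ahead window. The host names, the throwaway self-signed certificates and the 2-day window are constructed for the demo.

```shell
#!/bin/sh
# Added example: report expired (or soon-to-expire) certificates in a PEM bundle.

# expired_in_chain FILE [SECONDS]
# Prints subject and notAfter of each certificate in FILE that expires within
# SECONDS from now (default 0 = already expired). Runs in a subshell.
expired_in_chain() (
    chain=$1
    ahead=${2:-0}
    tmp=$(mktemp -d) || exit 1
    # Split the bundle: one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$chain"
    for pem in "$tmp"/cert*.pem; do
        [ -e "$pem" ] || continue
        # -checkend exits non-zero when notAfter falls inside the window.
        if ! openssl x509 -in "$pem" -noout -checkend "$ahead" >/dev/null 2>&1; then
            openssl x509 -in "$pem" -noout -subject -enddate | paste -sd' ' -
        fi
    done
    rm -rf "$tmp"
)

# make_demo_chain DIR
# Constructed sample input: two throwaway self-signed certificates (valid for
# 365 days and for 1 day) concatenated into DIR/chain.pem.
make_demo_chain() (
    dir=$1
    for spec in "leaf.example.test:365" "old-root.example.test:1"; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=${spec%%:*}" -days "${spec##*:}" \
            -keyout "$dir/key.pem" -out "$dir/${spec%%:*}.pem" 2>/dev/null
        cat "$dir/${spec%%:*}.pem"
    done > "$dir/chain.pem"
)

# Demo: run the script with --demo to build the sample bundle and check it
# with a 2-day look-ahead, which flags only the 1-day certificate.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_demo_chain "$demo_dir"
    expired_in_chain "$demo_dir/chain.pem" 172800
    rm -rf "$demo_dir"
fi
```

On a real system, call `expired_in_chain` on the chain file your web server is configured to send and on the CA bundle the failing client uses; with no second argument it lists only certificates that are already past their expiry date.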
If you're having this issue with "curl" (or similar) on an Ubuntu 16 system, here's how we fixed it:
On the Ubuntu 16 system hosting the curl / app that fails: