Laravel Guzzle : curl error 77 error setting certificate verify locations

  • OS: Ubuntu 16.04
  • PHP : 7.2
  • CURL : curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
  • Guzzle: 6.3

My project is currently using some packages that depend on Guzzle, e.g. AWS, Mailgun... However, it often threw this error:

    error: cURL error 77: error setting certificate verify locations:
    CAfile: /etc/ssl/certs
    CApath: /etc/ssl/certs (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

Below is part of my php.ini

    [curl]
    ; A default value for the CURLOPT_CAINFO option. This is required to be an
    ; absolute path.
    curl.cainfo='/etc/ssl/certs/ca-certificates.crt'

    [openssl]
    ; The location of a Certificate Authority (CA) file on the local filesystem
    ; to use when verifying the identity of SSL/TLS peers. Most users should
    ; not specify a value for this directive as PHP will attempt to use the
    ; OS-managed cert stores in its absence. If specified, this value may still
    ; be overridden on a per-stream basis via the "cafile" SSL stream context
    ; option.
    openssl.cafile='/etc/ssl/certs/ca-certificates.crt'

    ; If openssl.cafile is not specified or if the CA file is not found, the
    ; directory pointed to by openssl.capath is searched for a suitable
    ; certificate. This value must be a correctly hashed certificate directory.
    ; Most users should not specify a value for this directive as PHP will
    ; attempt to use the OS-managed cert stores in its absence. If specified,
    ; this value may still be overridden on a per-stream basis via the "capath"
    ; SSL stream context option.
    openssl.capath='/etc/ssl/certs/'

None of this works, even though retrieving the values via ini_get() is OK and they are fully recognized. For now, I have to use a workaround: modifying vendor/guzzlehttp/guzzle/src/Client.php and adjusting the default config to 'verify' => '/etc/ssl/certs/ca-certificates.crt', then everything's OK (which I believe is not a good option).

Retrieving via ini_get():

    array(8) {
    ["default_cert_file"]=> string(21) "/usr/lib/ssl/cert.pem"
    ["default_cert_file_env"]=> string(13) "SSL_CERT_FILE"
    ["default_cert_dir"]=> string(18) "/usr/lib/ssl/certs"
    ["default_cert_dir_env"]=> string(12) "SSL_CERT_DIR"
    ["default_private_dir"]=> string(20) "/usr/lib/ssl/private"
    ["default_default_cert_area"]=> string(12) "/usr/lib/ssl"
    ["ini_cafile"]=> string(34) "/etc/ssl/certs/ca-certificates.crt"
    ["ini_capath"]=> string(15) "/etc/ssl/certs/"
    }

    openssl.cafile: /etc/ssl/certs/ca-certificates.crt
    curl.cainfo: /etc/ssl/certs/ca-certificates.crt

Note: I've tried setting up ~/.curlrc together with export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt, but none of this works.

Does anyone have any solution or any clue to solve this issue?

user2663561 asked May 15 '18 08:05


1 Answer

Relating to the 'SSL certificate problem: unable to get local issuer certificate' error. Rather obviously, this applies to the system sending the CURL request (and not the server receiving the request).

  1. Download the latest cacert.pem from https://curl.haxx.se/ca/cacert.pem

  2. Add the following line to php.ini (if this is shared hosting and you don't have access to php.ini then you could add this to .user.ini in public_html)

    curl.cainfo="/path/to/downloaded/cacert.pem"
    

    Make sure you enclose the path within double quotation marks!!!

  3. Grant permission to your web server user, like nginx or www-data, to read the file.

    sudo chown www-data /etc/ssl/certs/cacert.pem
    
  4. Last step: restart fpm and nginx or Apache.

Raul Martinez answered Oct 08 '22 23:10
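
The error output in the question reports `CAfile: /etc/ssl/certs`, which is a directory, and the answer's steps rely on the bundle being readable by the web server user. As an added example (not part of the original question or answer), this shell function checks a CA bundle path for those conditions; the function name `check_ca_bundle` and its return codes are this example's own.

```shell
#!/bin/sh
# Added example: preflight check for the file named in curl.cainfo,
# openssl.cafile or Guzzle's 'verify' option. The function name and the
# return codes are this example's own convention, not part of curl or PHP.
#   0 = usable, 1 = missing, 2 = directory, 3 = unreadable, 4 = no PEM certs

check_ca_bundle() {
    ca_path=$1

    if [ -z "$ca_path" ] || [ ! -e "$ca_path" ]; then
        echo "missing: '$ca_path'" >&2
        return 1
    fi
    # A CA *file* setting must name a bundle file; a hashed directory such
    # as /etc/ssl/certs belongs in the CApath setting instead.
    if [ -d "$ca_path" ]; then
        echo "is a directory, not a bundle file: $ca_path" >&2
        return 2
    fi
    # -r is evaluated for the current user, so run this as the web server
    # account (e.g. www-data) to reproduce what PHP-FPM sees.
    if [ ! -r "$ca_path" ]; then
        echo "not readable by $(id -un): $ca_path" >&2
        return 3
    fi
    # Count PEM certificate headers; "|| true" because grep exits 1 on zero matches.
    ca_count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_path" || true)
    if [ "${ca_count:-0}" -eq 0 ]; then
        echo "no PEM certificates found in: $ca_path" >&2
        return 4
    fi
    echo "ok: $ca_count certificate(s) in $ca_path"
    return 0
}

# Stand-alone use: pass one or more paths on the command line.
if [ "$#" -gt 0 ]; then
    status=0
    for p in "$@"; do
        check_ca_bundle "$p" || status=$?
    done
    exit "$status"
fi
```

Saved under a name of your choosing (here `check_ca.sh`, a placeholder), run it as the account PHP runs under, for example `sudo -u www-data sh check_ca.sh /etc/ssl/certs/ca-certificates.crt`, since readability is evaluated for the current user.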