
PayPal IPN: unable to get local issuer certificate

I am using curl to verify the PayPal IPN, but it throws an error: SSL certificate problem: unable to get local issuer certificate. The same code works on the development server, but when I moved it to the client's server it does not work.

Do I need to purchase SSL certification in order to make payments via PayPal Express Checkout, or do I need to change anything in my code or any setting on the server? Curl is already enabled on the server. Any help will be appreciated.

My code is below; it's a reduced test page for this:

$req = ''; // placeholder: holds the parameters received from PayPal

$ch = curl_init("https://www.sandbox.paypal.com/cgi-bin/webscr");
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $req);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close'));

curl_exec($ch);
if(curl_errno($ch))
{
    echo 'Curl error: ' . curl_error($ch);
}
Dijo asked Feb 19 '13 07:02




2 Answers

You're telling cURL to validate the SSL connection but you're not telling it what to validate against:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

Make sure you point to an up-to-date list of CAs to trust by adding:

curl_setopt($ch, CURLOPT_CAPATH, "./cacert.pem");

If you don't have an up-to-date cacert list yourself, I'd recommend downloading the one supplied by the cURL maintainer: cacert.pem.

Robert answered Nov 10 '22 23:11


You want CURLOPT_CAINFO (points to a PEM file) not CURLOPT_CAPATH (which points to a directory containing PEM files).

curl_setopt($ch, CURLOPT_CAINFO, "./cacert.pem");
fellow-pemmer answered Nov 11 '22 00:11
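
Added example (not part of either answer and not PayPal's code): a PHP sketch that chooses CURLOPT_CAINFO or CURLOPT_CAPATH according to whether the configured trust-store location is a file or a directory, and fails closed instead of turning verification off. The function names and the `$caLocation` parameter are hypothetical; the endpoint is the sandbox URL from the question.

```php
<?php
// Added example. trustStoreOption(), verifyIpn() and $caLocation are
// hypothetical names, not part of cURL or of PayPal's sample code.

/**
 * Map a trust-store path to the matching cURL option:
 * CURLOPT_CAINFO for a PEM bundle file, CURLOPT_CAPATH for a directory
 * (which OpenSSL expects to hold hash-named certificate files).
 */
function trustStoreOption(string $caLocation): array
{
    $real = realpath($caLocation); // "./cacert.pem" depends on the working directory
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("CA location not readable: $caLocation");
    }
    if (is_dir($real)) {
        return [CURLOPT_CAPATH => $real];
    }
    // A bundle file must contain at least one PEM certificate block.
    if (strpos(file_get_contents($real), '-----BEGIN CERTIFICATE-----') === false) {
        throw new RuntimeException("No PEM certificates found in $real");
    }
    return [CURLOPT_CAINFO => $real];
}

function verifyIpn(string $req, string $caLocation): string
{
    $ch = curl_init('https://www.sandbox.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $req,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep certificate chain validation on
        CURLOPT_SSL_VERIFYHOST => 2,    // keep hostname matching on
    ] + trustStoreOption($caLocation));

    $body = curl_exec($ch);
    if ($body === false) {
        // Error 60 is what cURL reports for "unable to get local issuer certificate".
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}
```

Resolving the path with `realpath()` also surfaces the case where a relative `./cacert.pem` works on one server and not another because the script runs from a different working directory.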