Using CURLOPT_CAINFO with updated CA bundle causes certificate verify failed

Tags: php, curl

I use cURL to verify PayPal transactions in a WordPress plugin. Recently I started receiving bug reports about users not being able to complete the purchase process because the transaction couldn't be verified. I tracked down the error to:

SSL certificate problem, verify that the CA cert is OK. Details: 
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I found a lot of questions here on Stack Overflow related to the same problem; most of them said the solution was to provide a CA bundle via cURL's CURLOPT_CAINFO option. I downloaded and currently ship with the plugin the most recent version (converted on Jun 28, 2012) of http://curl.haxx.se/ca/cacert.pem. That solved most of the issues I had received.

The problem now is that I just received another report of failed payments and the error was the same: SSL certificate problem, verify that the CA cert is OK. The interesting part is that this time the solution was to remove the CURLOPT_CAINFO option. I'm wondering if there is an explanation for this. I thought using an updated CA bundle, such as the one I downloaded, was a general solution, but it appears to be otherwise.

What would be a general solution for this kind of problem, and what could explain that using the updated CA bundle causes SSL certificate problems instead of fixing them?

This is the cURL configuration:

<?php
    // $content holds the transaction fields to be verified (built earlier in the plugin)
    $ch = curl_init("https://www.paypal.com/cgi-bin/webscr");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // verify the peer certificate chain
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);      // and that the name matches the host
    curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');
    curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    if ($response === false) {
        // curl_error() carries the TLS diagnostic quoted above
        $error = curl_error($ch);
    }
    curl_close($ch);
?>

UPDATE: The certificate for www.paypal.com is signed by VeriSign. The Certificate Hierarchy (as shown in Firefox) is:

  • VeriSign Class 3 Public Primary Certification Authority - G5
  • VeriSign Class 3 Extended Validation SSL CA
  • www.paypal.com

I can confirm the certificate for VeriSign Class 3 Public Primary Certification Authority - G5 is included in the version I'm using of http://curl.haxx.se/ca/cacert.pem.

Thanks for your help.

Willington Vega asked Sep 06 '12 17:09
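The two checks a practitioner wants when a shipped CA bundle behaves differently across hosts are (a) whether the bundle file is actually readable at the path the web server resolves, and (b) whether the root that anchors the server's chain is really inside it. The example below is added here and is not code from the question, the answer or the plugin; it parses the PEM bundle with ext-openssl to list the subject CNs, confirms the VeriSign G5 root named in the question is present, and performs the POST with peer and hostname verification always enabled, reporting the libcurl error number so a failure can be attributed to the bundle file (77), to chain validation (60) or to plain transport trouble. The function names, the bundle path and the request body are assumptions for illustration.

```php
<?php
// Added example (not from the question, the answer or the plugin):
// diagnose a CURLOPT_CAINFO failure instead of removing verification.
// Assumed: ca_bundle_subjects(), ca_bundle_contains(), verified_post()
// and the paths/payload below are illustrative.

/**
 * Parse every certificate in a PEM bundle and return each subject CN.
 * Returns [] if the file cannot be read (requires ext-openssl).
 */
function ca_bundle_subjects(string $bundlePath): array
{
    if (!is_readable($bundlePath)) {
        return [];
    }
    $pem = file_get_contents($bundlePath);
    preg_match_all(
        '/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
        $pem,
        $blocks
    );
    $subjects = [];
    foreach ($blocks[0] as $block) {
        $parsed = openssl_x509_parse($block);
        if ($parsed !== false && isset($parsed['subject']['CN'])) {
            $subjects[] = $parsed['subject']['CN'];
        }
    }
    return $subjects;
}

/** True when a certificate with exactly this subject CN is in the bundle. */
function ca_bundle_contains(string $bundlePath, string $subjectCn): bool
{
    return in_array($subjectCn, ca_bundle_subjects($bundlePath), true);
}

/**
 * POST with peer and hostname verification always on. Returns an array
 * describing the outcome so the caller can log the precise cause.
 */
function verified_post(string $url, string $body, string $bundlePath): array
{
    // Fail early: a relative or unreadable path is a common reason a shipped
    // bundle "works" on one host and fails on another.
    if (!is_readable($bundlePath)) {
        return ['ok' => false, 'stage' => 'bundle',
                'error' => "CA bundle not readable: $bundlePath"];
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_SSL_VERIFYPEER => true,   // never set to false to "fix" error 60
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $bundlePath,
    ]);
    $response = curl_exec($ch);
    $errno    = curl_errno($ch);
    $error    = curl_error($ch);
    $verify   = curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT); // OpenSSL X509_V_* code
    curl_close($ch);

    if ($response === false) {
        // 60: peer certificate could not be chained to a root in the bundle
        // 77: libcurl could not open or parse the bundle file itself
        $stage = in_array($errno, [60, 77], true) ? 'tls' : 'transport';
        return ['ok' => false, 'stage' => $stage, 'errno' => $errno,
                'error' => $error, 'verify_result' => $verify];
    }
    return ['ok' => true, 'body' => $response, 'verify_result' => $verify];
}

// Usage (constructed). The CN is the root from the chain shown in the question.
$bundle  = __DIR__ . '/cacert.pem';     // absolute path, not a bare 'cacert.pem'
$root    = 'VeriSign Class 3 Public Primary Certification Authority - G5';
$content = 'PLACEHOLDER_PAYLOAD';       // the transaction fields the plugin builds
if (!ca_bundle_contains($bundle, $root)) {
    error_log("Root '$root' missing from $bundle: stale or wrong bundle file");
}
$result = verified_post('https://www.paypal.com/cgi-bin/webscr', $content, $bundle);
if (!$result['ok']) {
    error_log('Verification request failed at stage ' . $result['stage']
        . ': ' . ($result['error'] ?? ''));
}
```

Two details matter for the bug reports described above. With CURLOPT_RETURNTRANSFER a transport or TLS failure yields `false`, whereas an empty but successful response yields `''`, so testing `=== false` and reading `curl_errno()` separates the two. And because the bundle is shipped with the plugin, building its path from `__DIR__` removes the dependency on the web server's working directory, which differs between hosts and can make the same relative path resolve on one installation and fail on another.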


1 Answer

See this URL:

http://davidwalsh.name/php-ssl-curl-error

or try this:

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,'https://thirdparty.com/token.php'); //not the actual site
curl_setopt($ch,CURLOPT_TIMEOUT,60);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_POST,1);
// $cid and $pass are supplied by the caller; encode them rather than concatenating raw values
curl_setopt($ch,CURLOPT_POSTFIELDS,http_build_query(['customer_id'=>$cid,'password'=>$pass]));
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,true);
curl_setopt($ch,CURLOPT_CAINFO,'mozilla.pem'); /* fixed! */ // use an absolute path so the server's cwd does not matter
$result = curl_exec($ch);
if($result === false) { /* error: nothing returned */ $error = curl_error($ch); } else { /* success! */ }
curl_close($ch);

Abid Hussain answered Sep 30 '22 17:09