Windows, cURL 60 unable to get local issuer certificate

Question

I have already tried a lots of options available for this problem on stackoverflow, unfortunately nothing is working for me so far.

It started with composer installation. My env details are listed below:

1. OS: Windows 7
2. PHP V 7.1.10, XAMPP version

3. I am running MINGW64, (which was installed with git v2.1.5)

   curl --version

   curl 7.56.1 (x86_64-w64-mingw32) libcurl/7.56.1 OpenSSL/1.0.2l (WinSSL) zlib/1.2.11 libidn2/2.0.4 libssh2/1.8.0 nghttp2/1.26.0

   Release-Date: 2017-10-23

   Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp

   Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 HTTPS-proxy MultiSSL Metalink

Now here it seems CURL with OpenSSL is installed correctly. When I was doing composer require or install it was reported me an error as follows:

I searched and figured out that its the local certificate problem so I downloaded the certificate/bundle from https://curl.haxx.se/docs/caextract.html, placed the certificate under C:\xampp\php\extras\ssl\ and changed the PHP.ini

curl.cainfo="C:\xampp\apache\bin\curl-ca-bundle.crt" openssl.cafile="C:\xampp\php\extras\ssl\curl-ca-bundle.crt"

this never worked. Then I placed my certificates under C:\Windows\System32\curl-ca-bundle.crt, changed the ini still it didn't work.

Then I downloaded cacert.pem from

https://gist.github.com/VersatilityWerks/5719158/download

and repeated steps to make it work with pem file. However I am afraid still no success here. Can anyone help me whats wrong going on here? Any help in this direction is much appreciated.

Answer 1

This is for Windows users, using curl-7.57.0-win64-mingw or similar version.

I have already shared this on another thread, but I think Windows users might stumble upon this question and my answer might help. So, sharing the step-by-step process.

This error basically means, curl is failing to verify the certificate of the target URI. If you trust the issuer of the certificate (CA), you can add that to the list of trusted certificates (e.g. It's a local IIS certificate, and you trust it for your development purposes).

For that, browse the URI (e.g. on Chrome) and follow the steps

1. Right click on the HTTPS secure padlock 🔒 icon on address bar
2. Click on certificate, it'll open a window with the certificate details
3. Go to 'Certification Path' tab
4. Click the ROOT certificate
5. Click View Certificate, it'll open another certificate window
6. Go to Details tab
7. Click Copy to File... button, it'll open the export wizard
8. Click Next
9. Select 'Base-64 encoded X.509 (.CER)'
10. Click Next
11. Give a friendly name that you can remember e.g. 'MyDomainX.cer' (browse to desired directory) and save
12. Click Next
13. Click Finish, it'll save the certificate file

So what did we do?

We basically saved the root certificate for the desired site (that we actually trust) as a local file. What do we do next?

Add that certificate to the list of trusted certificates

14. Now open this .cer file and copy the contents (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
15. Now go to the directory where curl.exe is saved e.g. C:\SomeFolder\curl-7.57.0-win64-mingw\bin
16. Open the curl-ca-bundle.crt file with a text editor (right click and open with...)
17. Append the copied certificate text to the end of the file. Save

What did we do now?

We added the certificate (content) to curl's main certificate bundle. So now curl will recognize this certificate and allow the domain.

Now your command should execute fine on curl.

Answer 2

Just posting this here for posterity as I spent the last 2 hours on this. NOTE: only tested on windows.

1. Make sure you have the curl version with ssl included ( the latest exe installer has it)
2. Download the cacert.pem from http://curl.haxx.se/docs/caextract.html
3. Rename cacert.pem to curl-ca-bundle.crt
4. Move the cacert.pem file to the curl.exe directory.

Fixed.