Troubleshoot curl error 60: Unable to get local issuer certificate
Problem
License validation fails and "cURL error 60: SSL certificate problem: unable to get local issuer certificate" is written to the application log in storage/logs/.
The error message may also be shown in other circumstances.
Cause
cURL is a library used by PHP for transferring data via URLs. When data transfer occurs over a secure connection,
an SSL handshake verifies that the certificate of the server you're connecting to is signed by a trusted Certificate Authority (CA).
It does this by checking against a local CA bundle which lists trusted authorities. When cURL cannot find a
valid local CA bundle, the "unable to get local issuer certificate" error message is shown.
Resolution
Global Resolution
To specify the location of the CA bundle you need to update your PHP configuration:
- Find the location of your php.ini file. Usually the easiest way to do this is to create a PHP file:
    <?php var_dump(php_ini_loaded_file());
  Creating a new PHP file inside of the base directory of SupportPal is not possible due to web server redirect rules. Instead please temporarily edit the index.php file.
- Download cacert.pem
- Move the cacert.pem file to an accessible file store, e.g.
    Linux: /etc/pki/tls/cacert.pem
    Windows: C:\php\extras\ssl\cacert.pem
- Edit the php.ini file, e.g.
    curl.cainfo = "/etc/pki/tls/cacert.pem"
    openssl.cafile = "/etc/pki/tls/cacert.pem"
- Reboot your web server; if using a PHP process manager (php-fpm) you may also need to restart that service.
License Client Resolution
In SupportPal versions prior to 3.3.0 the license client included a local CA bundle. If you're still experiencing
the same error message having followed the global resolution steps, you may need to also overwrite
the cacert.pem file stored at vendor/supportpal/license_client/src/certs/cacert.pem.
Help - it's still not working
If you're still experiencing the error having followed the above two sections, then one of the following has happened:
- The services were restarted incorrectly. Perhaps try a full reboot of the server.
- The wrong php.ini was updated.
- Another local certificate authority is overriding the one defined.
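To tell which of these applies, the following diagnostic reports the php.ini actually loaded and checks that each configured CA bundle is readable and contains parseable certificates. It is an added example, not part of SupportPal; it assumes the openssl extension is loaded, and the function names count_valid_certs and check_bundle are chosen here for illustration.

```php
<?php
// Added example (not SupportPal code): report which php.ini and CA bundle
// this PHP runtime uses, and whether each configured bundle is usable.

/** Count the certificates in a PEM bundle that OpenSSL can parse. */
function count_valid_certs(string $pem): int
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $valid = 0;
    foreach ($m[0] as $block) {
        if (@openssl_x509_read($block) !== false) {
            $valid++;
        }
    }
    return $valid;
}

/** Describe the state of one php.ini CA bundle setting. */
function check_bundle(string $setting): string
{
    $path = (string) ini_get($setting);
    if ($path === '') {
        return "$setting: not set";
    }
    if (!is_file($path) || !is_readable($path)) {
        return "$setting: $path is missing or not readable by PHP";
    }
    $n = count_valid_certs((string) file_get_contents($path));
    return $n > 0
        ? "$setting: $path OK ($n certificates)"
        : "$setting: $path contains no parseable certificates";
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
$report = [
    'PHP SAPI: ' . PHP_SAPI,
    'Loaded php.ini: ' . (php_ini_loaded_file() ?: 'none'),
    'Additional .ini files: ' . (str_replace("\n", ' ', trim((string) php_ini_scanned_files())) ?: 'none'),
    check_bundle('curl.cainfo'),
    check_bundle('openssl.cafile'),
];
// OpenSSL's compiled-in default locations, listed for comparison.
foreach (openssl_get_cert_locations() as $key => $value) {
    $report[] = "openssl default $key: $value";
}
echo implode(PHP_EOL, $report), PHP_EOL;
```

Run it under the same SAPI as the application (web server or php-fpm), because the command-line PHP may load a different php.ini.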
Server misconfiguration
It's possible that the server that you're trying to connect to is misconfigured. Check the domain
at SSL Labs to identify any issues. If "This server's certificate chain is incomplete." is shown, then the server is exposing an
incomplete certificate chain. The server administrator needs to download the intermediate certificate bundle from
the certificate authority and append it to their primary certificate, for example:
    $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
Zscaler
Zscaler is a program to control internet connections and defines
its own root CA bundle. You need to manually create a certificate bundle for Zscaler that permits connections
to licensing.supportpal.com.
- Open Firefox to https://licensing.supportpal.com/
- Click on the padlock, click the arrow, then More Information
- Click on View Certificate
- Scroll down to Miscellaneous
- Download PEM (Cert)
- Rename the downloaded file to cacert.pem
- Overwrite vendor\supportpal\license_client\src\certs\cacert.pem
- Update php.ini as advised in the steps above.