Troubleshoot curl error 60: Unable to get local issuer certificate

Problem

License validation fails and "cURL error 60: SSL certificate problem: unable to get local issuer certificate" is written to the application log in storage/logs/.

The error message may also be shown in other circumstances.

Cause

cURL is a library used by PHP for transferring data via URLs. When data transfer occurs over a secure connection, an SSL handshake verifies that the certificate of the server you're connecting to is signed by a trusted Certificate Authority (CA). It does this by checking against a local CA bundle which lists trusted authorities. When cURL cannot find a valid local CA bundle, the "unable to get local issuer certificate" error message is shown.

Resolution

Global Resolution

To specify the location of the CA bundle you need to update your PHP configuration:

  1. Find the location of your php.ini file.
    Usually the easiest way to do this is to create a PHP file:
    <?php
    
    var_dump(php_ini_loaded_file());
            
    Creating a new PHP file inside the base directory of SupportPal is not possible due to web server redirect rules. Instead, please temporarily edit the index.php file.
  2. Download cacert.pem
  3. Move the cacert.pem file to an accessible file store, e.g.

    Linux: /etc/pki/tls/cacert.pem
    Windows: C:\php\extras\ssl\cacert.pem

  4. Edit the php.ini file, e.g.
    
    curl.cainfo = "/etc/pki/tls/cacert.pem"
    openssl.cafile = "/etc/pki/tls/cacert.pem"
            
  5. Reboot your web server. If using a PHP process manager (php-fpm), you may also need to restart that service.

License Client Resolution

In SupportPal versions prior to 3.3.0, the license client included a local CA bundle. If you're still experiencing the same error message having followed the global resolution steps, you may also need to overwrite the cacert.pem file stored at vendor/supportpal/license_client/src/certs/cacert.pem.

Help - it's still not working

If you're still experiencing the error having followed the above two sections then you've either:

Server misconfiguration

It's possible that the server you're trying to connect to is misconfigured. Check the domain at SSL Labs to identify any issues. If "This server's certificate chain is incomplete." is shown, then the server is sending an incomplete certificate chain. The server administrator needs to download the intermediate certificate bundle from the certificate authority and append it to their primary certificate, for example:

$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
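
The effect of an incomplete chain can be reproduced offline with the openssl command-line tool, whose verification error text is what cURL repeats in error 60. This is an added example, not part of the original article: it builds a throwaway root, intermediate and server certificate (all constructed for the demo, reusing the file names from the command above), and the function names make_chain and check_served are assumptions.

```shell
#!/bin/sh
# Added example. Every key and certificate here is a throwaway value constructed for the demo.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Build root CA -> intermediate CA -> server certificate, reusing the article's file names.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$work/ca.ext"
  # Self-signed root: stands in for the client's trusted CA bundle (cacert.pem).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$work/root.key" -out "$work/cacert.pem" 2>/dev/null
  # Intermediate CA signed by the root: plays the role of the CA's bundle.crt.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$work/int.key" -out "$work/int.csr" 2>/dev/null
  openssl x509 -req -in "$work/int.csr" -CA "$work/cacert.pem" -CAkey "$work/root.key" \
    -CAcreateserial -extfile "$work/ca.ext" -days 2 -out "$work/bundle.crt" 2>/dev/null
  # Server certificate signed by the intermediate, not by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/bundle.crt" -CAkey "$work/int.key" \
    -CAcreateserial -days 2 -out "$work/www.example.com.crt" 2>/dev/null
  # The fix from the article: server certificate first, then the intermediate.
  cat "$work/www.example.com.crt" "$work/bundle.crt" > "$work/www.example.com.chained.crt"
}

# Verify the file a server would present ($1) against the client's CA bundle.
# The first certificate in the file is checked; the whole file is also offered
# as untrusted chain material, which is how a client treats what a server sends.
# Prints "ok" or OpenSSL's error reason; returns 0 only when the chain verifies.
check_served() {
  out=$(openssl verify -CAfile "$work/cacert.pem" -untrusted "$1" "$1" 2>&1) && { echo ok; return 0; }
  echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  return 1
}

make_chain
echo "server certificate only: $(check_served "$work/www.example.com.crt")"
echo "chained certificate:     $(check_served "$work/www.example.com.chained.crt")"
```

The client's CA bundle is identical in both checks; only the file presented by the server changes, which is why updating php.ini cannot fix this case.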

Zscaler

Zscaler is a program to control internet connections and defines its own root CA bundle. You need to manually create a certificate bundle for Zscaler that permits connections to licensing.supportpal.com.

  1. Open Firefox to https://licensing.supportpal.com/
  2. Click on the padlock, click the arrow, then click More Information
  3. Click on View Certificate
  4. Scroll down to Miscellaneous
  5. Download PEM (Cert)
  6. Rename downloaded file to cacert.pem
  7. Overwrite vendor\supportpal\license_client\src\certs\cacert.pem
  8. Update php.ini as advised in steps above.