Windows curl error 60: ssl certificate problem: unable to get local issuer certificate

Q: How do I fix curl 60 SSL certificate?

Locate the curl certificate PEM file location curl-config --ca -- > /usr/local/etc/openssl/cert.pem..

Q: What is a curl Error 60?

Error curl: (60) SSL certificate problem: unable to get local issuer certificate” can be seen when the SSL certificate on the server is not verified or properly configured.

2021. 5. 20. 14:16 | 개발 관련

Inhaltsverzeichnis Show

How do I fix curl 60 SSL certificate?
How do I fix unable to get local issuer certificate?
What is a curl Error 60?
How do I bypass a curl check certificate?

GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)

문제

Windows에서 구동되는 PHP에서 발생하는 문제, 리눅스 계열인 우분투 등지에선 본 적이 없는 오류인데, 찾아보니까 CA 인증 기관 파일이 없어서라고 한다. 정확한 이유는 모르겠지만...

해결

먼저 다음 URL에서 cacert.pem 파일을 다운로드 받자.

https://curl.haxx.se/ca/cacert.pem

해당 cacert.pem 파일을 다운로드 한 후에, 절대 경로로 찾기 편한 곳에 넣어주자. 나는 그냥 PHP 설치 폴더에 넣어줬다.

"curl.cainfo" 값을 찾은 후에, 앞에 있는 주석 표시(;)을 제거한 후 cacert.pem 파일의 경로를 넣어주자.

여담

이전에도 동일한 문제가 발생했는데, 포맷 후에도 또 이러길래 글을 쓴다. 거 사람 귀찮게 하네

Issue

I'm trying to get composer to work on a remote Windows-machine which is using a proxy, but I always get this error when doing a composer install/update:

[Composer\Downloader\TransportException] curl error 60 while downloading https://flex.symfony.com/versions.json: SSL certificate problem: unable to get local issuer certificate

This is my composer.bat:

@echo OFF :: in case DelayedExpansion is on and a path contains ! setlocal DISABLEDELAYEDEXPANSION set HTTP_PROXY=<proxyurl> php "%~dp0composer.phar" %*

Obviously setting the proxy is needed, if I delete the line, the error becomes this:

[Composer\Downloader\TransportException] curl error 28 while downloading https://flex.symfony.com/versions.json: Operation timed out after 10000 milliseconds with 0 out of 0 bytes received

composer diag gives me this (with the proxy set):

Checking composer.json: OK Checking platform settings: OK Checking git settings: OK Checking http connectivity to packagist: OK Checking https connectivity to packagist: OK Checking HTTP proxy: OK Checking github.com rate limit: OK Checking disk free space: OK Checking pubkeys: Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0 87719BA6 8F3BB723 4E5D42D0 84A14642 Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B 0C708369 153E328C AD90147D AFE50952 OK Checking composer version: OK Composer version: 2.0.9 PHP version: 7.4.7 PHP binary path: C:\Program Files\PHP\current\php.exe OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020 cURL version: 7.69.1 libz 1.2.11 ssl OpenSSL/1.1.1g zip: extension present, unzip not available

I've been through a lot of posts and tutorials, but none of the answers work for me. (Some are just about curl and it's options to switch off the cert-check but that doesn't work for composer). Here's what I have tried:

Downloaded cacert.pem from http://curl.haxx.se/ca/cacert.pem or https://curl.se/docs/caextract.html (no copy&paste as some said editing the file would corrupt it - however that's supposed to happen)
saved the file locally
activated openssl in php.ini
edited php.ini and added the path of the cert-file for "curl.cainfo" as well as "openssl.cafile" (according to some posts that makes a difference, so I tried both), used the full path and quotes, like this: curl.cainfo="C:\Program Files\PHP\cacert.pem"
moved the pem-file to different directories to make sure no Windows-permissions would make it inaccessible (I also set the file and it's directory to be accessible by all users just to make sure)
used php -r "print_r(openssl_get_cert_locations());" to find out the default certfile-location (it's "C:\Program Files\Common Files\SSL"), also saved the cert-file there

All of this did not work, the error remains the same. Then I found a post which set a repository in composer.json and explicitely set the certfile for that repo, so I also tried it and added this to my composer.json:

{ "repositories": [{ "type": "composer", "url": "https://flex.symfony.com", "options" : { "ssl" : { "cafile" : "cacert.pem" } } }] }

The file "cacert.pem" is in the same directory as my composer.json, now the error is this:

[Composer\Downloader\TransportException] The "https://flex.symfony.com/packages.json" file could not be downloaded (HTTP/2 404 )

which is not that surprising, as trying to access "https://flex.symfony.com/packages.json" via a browser also gives me a 404. (Don't know if it makes a difference that all at a sudden "packages.json" couldn't be loaded while the cert-error complained about "versions.json", have no idea which is loaded first and if this error is a "good" sign.)

This trial-and-error journey has been going on for days, I'm out of ideas, so any help is appreciated!

Solution

Further research led me to the proxy, which is ZScaler, being the problem. As stated in this post, ZScaler intercepts SSL traffic and re-encrypts it with its own certificate which is not trusted, so Composer (or any other program accessing sites via https) will complain with the above error that it's "unable to get local issuer certificate".

So the solution must be to get the "ZScaler Intermediate Root CA" to be trusted on the server. (Which I can't do myself due to company policy, but anyone looking for a solution to the above problem probably has another hint now what to do.)

Answered By - Select0r

How do I fix curl 60 SSL certificate?

Locate the curl certificate PEM file location 'curl-config --ca' -- > /usr/local/etc/openssl/cert.pem..

Use the folder location to identify the PEM file 'cd /usr/local/etc/openssl'.

Create a backup of the cert.pem file 'cp cert.pem cert_pem.bkup'.

How do I fix unable to get local issuer certificate?

When ssl certificate problem unable to get local issuer certificate error is caused by a self-signed certificate, the fix is to add the certificate to the trusted certificate store. Open the file ca-bundle. crt located in the directory above, then copy and paste the Git SSL certificate to the end of the file.

What is a curl Error 60?

Error “curl: (60) SSL certificate problem: unable to get local issuer certificate” can be seen when the SSL certificate on the server is not verified or properly configured.

How do I bypass a curl check certificate?

To bypass SSL certificate validation for local and test servers, you can pass the -k or --insecure option to the Curl command. This option explicitly tells Curl to perform "insecure" SSL connections and file transfers. Curl will ignore any security warnings about an invalid SSL certificate and accept it as valid.

windows curl error ssl certificate problem unable to get local issuer certificate cURL error 60