SAM

Reputation: 661

Windows, cURL 60 unable to get local issuer certificate

I have already tried a lot of the options available for this problem on Stack Overflow; unfortunately nothing is working for me so far.

It started with composer installation. My env details are listed below:

  1. OS: Windows 7
  2. PHP V 7.1.10, XAMPP version
  3. I am running MINGW64, (which was installed with git v2.1.5)

    curl --version

    curl 7.56.1 (x86_64-w64-mingw32) libcurl/7.56.1 OpenSSL/1.0.2l (WinSSL) zlib/1.2.11 libidn2/2.0.4 libssh2/1.8.0 nghttp2/1.26.0

    Release-Date: 2017-10-23

    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp

    Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 HTTPS-proxy MultiSSL Metalink

Now here it seems curl with OpenSSL is installed correctly. When I was doing composer require or install, it reported an error as follows: [screenshot]

I searched and figured out that it's the local certificate problem, so I downloaded the certificate/bundle from https://curl.haxx.se/docs/caextract.html, placed the certificate under C:\xampp\php\extras\ssl\ and changed the PHP.ini:

    curl.cainfo="C:\xampp\apache\bin\curl-ca-bundle.crt"
    openssl.cafile="C:\xampp\php\extras\ssl\curl-ca-bundle.crt"

This never worked. Then I placed my certificates under C:\Windows\System32\curl-ca-bundle.crt and changed the ini; it still didn't work.

Then I downloaded cacert.pem from

https://gist.github.com/VersatilityWerks/5719158/download

and repeated the steps to make it work with the pem file. However, I am afraid there is still no success here. Can anyone help me with what's going wrong here? Any help in this direction is much appreciated.

Upvotes: 8

Views: 26271

Answers (2)

Arghya C

Reputation: 10078

This is for Windows users, using curl-7.57.0-win64-mingw or similar version.

I have already shared this on another thread, but I think Windows users might stumble upon this question and my answer might help. So, sharing the step-by-step process.

This error basically means curl is failing to verify the certificate of the target URI. If you trust the issuer of the certificate (CA), you can add that to the list of trusted certificates (e.g. it's a local IIS certificate, and you trust it for your development purposes).

For that, browse the URI (e.g. on Chrome) and follow the steps

  1. Right click on the HTTPS secure padlock 🔒 icon on address bar
  2. Click on certificate, it'll open a window with the certificate details
  3. Go to 'Certification Path' tab
  4. Click the ROOT certificate
  5. Click View Certificate, it'll open another certificate window
  6. Go to Details tab
  7. Click Copy to File... button, it'll open the export wizard
  8. Click Next
  9. Select 'Base-64 encoded X.509 (.CER)'
  10. Click Next
  11. Give a friendly name that you can remember e.g. 'MyDomainX.cer' (browse to desired directory) and save
  12. Click Next
  13. Click Finish, it'll save the certificate file

So what did we do?

We basically saved the root certificate for the desired site (that we actually trust) as a local file. What do we do next?

Add that certificate to the list of trusted certificates

  1. Now open this .cer file and copy the contents (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
  2. Now go to the directory where curl.exe is saved e.g. C:\SomeFolder\curl-7.57.0-win64-mingw\bin
  3. Open the curl-ca-bundle.crt file with a text editor (right click and open with...)
  4. Append the copied certificate text to the end of the file. Save

What did we do now?

We added the certificate (content) to curl's main certificate bundle. So now curl will recognize this certificate and allow the domain.

Now your command should execute fine on curl.

Upvotes: 7
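The append step from the answer above, as an added example that is not part of the original answer: it checks the exported certificate against a SHA-256 fingerprint before adding it to the bundle text and skips it if it is already there. The function names, the out-of-band fingerprint and the sample data are assumptions; the sample PEM blocks are constructed stand-in bytes, not real X.509 certificates.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (hex) of the DER bytes of each certificate block."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def append_trusted_root(bundle_text, cert_pem, expected_sha256):
    """Return (new_bundle_text, status); raise ValueError on an unexpected cert."""
    fps = pem_fingerprints(cert_pem)
    if len(fps) != 1:
        raise ValueError("exported file must hold exactly one certificate")
    expected = re.sub(r"[^0-9a-f]", "", expected_sha256.lower())  # drop ':' etc.
    if fps[0] != expected:
        raise ValueError("fingerprint mismatch: certificate not added")
    if fps[0] in pem_fingerprints(bundle_text):
        return bundle_text, "already-present"  # avoid duplicate bundle entries
    sep = "" if bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + cert_pem.strip() + "\n", "appended"


def _fake_pem(raw):
    """Constructed stand-in: arbitrary bytes in PEM armor (not a real cert)."""
    b64 = base64.b64encode(raw).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: an existing bundle and an exported "MyDomainX.cer".
SAMPLE_BUNDLE = _fake_pem(b"constructed public root A" * 8)
SAMPLE_CER = _fake_pem(b"constructed local dev root" * 8)
SAMPLE_FP = hashlib.sha256(b"constructed local dev root" * 8).hexdigest()

if __name__ == "__main__":
    bundle, status = append_trusted_root(SAMPLE_BUNDLE, SAMPLE_CER, SAMPLE_FP)
    print(status, len(pem_fingerprints(bundle)), "certificates in bundle")
    print(append_trusted_root(bundle, SAMPLE_CER, SAMPLE_FP)[1])
```

To use it on real files, read curl-ca-bundle.crt and the exported .cer as text, pass them in, and write the returned bundle text back only when the status is "appended".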

flip

Reputation: 119

Just posting this here for posterity as I spent the last 2 hours on this. NOTE: only tested on Windows.

  1. Make sure you have the curl version with SSL included (the latest exe installer has it)
  2. Download the cacert.pem from http://curl.haxx.se/docs/caextract.html
  3. Rename cacert.pem to curl-ca-bundle.crt
  4. Move the cacert.pem file to the curl.exe directory.

Fixed.

Upvotes: 6
