curl_exec error 60 SSL certificate problem: unable to get local issuer certificate
Greetings all,
Our php script which has used curl to talk to PayPal over https for years has mysteriously stopped working yesterday. Debugging reveals:
"curl_exec error 60 SSL certificate problem: unable to get local issuer certificate"
I am guessing this relates to PayPal action on 30-SEP:
Discontinue use of the VeriSign G2 Root Certificate. In accordance with industry standards, PayPal will no longer honor secure connections that require the VeriSign G2 Root Certificate for trust validation. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.
Does anyone from CPANEL have any input on this... how do you update the CA certs that PHP/CURL uses on a CPANEL server?
When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. Curl verifies whether the certificate is authentic, i.e. that you can trust that the server is who the certificate says it is. This trust is based on a chain of digital signatures, rooted in certification authority (CA) certificates you supply. curl uses a default bundle of CA certificates (the path for that is determined at build time)...
curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
cURL - SSL CA Certificates: curl.haxx.se/docs/sslcerts.html
phpinfo shows only this option: -with-curl=/opt/curlssl/
So, what is the path for the "default bundle of CA certificates" ... or should one just download a cacert.pem file from source (as suggested here: stackoverflow.com/questions/29822686/curl-error-60-ssl-certificate-unable-to-get-local-issuer-certificate), install it somewhere(??) and point to it in php.ini using curl.cainfo=/path/to/cacert.pem ?
BTW, the specific CA cert we are missing is VeriSign Class 3 Public Primary Certification Authority - G5 root certificate. See: Obtain the VeriSign Class 3 Public Primary Certification Authority - G5 root certificate | Symantec
I prefer to fix it the best practices way vs just hacking a solution.
Hello, Does this system use EasyApache 3 on CentOS 6 or 7? If so, ensure the "curl-devel" package is installed via YUM, and both Curl and CurlSSL options are disabled in your EasyApache 3 profile. Then, add the following line to /var/cpanel/easy/apache/rawopts/all_php5 (create this file if it doesn't exist):
--with-curl=/usr
Once you do this, rebuild Apache via EasyApache and verify if the issue persists. Note this is unnecessary with EasyApache 4 because PHP curl is compiled against the OS-supplied libcurl. Thank you.
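A diagnostic for the question raised in this thread, as an added example that is not part of the original posts and is not cPanel's code: it lists the CA bundle files PHP is configured to use and reports whether each one contains the G5 root named above, with certificate verification left enabled throughout. The script name and its two optional arguments (a bundle path and a URL to test) are assumptions made for the example.

```php
<?php
// Added example (assumed name ca_check.php): php ca_check.php [/path/to/cacert.pem] [https://host/to/test]
const WANTED = 'VeriSign Class 3 Public Primary Certification Authority - G5';

// Split a PEM bundle into its individual certificate blocks.
function pem_certificates(string $bundle): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $bundle, $m);
    return $m[0];
}

// True when some certificate in the bundle has $wanted in its subject line.
function bundle_has_subject(string $path, string $wanted): bool
{
    foreach (pem_certificates((string) file_get_contents($path)) as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info !== false && strpos($info['name'], $wanted) !== false) {
            return true;
        }
    }
    return false;
}

$v = curl_version();
printf("libcurl %s, TLS library %s\n", $v['version'], $v['ssl_version']);
// Bundle locations visible from PHP; libcurl's compiled-in default is not among them.
$candidates = array_filter([
    'command line'         => $argv[1] ?? '',
    'curl.cainfo (ini)'    => (string) ini_get('curl.cainfo'),
    'openssl.cafile (ini)' => (string) ini_get('openssl.cafile'),
    'OpenSSL default'      => openssl_get_cert_locations()['default_cert_file'],
]);
foreach ($candidates as $label => $path) {
    if (!is_file($path) || !is_readable($path)) {
        printf("%-22s %s (not a readable file)\n", $label, $path);
        continue;
    }
    printf("%-22s %s: G5 root %s\n", $label, $path, bundle_has_subject($path, WANTED) ? 'present' : 'MISSING');
}
// Optional live test: peer and host verification stay on; only the bundle changes.
if (isset($argv[2])) {
    $ch = curl_init($argv[2]);
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_NOBODY => true,
        CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2]);
    if (!empty($argv[1])) curl_setopt($ch, CURLOPT_CAINFO, $argv[1]);
    echo curl_exec($ch) !== false ? "TLS verification OK\n"
        : sprintf("curl error %d: %s\n", curl_errno($ch), curl_error($ch));
}
```

Run it with the same PHP binary and php.ini the failing script uses, since the CLI and the web server SAPI can load different configuration.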