Php curl error 60: ssl certificate problem: unable to get local issuer certificate

Sometimes, when we make a curl call to third party services, we get an error curl: (60) SSL certificate : unable to get local issuer certificate.

This error occurs because the curl verifies and makes a secure connection request using self-signed certificate. When it does not find the valid certificate, it throws an error.

To fix this error, follow the steps below:

1. Open http://curl.haxx.se/ca/cacert.pem
2. Copy the entire page and save it as a “cacert.pem”
3. Open your php.ini file and insert or update the following line.
   curl.cainfo = “[pathtofile]cacert.pem”

Error “curl: (60) SSL certificate problem: unable to get local issuer certificate” can be seen when the SSL certificate on the server is not verified or properly configured. In order to fix this please follow the steps below:

1. Download the latest cacert.pem from https://curl.haxx.se/ca/cacert.pem

2. Add the following line to php.ini: (if this is shared hosting and you don’t have access to php.ini then you could add this to .user.ini in public_html).

Issue

I'm trying to get composer to work on a remote Windows-machine which is using a proxy, but I always get this error when doing a composer install/update:

[Composer\Downloader\TransportException] curl error 60 while downloading https://flex.symfony.com/versions.json: SSL certificate problem: unable to get local issuer certificate

This is my composer.bat:

Obviously setting the proxy is needed, if I delete the line, the error becomes this:

[Composer\Downloader\TransportException] curl error 28 while downloading https://flex.symfony.com/versions.json: Operation timed out after 10000 milliseconds with 0 out of 0 bytes received

composer diag gives me this (with the proxy set):

I've been through a lot of posts and tutorials, but none of the answers work for me. (Some are just about curl and it's options to switch off the cert-check but that doesn't work for composer). Here's what I have tried:

• Downloaded cacert.pem from http://curl.haxx.se/ca/cacert.pem or https://curl.se/docs/caextract.html (no copy&paste as some said editing the file would corrupt it - however that's supposed to happen)
• saved the file locally
• activated openssl in php.ini
• edited php.ini and added the path of the cert-file for "curl.cainfo" as well as "openssl.cafile" (according to some posts that makes a difference, so I tried both), used the full path and quotes, like this: curl.cainfo="C:\Program Files\PHP\cacert.pem"
• moved the pem-file to different directories to make sure no Windows-permissions would make it inaccessible (I also set the file and it's directory to be accessible by all users just to make sure)
• used php -r "print_r(openssl_get_cert_locations());" to find out the default certfile-location (it's "C:\Program Files\Common Files\SSL"), also saved the cert-file there

All of this did not work, the error remains the same. Then I found a post which set a repository in composer.json and explicitely set the certfile for that repo, so I also tried it and added this to my composer.json:

The file "cacert.pem" is in the same directory as my composer.json, now the error is this:

[Composer\Downloader\TransportException] The "https://flex.symfony.com/packages.json" file could not be downloaded (HTTP/2 404 )

which is not that surprising, as trying to access "https://flex.symfony.com/packages.json" via a browser also gives me a 404. (Don't know if it makes a difference that all at a sudden "packages.json" couldn't be loaded while the cert-error complained about "versions.json", have no idea which is loaded first and if this error is a "good" sign.)

This trial-and-error journey has been going on for days, I'm out of ideas, so any help is appreciated!

Solution

Further research led me to the proxy, which is ZScaler, being the problem. As stated in this post, ZScaler intercepts SSL traffic and re-encrypts it with its own certificate which is not trusted, so Composer (or any other program accessing sites via https) will complain with the above error that it's "unable to get local issuer certificate".

So the solution must be to get the "ZScaler Intermediate Root CA" to be trusted on the server. (Which I can't do myself due to company policy, but anyone looking for a solution to the above problem probably has another hint now what to do.)

Answered By - Select0r

How to fix cURL error 60 ssl certificate problem?

How do I fix curl 60 ssl certificate problem certificate has expired?

How do I fix unable to get local issuer certificate?

How install Cacert pem in php INI?