Page tree

With translate5 3.1.1 PHP must be installed with curl. Curl is needed to talk to several third party services, mainly openID connect, or also the language resource "google machine translation".

The communication is done encrypted with SSL therefore curl needs up to date ca.cert informations on the local machine. The CAs of the SSL certificate of the requested URLs are checked against this local CA list.

If the local CA list is not update or if the requested server does not provide all intermediate certificates, the following or similar errors can occur:

cURL error 60: SSL certificate problem: unable to get local issuer certificate

Investigate the problem

Either use an online tool like https://globalsign.ssllabs.com/ or a local openssl to track down the problem:

openssl s_client -showcerts -connect DOMAINTOTEST:https

If openssl shows only one certificate with a error like that:

Verify return code: 21 (unable to verify the first certificate)

This indicates that the requested server only provides the server certificate but no intermediate certificate.

The problem about missing intermediates is, that browser solve that problem automatically by either fetching the missing intermediates or check an internal cache containing already the missing intermediate certificates.

Curl does not have such a cache / fetch mechanism.

Therefore a good server always provides the server cert and its cert chain / intermediate certs.


Solution if CA chain provided by the server is not complete

Contact the server administrator so that the missing intermediate certificates / the certificate chain is delivered too. For example in apache this must be done in configuration like that:

<VirtualHost *:443>
    ServerName notexistingexample.translate5.net
    DocumentRoot /pathtowebroot/notexistingexample.translate5.net/public
    SSLEngine on
    SSLCertificateFile /pathto/server-cert.crt
    SSLCertificateKeyFile /pathto/server-cert-key-file.key
    SSLCertificateChainFile /pathto/cert-chain-with-all-intermediate-certs.crt
</VirtualHost>


Provide missing chain as intermediate solution

Open the HTTPS URL in firefox, click on the lock symbol beneath the URL.


Click on more information.


Then a new window opens in firefox, press on show certificate.

In a new tab more information about the certificate is shown. Each certificate in the chain gets an own tab in that window. In the first Tab - the server certificate - click on "Save PME (Certificatechain)"

Save that file for later reuse with CURL.

openssl s_client -showcerts -CAfile /path/to/downloadedchainfile.pem -connect DOMAINTOTEST:https 

# or with curl

curl --cacert /path/to/downloadedchainfile.pem -v https://DOMAINTOTEST 

PHP Curl

In PHP curl the chain file must be provided with the following curl option:
curl_setopt($ch, CURLOPT_CAINFO, "/path/to/downloadedchainfile.pem");

The server must provide valid certificate data, so consider above CAINFO setting only as temporary workaround!


Solution if local CA is completely not update

In this case either update the CA bundle of the operating system (updating ca-certificates package) , or download up-to-date CA bundle on your own, and configure curl to use it.

To use the downloaded file, use it at an suitable place on the disk and configure it in the used php.ini:

curl.cainfo = "/path/to/cacert.pem"

The cacert.pem can be downloaded from http://curl.haxx.se/ca/cacert.pem

See also https://daniel.haxx.se/blog/2018/11/07/get-the-ca-cert-for-curl/

Resources









  • No labels