curl-and-php

[60] error setting certificate verify locations: CAfile: /usr/share/ssl/certs/ca-bundle.crt CApath: none

From: Steven Crandell <steven.crandell_at_gmail.com>
Date: Wed, 9 Nov 2005 03:52:16 -0700

Just spent entirely too long trouble-shooting this issue. Thought I'd post
something about it.

I had a client who has been utilizing php-curl for quite some time now w/out
any trouble.
Then a week ago, he started seeing the error:
[60] error setting certificate verify locations: CAfile: /usr/share/ssl/certs/ca-bundle.crt CApath: none

I googled this thing to death but all I could see was a grundle of posts
where people suggested to the person asking the question that they either
invoke curl on the cmd line with the -k option or else to add:
curl_setopt($link, CURLOPT_SSL_VERIFYPEER, FALSE);
to their php script to bypass verification.

This does allow the transaction to complete successfully, but you lose the
benefit of certification verification.
In my case, bypassing verification was not an option.

Take a look here:
http://curl.haxx.se/libcurl/c/libcurl-errors.html

This page says of error 60:
"CURLE_SSL_CACERT (60)

problem with the CA cert (path? access rights?)"

Anyway, the default path to ca-bundle.crt (the file that curl is trying to
use to perform verification) is typically:
/usr/share/ssl/certs/ca-bundle.crt

Make sure that the user that the web server is running as
(www,nobody,http,whatever) has access to get to that directory (this means
execute rights on all directories in the path)
and read access to the file itself. In my case, the client had accidentally
set /usr/share/ssl/certs to 700 (rwx------).
Given that the directory was owned by root, this meant that no one but the
root user could see the ca-bundle.crt file.
I did a:
chmod 755 /usr/share/ssl/certs
and life was grand.

Hope this helps.
 --
Steven Crandell
steven.crandell_at_gmail.com

_______________________________________________
http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-and-php
Received on 2005-11-09
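
Added example, not part of the original post: a shell check that walks the path to the CA bundle and reports which component hides it from an unprivileged account, instead of disabling peer verification. The helper names check_ca_path and other_bits are hypothetical, and the check assumes the web server user is covered only by the "other" permission bits (ACLs and SELinux are not examined); run it as root so every component can be inspected.

```shell
#!/bin/sh
# Added example, not from the original post. check_ca_path and other_bits
# are hypothetical helper names.
# Assumption: the web server account is neither owner nor group member of
# any path component, so only the "other" permission bits apply to it.
# ACLs and SELinux policy are not examined.

# Print the "other" permission triplet (e.g. "r-x") of a path,
# following symlinks.
other_bits() {
    ls -ldL "$1" | cut -c8-10
}

# check_ca_path FILE [TOP]
# Walks from FILE up to TOP (default /). Prints "ok" and returns 0 when
# FILE is world-readable and every directory is world-searchable;
# otherwise prints the topmost blocking component and returns 1.
check_ca_path() {
    file=$1
    top=${2:-/}
    [ -f "$file" ] || { echo "not a file: $file"; return 1; }
    blocked=
    # The bundle itself needs the read bit.
    case $(other_bits "$file") in
        r??) ;;
        *) blocked="no read permission: $file" ;;
    esac
    # Every directory above it needs the search (execute) bit.
    dir=$(dirname "$file")
    while :; do
        case $(other_bits "$dir") in
            ??[xt]) ;;
            *) blocked="no search permission: $dir" ;;
        esac
        case $dir in "$top"|/|.) break ;; esac
        dir=$(dirname "$dir")
    done
    if [ -n "$blocked" ]; then
        echo "$blocked"
        return 1
    fi
    echo ok
}

# Usage: check_ca_path /usr/share/ssl/certs/ca-bundle.crt
```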