The message “SSL certificate problem: unable to get local issuer certificate” shows up when trying to connect to Magento Connect or, more generally, when you try to use cURL to connect to a remote web site.
This error happens because cURL cannot find a cacert.pem file from which to take the trusted CA certificates.
There are a few ways to set this file in cURL:
- Pass the cacert.pem file path directly to cURL when making the call;
- Set the path to the cacert.pem file in the php.ini.
Other options are to set the environment variable CURL_CA_BUNDLE or to put the cacert.pem file in a defined directory on your filesystem, depending on your OS.
But, as we are working with digital certificates with PHP cURL, let's use PHP! 🙂
Pass the cacert.pem file path directly to cURL when making the call
To do this, simply pass the cacert.pem file path as a parameter to the stream_context_create() function:
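$contextOptions = [
    'ssl' => [
        // Verify the certificate chain and the host name of the peer
        'verify_peer' => true,
        'verify_peer_name' => true,
        'allow_self_signed' => false,
        // CA bundle used to verify the peer certificate
        'cafile' => 'path/to/your/cacert.pem',
        'ciphers' => 'HIGH',
        'disable_compression' => true,
        // Keep the peer certificate, its chain and the session details for inspection
        'capture_peer_cert' => true,
        'capture_peer_cert_chain' => true,
        'capture_session_meta' => true,
    ]
];
$context = stream_context_create($contextOptions);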
How to set the path to the cacert.pem file in the php.ini
The other, more robust solution is to set the cacert.pem file path directly in the php.ini.
To do this, find the line curl.cainfo:
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
;curl.cainfo =
[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
;openssl.cafile=
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=
To make cURL work with digital certificates, it is sufficient to set the curl.cainfo parameter:
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo = /usr/local/etc/openssl/certs/cacert.pem
Save the php.ini file and restart Apache. Try again and all should work well.
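The stream context options shown earlier apply to PHP's stream wrappers; with the cURL extension the per-call setting is CURLOPT_CAINFO, the option that curl.cainfo provides a default for. The script below is an added example, not code from the original post: it checks that the bundle (taken from curl.cainfo unless a path is given) is readable and contains unexpired certificates, then optionally makes a request with verification left on. The function names, the command-line arguments and the file name check.php are assumptions made for this example.

```php
<?php
// Added example, not from the original post. Function names and arguments are assumptions.

// Count certificates in a PEM bundle that parse as X.509 and have not expired.
function usableCaCount(string $path): int
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("CA bundle not readable: '$path'");
    }
    preg_match_all(
        '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        file_get_contents($path),
        $blocks
    );
    $usable = 0;
    foreach ($blocks[0] as $pem) {
        $cert = openssl_x509_parse($pem); // false when the block is not valid X.509
        if ($cert !== false && $cert['validTo_time_t'] > time()) {
            $usable++;
        }
    }
    return $usable;
}

// GET $url with peer and host name verification on, using $caBundle as the CA file.
function fetchWithCaBundle(string $url, string $caBundle): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CAINFO         => $caBundle, // per-call equivalent of curl.cainfo
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Error 60 is the code behind "unable to get local issuer certificate"
        $hint = curl_errno($ch) === CURLE_SSL_CACERT ? ' (issuer not in CA bundle)' : '';
        throw new RuntimeException('cURL: ' . curl_error($ch) . $hint);
    }
    return $body;
}

// Usage: php check.php [/path/to/cacert.pem] [https://host/]
$bundle = $argv[1] ?? (string) ini_get('curl.cainfo');
try {
    printf("%d usable CA certificates in %s\n", usableCaCount($bundle), $bundle);
    if (isset($argv[2])) {
        printf("%d bytes fetched\n", strlen(fetchWithCaBundle($argv[2], $bundle)));
    }
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Run without arguments after editing php.ini, it reports whether the CLI's curl.cainfo points at a usable bundle; the Apache SAPI may load a different php.ini, so compare the path with the one shown by phpinfo().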
Magento: SSL certificate problem: unable to get local issuer certificate
Obviously, to solve the “SSL certificate problem: unable to get local issuer certificate” error in Magento when trying to connect to MagentoConnect, the option we should choose is the second: set the cacert.pem file path directly in the php.ini.
Where to download a cacert.pem file
There isn’t an official cacert.pem, so we have to use the most accredited one, that is, the one compiled by Mozilla, which can be downloaded from http://curl.haxx.se/ca/cacert.pem
If you like, here you’ll find other useful php.ini settings for local web development.
Remember to “Make. Ideas. Happen.”.
I wish you flocking users, see you soon!
Julissa says
Whoever wrote this, you know how to make a good article.
Aerendir says
Thank you! 🙂
Steve says
Awesome. This fix also works for the Magento 1.9 downloader from release archives.