cURL SSL Connection Errors in Windows
When you come across situations in which your cURL requests are needing to connect to an SSL-encrypted host and you are presented with a cURL error similar to the following:
cURL error: SSL: certificate verification failed
You are likely encountering an issue where your cURL cacert file is either disassociated with your site’s PHP configuration or the cacert file, itself, is having an issue, necessitating replacement using the latest version.
Another option to circumvent the error, but is not recommended due to its insecure nature, is to modify the cURL request variables to disallow the verification boolean from being “true.” The reason this is not recommended is that it opens that connection attempt up to risk. Your request is essentially connecting to the “secure” host whether it can verify that or not. If it can’t verify it will accept the “secure” host regardless.
Note: As a temporary solution you can implement the following value to your cURL request:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
Editing Your Site Level PHP.INI File
In a php.ini file that is being used by the site, there is a value that denotes the file path for the cURL cacert:
curl.cainfo =
In our shared Windows servers this variable will be directed to the ‘D:\PHP\cacert.pem’ path. This will be standard across all our shared Windows servers.
Note: cPanel/Linux will handle this from OpenSSL configuration level, not a php.ini file level and it is not recommended to use the php.ini configuration file to handle the cacert file requests location.
To include the cacert.pem file in your local site PHP configuration file, please follow the steps below.
-
Log into your Windows Control Panel.
-
Next, locate and access your File Manager.
-
Once you have logged into your site file manager, edit your php.ini file and locate the entry for
curl.cainfo =
-
Finally, add the cacert.pem path to the variable and save the file. Remember that in our Shared Windows servers the curl.cainfo variable will need to be pointed to ‘D:\PHP\cacert.pem’
Note: We also recommend to update the values for
openssl.cafile=
andopenssl.capath=
to the same file path.
Editing Your Server Level PHP.INI File
Note: This is for Dedicated Server owners.
To Make the necessary changes to your PHP sites server wide, please follow the steps list below:
-
Log into your server using RDP.
-
Next, locate the PHP directories. In the Dedicated server template, we install the PHP versions in the C:\PHP directory.
-
Select the desired PHP version and then edit the php.ini file.
-
Now update the
curl.cainfo
,openssl.cafile=
, andopenssl.capath=
values to reflect the path of your cacert file.
Downloading The Latest CACERT File
In situations where the php.ini file is pointing to the correct path for the cacert.pem file, the likely cause for issues would be that the cacert.pem file being utilized is out of date. To correct this issue, download the latest cacert.pem file and place it in the same location.
We generally use the following URL to retrieve the latest cacert.pem file from Mozilla:
Select the ‘cacert.pem’ link to download the certificate store.
After you have downloaded the latest version place it in your PHP path directory. If you do not want to overwrite the existing version. Rename the older file, first, then move the latest file version into the directory.
With the new file in your cacert file path location, now attempt to make your cURL request to the HTTPS URL you were trying reach before. Your cURL request should now be able to successfully verify the certificate.