Websites are unable to make php curl requests to SSL sites

Created: 2016-11-16 12:44:47 UTC

Modified: 2017-04-24 11:11:09 UTC


Applicable to:

  • Plesk for Windows
  • Plesk for Linux

Symptoms

PHP cURL is unable to connect to HTTPS sites and fails with an SSL error:

    SSL certificate problem: unable to get local issuer certificate

OR

The following error appears when cURL is used with an SSL site: "error setting certificate verify locations: CAfile: C:\Parallels\Plesk\Additional\PHPSettings\cacert.pem CApath: none"

Cause

PHP cURL is not using an updated set of root certificates to verify server certificates.

Around early September 2014, Mozilla removed the trust bits from the certificates in their CA bundle that were still using RSA 1024-bit keys. This may cause TLS libraries to have a hard time verifying some sites if the library in question doesn't properly support "path discovery" as per RFC 4158. (That includes OpenSSL and GnuTLS.)

Resolution

  1. Download the cacert.pem file from the main curl website: http://curl.haxx.se/ca/cacert.pem

  2. Add the following directive to php.ini, or to 'Additional directives' under Websites & Domains > PHP settings:

    curl.cainfo=full\path\to\cacert.pem

For multiple domains, the settings above can be applied at once through the corresponding Service Plan:

  • Go to Home > Service Plans > ServicePlan1, then to the PHP Settings tab
  • In Additional configuration directives, add the curl.cainfo=full\path\to\cacert.pem parameter
  • Synchronize assigned subscriptions with the Service Plan
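
To confirm that the curl.cainfo directive took effect and that the bundle it points to is usable, the following check can be run under the same PHP handler as the affected site. It is an added example, not code from Plesk or from the original article; the helper name check_ca_bundle() is hypothetical, and it assumes the PHP openssl extension is loaded.

```php
<?php
// Added example (not Plesk code): inspect the CA bundle PHP cURL is told to use.
// check_ca_bundle() is a hypothetical helper name; requires the openssl extension.
function check_ca_bundle(string $path): array
{
    if ($path === '') {
        return ['ok' => false, 'reason' => 'curl.cainfo is not set'];
    }
    if (!is_file($path) || !is_readable($path)) {
        // The case behind "error setting certificate verify locations: CAfile: ..."
        return ['ok' => false, 'reason' => "missing or unreadable: $path"];
    }
    preg_match_all(
        '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s',
        (string) file_get_contents($path),
        $blocks
    );
    if (count($blocks[0]) === 0) {
        // For example an empty file or an HTML error page saved by a failed download
        return ['ok' => false, 'reason' => 'file contains no PEM certificates'];
    }
    $stale = 0;
    foreach ($blocks[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false || $info['validTo_time_t'] < time()) {
            $stale++; // unparsable or already expired root
        }
    }
    return [
        'ok' => true,
        'certificates' => count($blocks[0]),
        'expired_or_unparsable' => $stale,
        'last_modified' => date('c', filemtime($path)),
    ];
}

// Constructed input: an empty temporary file stands in for a failed download.
$empty = tempnam(sys_get_temp_dir(), 'ca');
var_dump(check_ca_bundle($empty)['reason']);
unlink($empty);

// The bundle this PHP handler is actually configured to use.
print_r(check_ca_bundle((string) ini_get('curl.cainfo')));
```

An old last_modified date or a high expired_or_unparsable count indicates that the bundle has not been refreshed.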

For Plesk 12.5:

Since 12.5 on Windows, the URL from which cacert.pem is downloaded can be specified in %plesk_dir%admin\conf\panel.ini file:

    [php]
    curlCertificatesUrl="http://curl.haxx.se/ca/cacert.pem"

The %plesk_dir%\Additional\PHPSettings\cacert.pem file is updated by the Daily Maintenance script, specifically by the %plesk_dir%\admin\plib\DailyMaintainance\Task\UpdatePhpCurlCertificates.php task.

Path %plesk_dir%\Additional\PHPSettings\cacert.pem cannot be customized from Plesk settings.

By default, the curlCertificatesUrl setting is missing from %plesk_dir%admin\conf\panel.ini. During an upgrade, or in the Daily Maintenance task, Plesk exports certificates to the cacert.pem file with the command:

    "%plesk_dir%\admin\bin\certmng" --export-certificates --path "%plesk_dir%Additional\PHPSettings\cacert.pem"

If the certificate does not work, try downloading the certificate from http://curl.haxx.se/ca/cacert.pem and putting it into the %plesk_dir%Additional\PHPSettings directory.

Note: Make sure that the latest version of Mozilla Firefox is used.
