Websites are unable to make php curl requests to SSL sites

Refers to:

  • Plesk for Windows
  • Plesk for Linux

Created:

2016-11-16 12:44:47 UTC

Modified:

2017-02-13 20:13:58 UTC

Symptoms

We just discovered an issue with the PHP cURL libraries across our servers, where they are unable to connect due to SSL errors:

    SSL certificate problem: unable to get local issuer certificate

Cause

PHP cURL is not using an updated set of root certificates to verify server certs.

Around early September 2014, Mozilla removed the trust bits from the certs in their CA bundle that were still using RSA 1024 bit keys. This may lead to TLS libraries having a hard time verifying some sites if the library in question doesn't properly support "path discovery" as per RFC 4158. (That includes OpenSSL and GnuTLS.)

Resolution

  1. Download the cacert.pem file from the main curl website: http://curl.haxx.se/ca/cacert.pem

  2. Add the following to php.ini, or add it to 'Additional directives' under Websites & Domains > PHP Settings:

    curl.cainfo=full\path\to\cacert.pem

For multiple domains, the setting above can be applied at one time through the associated service plan:

  • Go to Home > Service Plans > ServicePlan1, then to the PHP Settings tab
  • In Additional configuration directives, add the curl.cainfo=full\path\to\cacert.pem parameter
  • Synchronize the assigned subscriptions with the service plan
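Because the bundle in step 1 is fetched over plain HTTP, it is worth checking the file before and after pointing curl.cainfo at it. The following is an added example, not part of the original article or Plesk's code; check_ca_bundle() is a hypothetical helper name, and the optional checksum is assumed to come from a channel you trust.

```php
<?php
// Added example, not Plesk's code. Requires the openssl extension.
// check_ca_bundle() is a hypothetical helper name.

/** Return findings for a PEM CA bundle; an empty list means it looks usable. */
function check_ca_bundle(string $pem, ?string $expectedSha256 = null): array
{
    $findings = [];
    // Optional: compare with a checksum obtained over a trusted channel (assumption).
    if ($expectedSha256 !== null && !hash_equals(strtolower($expectedSha256), hash('sha256', $pem))) {
        $findings[] = 'SHA-256 mismatch';
    }
    $begin = substr_count($pem, '-----BEGIN CERTIFICATE-----');
    $end = substr_count($pem, '-----END CERTIFICATE-----');
    if ($begin === 0) {
        $findings[] = 'no certificates found (empty file or HTML error page?)';
    } elseif ($begin !== $end) {
        $findings[] = "truncated bundle: $begin BEGIN markers, $end END markers";
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $blocks);
    foreach ($blocks[0] as $i => $block) {
        $cert = openssl_x509_read($block);
        $info = $cert ? openssl_x509_parse($cert) : false;
        if (!$info) {
            $findings[] = "certificate #$i does not parse as X.509";
            continue;
        }
        if ($info['validTo_time_t'] < time()) {
            $findings[] = "expired: {$info['name']}";
        }
        // Mozilla removed trust from RSA 1024-bit roots (see Cause), so one here suggests an old file.
        $pub = openssl_pkey_get_public($cert);
        $key = $pub ? openssl_pkey_get_details($pub) : false;
        if ($key && $key['type'] === OPENSSL_KEYTYPE_RSA && $key['bits'] <= 1024) {
            $findings[] = "RSA {$key['bits']}-bit root: {$info['name']}";
        }
    }
    return $findings;
}

// Constructed samples of bad downloads; neither contains a real certificate.
print_r(check_ca_bundle("<html><body>404 Not Found</body></html>"));
print_r(check_ca_bundle("-----BEGIN CERTIFICATE-----\nMIIB\n"));

// Check the bundle this PHP installation is configured to use, if any.
$path = ini_get('curl.cainfo');
if (is_string($path) && $path !== '' && is_readable($path)) {
    print_r(check_ca_bundle(file_get_contents($path)));
}
```

Run it with the same PHP handler the website uses, so that ini_get('curl.cainfo') reflects the directive applied to that domain.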

For Plesk 12.5:

Since 12.5 on Windows, the URL from which cacert.pem is downloaded can be specified in the panel.ini file:

    [php]
    curlCertificatesUrl="http://curl.haxx.se/ca/cacert.pem"

The %plesk_dir%\Additional\PHPSettings\cacert.pem file is updated by the Daily Maintenance script, specifically by the %plesk_dir%\admin\plib\DailyMaintainance\Task\UpdatePhpCurlCertificates.php task.

The path %plesk_dir%\Additional\PHPSettings\cacert.pem cannot be customized from Plesk settings.

By default, the curlCertificatesUrl setting is missing from panel.ini. During an upgrade, or when the Daily Maintenance task runs, Plesk exports certificates to this file with the command:

    "%plesk_dir%\admin\bin\certmng" --export-certificates --path "%plesk_dir%\Additional\PHPSettings\cacert.pem"

If the certificate does not work, try downloading the certificate from http://curl.haxx.se/ca/cacert.pem and putting it in the C:\Program Files (x86)\Parallels\Plesk\Additional\PHPSettings directory.

Note: Make sure you are using the latest version of Mozilla Firefox.
