Keywords: cURL Error 60 | SSL Certificate Verification | CA Root Certificate Bundle | PHP Security Configuration | OAuth Authentication
Abstract: This technical paper provides an in-depth analysis of cURL Error 60 (self-signed certificate in certificate chain), examining SSL certificate verification failures during OAuth authentication using cURL in PHP. Through detailed exploration of certificate validation mechanisms, the role of root certificate bundles, and secure configuration methods, it offers comprehensive solutions including updating CA root certificate bundles, proper php.ini configuration, and using CURLOPT_CAINFO option, while emphasizing the security risks of disabling SSL verification.
Problem Background and Error Analysis
When using PHP's cURL library for OAuth authentication requests, developers frequently encounter error code 60, specifically manifested as "SSL certificate problem: self signed certificate in certificate chain". This error indicates that cURL discovered a self-signed certificate in the certificate chain during server SSL certificate verification, leading to validation failure.
SSL Certificate Verification Mechanism Analysis
The security of the SSL/TLS protocol rests on the certificate chain verification mechanism. When a client (such as cURL) connects to an HTTPS server, the server presents its SSL certificate. The client must verify that this certificate is legitimate, checking:
- Whether the certificate is issued by a trusted Certificate Authority (CA)
- Whether the certificate is within its validity period
- Whether the certificate's subject name matches the accessed domain
- Whether the certificate chain is complete and traceable to root certificates
cURL uses CA root certificate bundles to verify server certificates. This certificate bundle contains public key certificates of all trusted root CAs. If the locally installed CA certificate bundle is outdated or missing, cURL cannot properly verify the legitimacy of server certificates.
In-depth Error Cause Analysis
In the provided code example, the developer attempts to send requests to VK OAuth server:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// CURLOPT_SSL_VERIFYPEER is left at its default (enabled), so the server
// certificate is checked against the locally installed CA bundle.
$output = curl_exec($ch);
if (!$output) {
    // curl_exec() returns false on failure; report the cURL error code and message.
    print curl_errno($ch) . ': ' . curl_error($ch);
}
curl_close($ch);
return $output;
Because CURLOPT_SSL_VERIFYPEER is enabled by default, cURL strictly verifies the server certificate against the local CA bundle. If the bundle is missing or outdated, the chain cannot be traced to a trusted root and error 60 occurs. This situation typically arises when:
- PHP installation lacks CA root certificate bundle
- Existing CA certificate bundle is outdated
- System environment configuration is incorrect
Secure Solutions
Not Recommended: Dangerous Approach
Some developers might choose to disable SSL verification:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
While this approach can temporarily resolve the error, it brings serious security risks:
- Unable to prevent Man-in-the-Middle (MITM) attacks
- Data transmission may be eavesdropped or tampered with
- Violates security best practices
Recommended Correct Solution
The correct solution is to ensure the system has the latest and complete CA root certificate bundle:
Method 1: Global PHP Configuration
Specify CA certificate bundle path in php.ini configuration file:
curl.cainfo = /path/to/cacert.pem
The advantage of this method is one-time configuration, where all cURL requests automatically use the correct certificate bundle.
Method 2: Runtime Configuration
Dynamically specify CA certificate bundle path in code:
$ch = curl_init();
curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . "/cacert.pem");
// Other cURL option settings
$output = curl_exec($ch);
CA Certificate Bundle Acquisition and Update
Obtaining the latest CA root certificate bundle:
- Visit cURL official website: http://curl.haxx.se/docs/caextract.html
- Download the latest cacert.pem file
- Save the file to an appropriate directory, ensuring PHP has read permissions
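The following helper ties the two recommended methods together: it resolves the bundle from CURLOPT_CAINFO, php.ini's curl.cainfo, or a cacert.pem beside the script, keeps peer and host verification explicitly enabled, and treats error 60 as a bundle problem to fix rather than a reason to disable verification. This is an added example, not code from the original article; the function name secureCurlGet and the example URL are placeholders, and it assumes cacert.pem was downloaded from the cURL site as described above.

```php
<?php
// Added example (not from the original article). Assumes cacert.pem from the
// cURL CA extract page is readable by PHP; all names below are placeholders.

function secureCurlGet(string $url, ?string $caBundle = null): string
{
    // Resolution order: explicit argument, then php.ini curl.cainfo, then a local copy.
    $caBundle = $caBundle ?? (ini_get('curl.cainfo') ?: __DIR__ . '/cacert.pem');
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Verification is on by default; setting it explicitly prevents a later
        // edit from silently turning it off.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,          // 2 = certificate name must match the host
        CURLOPT_CAINFO         => $caBundle,  // Method 2: runtime bundle path
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // never fall back to plain HTTP
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 15,
    ]);

    $output = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($output === false) {
        // CURLE_SSL_CACERT is error 60: the chain does not lead to a root in $caBundle.
        if ($errno === CURLE_SSL_CACERT) {
            throw new RuntimeException(
                "TLS verification failed against $caBundle ($error). "
                . 'Update the CA bundle; do not disable CURLOPT_SSL_VERIFYPEER.'
            );
        }
        throw new RuntimeException("cURL error $errno: $error");
    }
    return $output;
}

try {
    // Placeholder endpoint; substitute the real OAuth token URL.
    echo secureCurlGet('https://example.com/oauth/token');
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```

Running it against a host whose chain ends in an untrusted or self-signed certificate logs the error-60 diagnosis and leaves verification intact, so a misconfigured bundle is visible rather than silently bypassed.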
Related Case Analysis and Extensions
The WordPress import issue mentioned in the reference article demonstrates similar technical scenarios. When applications attempt cURL requests in internal network environments, they might encounter certificate verification issues caused by firewall or DNS configurations. These cases further emphasize the importance of proper SSL verification configuration.
In complex network environments, developers also need to consider:
- Integration of enterprise internal CA certificates
- Certificate differences between development and production environments
- Certificate management in containerized deployments
Best Practices Summary
When handling cURL SSL certificate verification issues, the following best practices should be followed:
- Always keep CA root certificate bundles up to date
- Prefer global PHP configuration over runtime configuration
- Never disable SSL verification, even as a temporary workaround
- Maintain consistent certificate configuration across development, testing, and production environments
- Regularly review and update security configurations
By properly configuring SSL certificate verification, developers can ensure application security while avoiding functional abnormalities caused by certificate issues. This approach not only solves immediate technical problems but, more importantly, establishes sustainable secure development practices.