Comprehensive Guide to Resolving PHP cURL Error Code 60: SSL Certificate Issues

Dec 05, 2025 · Programming

Keywords: PHP | cURL | SSL Certificate | Error Code 60 | CA Certificate Bundle

Abstract: This article provides an in-depth analysis of PHP cURL error code 60, typically caused by SSL certificate verification failures. It details the solution through configuring the curl.cainfo parameter to point to a valid CA certificate bundle, specifically recommending the cacert.pem file from curl.haxx.se. With step-by-step guidance for Windows WAMP environments and code examples illustrating certificate verification mechanisms, it helps developers completely resolve SSL connection issues, ensuring secure and reliable API calls with services like Amazon AWS.

Problem Background and Error Analysis

When configuring PHP development environments on Windows WAMP and using the Amazon PHP SDK for API calls, developers frequently encounter cURL error code 60. The complete error description is: cURL error: SSL certificate problem: unable to get local issuer certificate (cURL error code 60). This error indicates that cURL cannot validate the server certificate's legitimacy during the SSL/TLS handshake because the root Certificate Authority (CA) certificates it needs are missing.

Deep Analysis of Error Mechanism

The cURL library performs a complete SSL certificate verification process when establishing HTTPS connections:

  1. Server sends its SSL certificate chain
  2. Client verifies if certificate signatures are issued by trusted CAs
  3. Checks if certificates are within validity period
  4. Verifies domain names in certificates match requested domains

When cURL cannot find appropriate root certificates to validate server certificates, it throws error code 60. In PHP, this verification process depends on the certificate bundle file specified by the curl.cainfo configuration.

Solution Implementation Steps

The core solution is to provide a complete, up-to-date CA certificate bundle. The officially maintained certificate bundle from curl is recommended:

First, download the certificate bundle from the official source:

Download URL: https://curl.haxx.se/ca/cacert.pem

Save the downloaded cacert.pem file to a local directory, for example: C:\wamp\certs\cacert.pem.

Modify the PHP configuration file php.ini by adding or changing the following configuration:

curl.cainfo = "C:\wamp\certs\cacert.pem"

After configuration, restart the WAMP service to apply changes. Verify the configuration with the following PHP code:

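<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.amazon.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Verify the certificate chain against the CA bundle from curl.cainfo.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
// Verify that the certificate's name matches the requested host.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

$response = curl_exec($ch);
if (curl_errno($ch)) {
    // Error code 60 here means the issuer could not be found in the bundle.
    echo 'cURL Error: ' . curl_error($ch);
} else {
    echo 'SSL Connection Verified Successfully';
}
curl_close($ch);
?>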

Importance and Maintenance of Certificate Bundles

The cacert.pem bundle contains root and intermediate certificates from all major CAs. Compared to self-generated certificate bundles, the officially maintained bundle offers these advantages:

Regularly check and update the certificate bundle, especially after operating system or PHP version upgrades. Ensure bundle validity by comparing file modification timestamps or using certificate verification scripts.
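One way to script the bundle check described above, as an added example that is not part of the original article: it splits the bundle into certificates and reports entries that are corrupt or outside their validity period. The function names, the 30-day look-ahead and the constructed fallback bundle are assumptions, and it requires the openssl extension (with a working openssl.cnf for the sample-certificate helper).

```php
<?php
// Added example (not from the original article): audit the CA bundle that
// curl.cainfo points at. All function names here are hypothetical.

/** Split PEM text into its individual certificate blocks. */
function splitBundle(string $pem): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    return $m[0];
}

/** Count certificates and list those that are unparsable or outside their validity period. */
function auditBundle(string $pem, ?int $now = null): array
{
    $now ??= time();
    $report = ['total' => 0, 'unparsable' => 0, 'expired' => [], 'not_yet_valid' => []];
    foreach (splitBundle($pem) as $block) {
        $report['total']++;
        $info = @openssl_x509_parse($block);   // false on corrupt or truncated entries
        if ($info === false) {
            $report['unparsable']++;
            continue;
        }
        $name = $info['subject']['CN'] ?? $info['name'];
        if ($info['validTo_time_t'] < $now) {
            $report['expired'][] = $name;
        } elseif ($info['validFrom_time_t'] > $now) {
            $report['not_yet_valid'][] = $name;
        }
    }
    return $report;
}

/** Constructed sample input: a throwaway self-signed certificate valid for $days days. */
function makeSampleCert(string $cn, int $days): string
{
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    openssl_x509_export(openssl_csr_sign($csr, null, $key, $days, ['digest_alg' => 'sha256']), $pem);
    return $pem;
}

// Audit the configured bundle if present, otherwise a constructed two-entry bundle.
$path = ini_get('curl.cainfo');
$pem  = ($path && is_readable($path))
    ? file_get_contents($path)
    : makeSampleCert('Sample Root A', 1) . "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
// Evaluate validity 30 days ahead so soon-to-expire entries are flagged early.
print_r(auditBundle($pem, time() + 30 * 86400));
```

With the constructed fallback bundle the report shows two entries: the one-day sample certificate listed as expired under the 30-day look-ahead, and the corrupt block counted as unparsable.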

Alternative Approaches and Considerations

Although setting CURLOPT_SSL_VERIFYPEER to false bypasses certificate verification, this significantly reduces connection security and is not recommended for production environments. Consider this option only in development and testing environments with clear understanding of the risks.

For environments where php.ini cannot be modified, specify the certificate path at runtime through code:

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://api.example.com");
// Single quotes keep the backslashes literal; in double quotes "\t" would become a tab.
curl_setopt($ch, CURLOPT_CAINFO, 'C:\path\to\cacert.pem');
// Other cURL options...
?>

This approach offers greater flexibility but requires explicitly specifying the certificate path in each cURL request.

Summary and Best Practices

The key to resolving PHP cURL error code 60 lies in correctly configuring the CA certificate bundle. Using the officially provided cacert.pem file from curl is the most reliable approach. After configuration, write test scripts to verify SSL connection functionality and establish mechanisms for regular certificate bundle updates. For enterprise applications, consider using operating system certificate stores or establishing internal certificate management processes to ensure security and reliability of all API calls.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.