Using CURLOPT_CAINFO with updated CA bundle causes certificate verify failed

<p>I use cURL to verify PayPal transactions in a WordPress plugin. Recently I started receiving bug reports about users not being able to complete the purchase process because the transaction couldn't be verified. I tracked down the error to:</p>
<pre><code>SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
</code></pre>
<p>I found a lot of questions here on StackOverflow related to the same problem; most of them said the solution was to provide a bundle of CAs using the <code>CURLOPT_CAINFO</code> cURL option. I downloaded and currently ship with the plugin the most recent version (converted on Jun 28, 2012) of <a href="http://curl.haxx.se/ca/cacert.pem">http://curl.haxx.se/ca/cacert.pem</a>. That solved most of the issues I had received.</p>
<p>The problem now is that I just received another report of failed payments and the error was the same: <code>SSL certificate problem, verify that the CA cert is OK.</code> The interesting part is that now the solution was to <strong>remove</strong> the <code>CURLOPT_CAINFO</code> option. I'm wondering if there is an explanation for this. I thought using an updated CA bundle, such as the one I downloaded, was a general solution, but it appears to be otherwise.</p>
<p>What would be a general solution for this kind of problem? And what could explain that using the updated CA bundle causes SSL certificate problems, instead of fixing them?</p>
<p>This is the cURL configuration:</p>
<pre><code>&lt;?php
// $content holds the POST body and is built elsewhere in the plugin.
$ch = curl_init("https://www.paypal.com/cgi-bin/webscr");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_VERBOSE, true);
// Verify the peer certificate chain and that the certificate matches the host name.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// CA bundle shipped with the plugin (placeholder path).
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');
curl_setopt($ch, CURLOPT_POSTFIELDS, $content);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
?&gt;
</code></pre>
<p><strong>UPDATE</strong>: The certificate for www.paypal.com is signed by VeriSign. The Certificate Hierarchy (as shown in Firefox) is:</p>
<ul>
<li>VeriSign Class 3 Public Primary Certification Authority - G5</li>
<li>VeriSign Class 3 Extended Validation SSL CA</li>
<li>www.paypal.com</li>
</ul>
<p>I can confirm the certificate for <em>VeriSign Class 3 Public Primary Certification Authority - G5</em> is included in the version I'm using of <a href="http://curl.haxx.se/ca/cacert.pem">http://curl.haxx.se/ca/cacert.pem</a>.</p>
<p>Thanks for your help.</p>
 
