Backend Development
PHP Tutorial
How to fix PHP Curl HTTPS Certificate Authority issues on Windows
How to fix PHP Curl HTTPS Certificate Authority issues on Windows
Nov 11, 2024 pm 12:24 PM
A successful HTTPS request involves the HTTP client validating the server-provided TLS certificate against a list of known and trusted root certificates. The PHP Curl extension is not different; the Curl extension uses libcurl to make the HTTPS request, and libcurl, which in turn uses a TLS library such as OpenSSL to validate the request.
The Curl extension requires a valid file containing all of the trusted root certificates to complete the HTTPS validation, and PHP exposes this as a directive in the php.ini file.
On Linux, BSD, and macOS, libcurl can default to the system root certificates, but this is not possible on Windows because Windows does not come with a single file containing all of the system root certificates.
This article discusses two possible approaches to successfully make HTTPS requests on with the Curl extension, and what not to do that can leave HTTPS requests insecure.
Why it fails
$ch?=?curl_init('https://php.watch');??
curl_setopt($ch,?CURLOPT_RETURNTRANSFER,?true);??
curl_exec($ch);?//?false??
curl_error($ch);
//?SSL?certificate?problem:?unable?to?get?local?issuer?certificate
If the curl_exec calls fail with a false response, and if curl_error indicates an SSL certificate problem: unable to get local issuer certificate error, this means Curl was not provided a file containing root certificates, or it was unable to discover it.
This error is uncommon on Linux, BSD, and macOS systems, but quite common on Windows because there is no designated file to obtain the root certificates, and the PHP does not ship a root certificate list on its own.
The solution is to provide a file containing up to date root certificates, or ideally, let Curl parse the native root store that the underlying operating system provides.
Use Native Certificate Authorities
On Curl 7.71 and later, it is possible to set a Curl option to request Curl to use the native (system) root certificates. This works even on Windows, where Curl parses system root certificates and uses them.
When CURLOPT_SSL_OPTIONS option is set to CURLSSLOPT_NATIVE_CA or a bitmask containing those bits, Curl attempts to use the native root certificate store, subject to the capabilities and versions of the underlying TLS library.
This is the recommended fix, if the Curl extension is built with Curl 7.71 or later and PHP 8.2 and later.
?$ch?=?curl_init('https://php.watch');
??curl_setopt($ch,?CURLOPT_RETURNTRANSFER,?true);
???curl_setopt($ch,?CURLOPT_SSL_OPTIONS,?CURLSSLOPT_NATIVE_CA);
????curl_exec($ch);
Note the snippet above does not check the Curl version and the PHP version, and assumes both PHP and Curl version requirements are met. The following is an example showing conditionally adding the Curl option:
$ch?=?curl_init('https://php.watch');??
curl_setopt($ch,?CURLOPT_RETURNTRANSFER,?true);??
if?(defined('CURLSSLOPT_NATIVE_CA')??
??&&?version_compare(curl_version()['version'],?'7.71',?'>='))?{??
????curl_setopt($ch,?CURLOPT_SSL_OPTIONS,?CURLSSLOPT_NATIVE_CA);
}??
curl_exec($ch);
Download and maintain a cacert.pem file
For applications running on PHP versions older than 8.2 (where CURLSSLOPT_NATIVE_CA constant is unavailable), or when the Curl version is older than 7.71, the recommended alternative solution is to download a Curl-compatible root certificate file, and configure PHP or the Curl request to use it.
The Curl project maintains an up to date list of certificates. See CA Certificates extracted from Mozilla.
Download the cacert.pem file
- Move the file to a directory accessible by PHP and the web server. For example, to C:/php/cacert.pem.
Edit the php.ini file and modify the curl.cainfo entry to point to the absolute path to the cacert.pem file.
$ch?=?curl_init('https://php.watch');?? curl_setopt($ch,?CURLOPT_RETURNTRANSFER,?true);?? curl_exec($ch);?//?false?? curl_error($ch); //?SSL?certificate?problem:?unable?to?get?local?issuer?certificateOptionally, restart the Web server (such as Apache) to reload the INI file.
The downside of this approach is that the cacert.pem file must be updated routinely. The cacert.pem file provided by Curl project, for example, is extracted from the root store maintained by Mozilla. On average, this list and the file get updated 4-5 times a year. To ensure compatibility with the latest root certificates list, make sure to update the local copy of this file regularly
If it is not possible to modify the INI file, specify the absolute path to the cacert.pem file within a Curl request as well:
?$ch?=?curl_init('https://php.watch');
??curl_setopt($ch,?CURLOPT_RETURNTRANSFER,?true);
???curl_setopt($ch,?CURLOPT_SSL_OPTIONS,?CURLSSLOPT_NATIVE_CA);
????curl_exec($ch);
On PHP 8.2 ?with Curl 7.77, it is possible to a string containing the cacert.pem contents with the CURLOPT_CAINFO_BLOB option.
The above is the detailed content of How to fix PHP Curl HTTPS Certificate Authority issues on Windows. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How Do Generators Work in PHP?
Jul 11, 2025 am 03:12 AM
AgeneratorinPHPisamemory-efficientwaytoiterateoverlargedatasetsbyyieldingvaluesoneatatimeinsteadofreturningthemallatonce.1.Generatorsusetheyieldkeywordtoproducevaluesondemand,reducingmemoryusage.2.Theyareusefulforhandlingbigloops,readinglargefiles,or
How to prevent session hijacking in PHP?
Jul 11, 2025 am 03:15 AM
To prevent session hijacking in PHP, the following measures need to be taken: 1. Use HTTPS to encrypt the transmission and set session.cookie_secure=1 in php.ini; 2. Set the security cookie attributes, including httponly, secure and samesite; 3. Call session_regenerate_id(true) when the user logs in or permissions change to change to change the SessionID; 4. Limit the Session life cycle, reasonably configure gc_maxlifetime and record the user's activity time; 5. Prohibit exposing the SessionID to the URL, and set session.use_only
How to access a character in a string by index in PHP
Jul 12, 2025 am 03:15 AM
In PHP, you can use square brackets or curly braces to obtain string specific index characters, but square brackets are recommended; the index starts from 0, and the access outside the range returns a null value and cannot be assigned a value; mb_substr is required to handle multi-byte characters. For example: $str="hello";echo$str[0]; output h; and Chinese characters such as mb_substr($str,1,1) need to obtain the correct result; in actual applications, the length of the string should be checked before looping, dynamic strings need to be verified for validity, and multilingual projects recommend using multi-byte security functions uniformly.
How to URL encode a string in PHP with urlencode
Jul 11, 2025 am 03:22 AM
The urlencode() function is used to encode strings into URL-safe formats, where non-alphanumeric characters (except -, _, and .) are replaced with a percent sign followed by a two-digit hexadecimal number. For example, spaces are converted to signs, exclamation marks are converted to!, and Chinese characters are converted to their UTF-8 encoding form. When using, only the parameter values ??should be encoded, not the entire URL, to avoid damaging the URL structure. For other parts of the URL, such as path segments, the rawurlencode() function should be used, which converts the space to . When processing array parameters, you can use http_build_query() to automatically encode, or manually call urlencode() on each value to ensure safe transfer of data. just
PHP get the first N characters of a string
Jul 11, 2025 am 03:17 AM
You can use substr() or mb_substr() to get the first N characters in PHP. The specific steps are as follows: 1. Use substr($string,0,N) to intercept the first N characters, which is suitable for ASCII characters and is simple and efficient; 2. When processing multi-byte characters (such as Chinese), mb_substr($string,0,N,'UTF-8'), and ensure that mbstring extension is enabled; 3. If the string contains HTML or whitespace characters, you should first use strip_tags() to remove the tags and trim() to clean the spaces, and then intercept them to ensure the results are clean.
PHP get the last N characters of a string
Jul 11, 2025 am 03:17 AM
There are two main ways to get the last N characters of a string in PHP: 1. Use the substr() function to intercept through the negative starting position, which is suitable for single-byte characters; 2. Use the mb_substr() function to support multilingual and UTF-8 encoding to avoid truncating non-English characters; 3. Optionally determine whether the string length is sufficient to handle boundary situations; 4. It is not recommended to use strrev() substr() combination method because it is not safe and inefficient for multi-byte characters.
How to set and get session variables in PHP?
Jul 12, 2025 am 03:10 AM
To set and get session variables in PHP, you must first always call session_start() at the top of the script to start the session. 1. When setting session variables, use $_SESSION hyperglobal array to assign values ??to specific keys, such as $_SESSION['username']='john_doe'; it can store strings, numbers, arrays and even objects, but avoid storing too much data to avoid affecting performance. 2. When obtaining session variables, you need to call session_start() first, and then access the $_SESSION array through the key, such as echo$_SESSION['username']; it is recommended to use isset() to check whether the variable exists to avoid errors
How to prevent SQL injection in PHP
Jul 12, 2025 am 03:02 AM
Key methods to prevent SQL injection in PHP include: 1. Use preprocessing statements (such as PDO or MySQLi) to separate SQL code and data; 2. Turn off simulated preprocessing mode to ensure true preprocessing; 3. Filter and verify user input, such as using is_numeric() and filter_var(); 4. Avoid directly splicing SQL strings and use parameter binding instead; 5. Turn off error display in the production environment and record error logs. These measures comprehensively prevent the risk of SQL injection from mechanisms and details.
