Resolving "SSL3_GET_SERVER_CERTIFICATE: Certificate Verify Failed" Error for HTTPS Requests

In the realm of web development, utilizing HTTPS for secure communication is paramount. However, occasionally, errors may arise during HTTPS requests, such as the infamous "SSL3_GET_SERVER_CERTIFICATE: certificate verify failed, CA is OK."

Navigating the Error

When this error occurs, it typically indicates a discrepancy between the expected server certificate and the one presented by the server. Despite the CA (Certificate Authority) being deemed valid, issues with certificate validation persist.

Resolution via PHP Configuration

For PHP applications, a straightforward solution for this error lies in configuring the curl.cainfo setting within php.ini. This setting specifies the path to a file containing trusted root certificates. By default, PHP uses its own bundled certificates, which may not be updated regularly.

To resolve the error:

1. Download the ca-certificates bundle from https://curl.se/ca/cacert.pem.
2. Save the downloaded file to a desired location, e.g., /path/to/cacert.pem.
3. Open /etc/php.ini, locate the [curl] section, and add the following line:

curl.cainfo = /path/to/cacert.pem

4. Save and restart the PHP FPM service.

Individual Request Adjustments

If PHP configuration adjustments are not feasible, specific cURL requests can be configured to use the custom CA certificate by setting the CURLOPT_CAINFO option:

curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');

Additional Considerations

Ensure that the server certificate being presented by the HTTPS endpoint is valid and signed by a trusted CA. If the issue persists, consider checking firewall settings or verifying server-side certificates.

Conclusion

By following these steps, you can effectively resolve the "SSL3_GET_SERVER_CERTIFICATE: certificate verify failed, CA is OK" error and ensure smooth HTTPS communication in your PHP applications.