Tuesday, October 27, 2015

SSL3_GET_SERVER_CERTIFICATE: certificate verify failed

Sorry for spamming my blog with technical info, but this is a good find for the geeks out there like me.

We found a reference on StackExchange to this test, which can be run on any Linux system that has curl installed (which is generally how you get the titular error):
curl -v https://api.sandbox.paypal.com/v1/oauth2/token
This informed us that:
* successfully set certificate verify locations:
*   CAfile: /usr/share/curl/curl-ca-bundle.crt
  CApath: none
We had specified the CURLOPT_CAINFO option in our PHP code and pointed it to a file, but when we tried to curl to PayPal's SSL server, it told us "error setting certificate verify locations: CAfile: /etc/apache2/...". We concluded that, at least on our system, we'd have to use whatever curl was using as the default.
We copied the newest bundle.crt file into /usr/share/curl/curl-ca-bundle.crt and that fixed the problem.
Some other things we had tried that didn't work and were unnecessary:
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($curl, CURLOPT_CAINFO, '/etc/apache2/...

Updating ca-bundle.crt in other places (we found two!)
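
The two errors in this post have different causes, and the sketch below tells them apart. It is an added example, not code from the original post: it checks whether a bundle can be loaded at all and, if so, whether it anchors a given certificate. It assumes OpenSSL 1.1.0 or later (for `-no-CApath`); the function names, file names and throwaway certificates are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: classify CA-bundle failures. All names and files are constructed.

# check_bundle BUNDLE CERT -> prints one of: unloadable | untrusted | ok
check_bundle() {
    local bundle="$1" cert="$2"
    # Missing, unreadable or PEM-less file: the case curl reports as
    # "error setting certificate verify locations".
    if [ ! -r "$bundle" ] || ! grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo unloadable; return 0
    fi
    # -no-CApath keeps the system trust directory out of the decision,
    # so only the bundle under test counts.
    if openssl verify -no-CApath -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted   # the case curl reports as "certificate verify failed"
    fi
}

# make_demo_pki DIR: two throwaway roots, a server cert issued by the new root,
# a stale bundle (old root only) and a fresh bundle (both roots).
make_demo_pki() {
    local d="$1" ca
    for ca in old-root new-root; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
            -subj "/CN=demo $ca" -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -sha256 -days 2 \
        -CA "$d/new-root.crt" -CAkey "$d/new-root.key" -CAcreateserial \
        -out "$d/server.crt" 2>/dev/null
    cp "$d/old-root.crt" "$d/stale-bundle.crt"
    cat "$d/old-root.crt" "$d/new-root.crt" > "$d/fresh-bundle.crt"
}

# Demonstration on constructed files: one line per bundle with its verdict.
demo=$(mktemp -d)
make_demo_pki "$demo"
for b in missing.crt stale-bundle.crt fresh-bundle.crt; do
    printf '%-18s %s\n' "$b" "$(check_bundle "$demo/$b" "$demo/server.crt")"
done
rm -rf "$demo"
```

The stale bundle is the case this post hit: the fix is a current bundle, with CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST left enabled.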

All this happened while we were trying to get our CC payment system working again after a change that broke it. As PayPal put it themselves: "We will be performing the G5 and SHA-256 upgrades to payflowpro.paypal.com on October 13, 2015."
If this info helped you, please leave a comment so I know (not so important), and check out the other stuff I've written into this blog (very important!).