Devilbox: cURL error 60: SSL certificate problem: unable to get local issuer certificate

Created on 21 May 2018  路  24Comments  路  Source: cytopia/devilbox

If you encounter a bug and something does not work, make sure you have done the following and check those boxes before submitting an issue - thank you!

  • [X ] Pull latest dockers (e.g.: docker pull cytopia/<used_docker>) before running docker-compose up
  • [X ] Specify used docker versions (php, web and database)
  • [ X] Attach logs for php, mysql and webserver (found in log/ directory)
  • [ X] Start with debug mode and attach docker-compose output (.env setting DEBUG_COMPOSE_ENTRYPOINT=1)
  • [ X] Never use different mysql|mariadb versions on the same HOST_PATH_MYSQL_DATADIR on existing database files. Different mysql|mariadb versions might upgrade/corrupt existing database files. If you have done that already, start with a different path of HOST_PATH_MYSQL_DATADIR (to an empty directory) and try again.

Please also specify the following info:

  • [X ] Which operating system are you at (Linux, OSX or Windows)
    -- Windows 10 Pro version 1803
  • [ X] docker version
    -- Docker version 18.03.1-ce, build 9ee9f40
  • [X ] docker-compose version
    -- docker-compose version 1.21.1, build 7641a569

I am getting this notification on my Updraft options pages.

Errors occurred when trying to connect to UpdraftPlus.Com:
cURL error 60: SSL certificate problem: unable to get local issuer certificate

I looked for a solution and tried a couple of things, but no luck figuring this out on my own.

I Downloaded the latest curl recognized certificates here: https://curl.haxx.se/ca/cacert.pem and placed the file in devilbox\ca. Then I added curl.cainfo = "certificate ./ca/cacert.pem" to my devilbox/cfg/php-ini.7.0/devilbox-custom.ini I also tried 'certificate .\ca\cacert.pem'

After this, the error changed to:

Errors occurred when trying to connect to UpdraftPlus.Com:
cURL error 77: error setting certificate verify locations: CAfile: certificate ./ca/cacert.pem CApath: /etc/ssl/certs

I used the devilbox shell script to open a shell and executed curl api.wordpress.com and the contents output to the terminal. Next, I opened a shell into the PHP container with docker exec -it 3c88083befd0 /bin/bash and executing curl api.wordpress.com. This time there was no output, but there was also no error. I just got a new command prompt.

docker-compose generated no debug output when started.

php-fpm-7.0.zip
mariadb-5.5.zip
dev.cacherz-error.log.zip

DNS

Most helpful comment

I switched my TLD_SUFFIX to loc and now I can curl.

Is there any way that I can have it as .com and still be able to curl?

All 24 comments

I tried it on my machine (Linux) and curling https://updraftplus.com had no problems at all. Maybe they just had a run out certificate during that day?

This has been constant for a couple of weeks now. My, admittedly limited, understanding seems to suggest it's to do with curl and local certificates.

Following this
https://github.com/yabacon/paystack-php/wiki/cURL-error-60:-SSL-certificate-problem:-unable-to-get-local-issuer-certificate-(see-http:--curl.haxx.se-libcurl-c-libcurl-errors.html)

I removed the original error, but got a path error. What would I need to use in my PHP ini to point to the devilbox/ca folder?

Does the following shell command from within the Docker container work:

curl https://updraftplus.com

I get this:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I get the same with https://api.wordpress.com

Did you pull the latest PHP container as well as the latest git HEAD on master?

I pulled the master on devilbox just recently, and again just before I submitted this.

I ran update-docker.sh just before I submitted this as well.

git pull origin master

and

update-docker.sh

I just pulled the latest HEAD on master and pulled devilbox/php-fpm:7.0-work.

Result is the same.

What would I need to put in an ini file for a path to the devilbox/ca folder?

I supposed it has to be:

curl.cainfo =  "/ca/devilbox-ca.crt"

However, if curl (the system binary) itself does not work with HTTPS pages, this should also not be a problem of PHP then.
Unfortunately I cannot reproduce this and curl works fine inside the PHP Docker container on my machine.

Well, I tried adding that anyway as the only information I've been able to find that seemed to make sense for the original error was to provide a path to a certificate in php.ini at https://github.com/yabacon/paystack-php/wiki/cURL-error-60:-SSL-certificate-problem:-unable-to-get-local-issuer-certificate-(see-http:--curl.haxx.se-libcurl-c-libcurl-errors.html)

But when I added that path I got a whole new error:

[email protected] in /shared/httpd $ curl https://api.wordpress.com
curl: (51) SSL: no alternative certificate subject name matches target host name 'api.wordpress.com'

This error is staying with me now even after removing the path from my ini file.

Is there a way to remove and replace curl or get devilbox to redo it's cert. The original error said the problem was with the local certificate. That means the problem is on my machine, right?

cURL error 60: SSL certificate problem: unable to get local issuer certificate

Yes, you can just delete the certificate from the /ca directory and start up the devilbox. Whenever this directory is empty, it will re-create the certificate.

Btw, you might also give docker-compose rm -f a try to see if that helps.

@danemorgan can you simply try (just to be absolutely sure)

docker-compose pull php

And also issue a:

docker-compose stop
docker-compose kill
docker-compose rm -f

Let me know if this might resolve the issue or not.

Hello @cytopia

I've the same issue as Dane Morgan, on Linux platform. And with the recent version, issue was solved.
Thanks for this fix : it was related to #259

I tried

docker-compose pull php

and

docker-compose stop
docker-compose kill
docker-compose rm -f

But I still cannot use curl on a secure URL.

I don't have the same error I started with, but I haven't had that error for a while now. Now what I have is

cURL error 51: SSL: no alternative certificate subject name matches target host name 'updraftplus.com'

I have tried various things I've found that seemed like they might be related, but all I've managed is to change the error's reference code.

I am still not able to reproduce this. Do you have a second computer where you can try this on or a Virtual machine?

I'm still fighting this thing.

Doing a -v with curl from shell results in this:

[email protected] in /shared/httpd $ curl https://updraftplus.com -v
* Rebuilt URL to: https://updraftplus.com/
* Hostname was NOT found in DNS cache
*   Trying 172.16.238.11...
* Connected to updraftplus.com (172.16.238.11) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: C=DE; ST=Berlin; L=Berlin; O=Devilbox; OU=Devilbox; CN=localhost; emailAddress=admin@localhost
*        start date: 2018-07-20 15:25:24 GMT
*        expire date: 2028-07-17 15:25:24 GMT
*        subjectAltName does not match updraftplus.com
* SSL: no alternative certificate subject name matches target host name 'updraftplus.com'
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'updraftplus.com'

@danemorgan did you set TLD_SUFFIX to *.com, it looks like https://updraftplus.com resolves to the Devilbox IP 172.16.238.11

You mean in my .env? Yes. I set it to .com so that I could use dev.domain.com addresses with my sites. Should I not be doing that?

I switched my TLD_SUFFIX to loc and now I can curl.

Is there any way that I can have it as .com and still be able to curl?

Not at the moment.

The bundled DNS server works with catch-all DNS. So whatever value you set TLD_SUFFIX to, it will use this to create a domain catch all, directing every sub part to the Devilbox httpd server.

In case of TLD_SUFFIX=com, all domains ending on com will be redirected to the Devilbox own http server.

This is also the reason why the SSL certificate was wrong for it.

I will close this issue as the original problem has been resolved. Feel free to open up a feature request to change the behaviour in Bind, but this will be last on the list at the moment.

@danemorgan FYI: I also get those errors very randomly during Travis CI runs. Around every 300th test on Travis has the exact same curl issue when trying to curl to https from within the container.

The error seems to happen unpredictable on random PHP versions, random Docker versions and random Docker compose versions.

Edit: Found a ticket at Moby: https://github.com/moby/moby/issues/2011 and this might also be related: https://github.com/moby/moby/issues/20178 & https://github.com/docker-library/official-images/issues/2827

FYI: I've also reported this issue to moby, unfortunately still unanswered: https://github.com/moby/moby/issues/38724

Running : update-ca-certificates

Fixed my certificate issues when sending via php/curl.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

gowrav-vishwakarma picture gowrav-vishwakarma  路  6Comments

joshjacksoncastus picture joshjacksoncastus  路  3Comments

lostncg picture lostncg  路  3Comments

Venorcis picture Venorcis  路  6Comments

mwmichael picture mwmichael  路  3Comments