Issues with curl and ssl: Curl error: SSL certificate problem: unable to get local issuer certificate #1

Closed
t2thec opened this issue Jul 13, 2015 · 4 comments

Comments

t2thec commented Jul 13, 2015

Hey. Thanks for putting this together. I am having a couple of issues that I am hoping you might be able to help me with.

The first being:

```
Curl error: SSL certificate problem: unable to get local issuer certificate
```

I have checked and everything is installed properly on the server, and the locations of the SSL key etc. are all OK:

```php
'rsa_private_key'  => 'file:///' . base_path() . '/privatekey.pem',
'rsa_public_key'   => 'file:///' . base_path() . '/publickey.cer'
```

cURL is at version 7.37.1
openSSL is installed and enabled

All settings seem OK. Have you experienced this before? I am running this on Homestead. I initially thought this was the issue, so pushed it to the staging server and I have the same issue.

I've also added the paths without the use of base_path() and the issue remains.

Thanks in advance. I am hoping it is something stupid on my side.

Cheers

@amochohan (Owner)

Which sort of application are you creating? If it's not a private application, this wrapper may not work, as my project requires only private applications. If you're using a public or a partner app, you'll probably need to reference the ca-bundle file via the CURLOPT_CAINFO parameter using:

```php
CURLOPT_CAINFO          => 'certs/ca-bundle.crt',
```

Please feel free to submit a PR.

t2thec (Author) commented Jul 13, 2015

Thanks dude. Yeah, it is a private app. I'll take a look adding the curl param and see if it makes a difference.

Cheers

t2thec (Author) commented Jul 14, 2015

Finally!! Found the solution to this. It is to do with the Entrust root cert being missing.

I basically followed the advice here: https://community.xero.com/developer/discussion/8447428

I'll add the article here just in case it disappears from their server for whatever reason.

#### Copy of article

This took a good few hours to solve, so posting this up in case anyone else is struggling with this.

Under Ubuntu this started happening yesterday - I was getting an error via a Ruby client like so: 

"SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed"

After a bit of digging, it looks like the required Entrust root certificate authority isn't shipped with the standard Ubuntu ca-certificates package. If you look on the Entrust site there's a whole handful, one of which must be required and is not in the ca-certificates package. I'm guessing Xero updated their api.xero.com cert yesterday..... this seems to be very OS specific, so you'll need to check for your own environments.

If you do the following on the server you're calling Xero from:

```sh
openssl s_client -connect api.xero.com:443 -showcerts \
    -CAfile /etc/ssl/certs/ca-certificates.crt
```

You'll get some output that says something like:

```
Verify return code: 20 (unable to get local issuer certificate)
```

This will confirm you're getting an SSL error connecting to the Xero API.

So the steps to fix this are to get the correct root certificate authority onto your machine from the source (Entrust). I saw a whole bunch of alternatives when googling this, from bypassing the checking (bad) to downloading a random CA bundle from someone's GitHub page. I believe the following would be the "most correct" way of getting this sorted...

1) Go to https://www.entrust.net/downloads/root_request.cfm
2) Copy each of the certificates into .crt files in /usr/local/share/ca-certificates
3) It should look like this:

```
$ ls
entrust_2048_ca.crt entrust_ec1_ca.crt entrust_ev_ca.crt entrust_g2_ca.crt entrust_ssl_ca.crt
```

4) Next run:

```
sudo update-ca-certificates
```

You'll get some output telling you something like the following:

```
Adding debian:entrust_2048_ca.pem
Adding debian:entrust_ec1_ca.pem
Adding debian:entrust_ev_ca.pem
Adding debian:entrust_g2_ca.pem
Adding debian:entrust_ssl_ca.pem
```

5) Now if you re-run the openssl check command you should see at the end:

```
Verify return code: 0 (ok)
```

OpenSSL now can verify the Xero SSL cert and you're on your way again.....

Thanks to the original poster Rown Hicks and thanks @drawmyattention for your support.

Right... to work...

Cheers

@amochohan (Owner)

@movostudios I just ran into this issue myself with a local dev machine. I appreciate you taking the time to post the fix. Cheers
