E network curl error problem with the ssl ca cert path access rights


I get this error:

«Problem with the SSL CA cert (path? access rights?)»

When doing:

$curl = curl_init('https://example.com' . ($method == 'GET' && $params ? '?' . $params : ''));

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); 
$response = curl_exec($curl);

print curl_error($curl);

Works ok on another server.

The SSL is using NSS.
PHP 5.3.6

asked Aug 24, 2011 at 16:48

Adam Jimenez

3

Had this happen to two servers which use the PayPal IPN, both at around the same time.

Fix was to restart Apache.

answered Jan 15, 2013 at 11:57

chris

5

If you are getting «Problem with the SSL CA cert (path? access rights?)» it may very well mean that you have either deleted everything from /etc/pki/tls/certs/ or have set invalid permissions (CHMOD).

If you are using RHEL/CentOS, try yum reinstall openssl ca-certificates -y

answered Apr 24, 2013 at 7:07

Gajus

2

Just upgraded to PHP 5.5.17 and this is when the trouble started. The server runs PayPal transactions and cURL started failing on this error: «Problem with the SSL CA cert (path? access rights?)».

I tried regenerating the certs, modifying the curl options, nothing was getting me anywhere. The solution was to simply reboot the server (CentOS 6.5 in my case). Hope this helps someone.

answered Sep 28, 2014 at 4:21

gillytech

1

It happened to me after an update of packages.

Once I restarted Apache it got fixed.

Then I installed it on the production server and I got it again.
This time it was a mess in the certificates under /etc/pki/tls/certs/

Back up the files and this command will fix it:

curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

answered Jan 21, 2015 at 1:50

Pavel Jiri Strnad

Got it working by renaming the nssdb:

mv /etc/pki/nssdb /etc/pki/nssdb.old

Martin Tournoij

answered Aug 24, 2011 at 17:45

Adam Jimenez

1

On Ubuntu, you need to install CA certificates to allow SSL-based applications to check for the authenticity of SSL connections by:

sudo apt-get install ca-certificates

See: cURL not working (Error #77) for SSL connections

answered May 9, 2019 at 15:45

kenorb

Are you facing a curl error 77 problem with the SSL CA cert while curling an SSL website?

One of the main reasons for this error is broken or missing SSL chain certificate files on the server.

At Bobcares, we help our customers to fix similar SSL errors as part of our Server Management Services.

Today, let’s discuss the details on how to fix this error.

What is curl error 77 problem with the SSL CA cert?

Curl error 77 is a server-side error. It indicates that the chain certificate files are missing or “broken”. Usually, this error is caused simply by outdated SSL certificates for cURL installed on the server. Wrong or incomplete configuration settings on the server can also trigger the error on the website.

The error looks like,

Frequently, some website’s PHP scripts may fail with curl error 77 in Plesk servers.  Then the website shows the following error:

cURL error (77): Problem with the SSL CA cert (path? access rights?)

This error occurs when PHP cURL uses an outdated set of root certificates to verify server certificates.

How to fix curl error 77 problem with the SSL CA cert

Now, let’s see how our Support Engineers fix the curl error 77  for our customers.

Curling an SSL website can result in the error curl: (77) Problem with the SSL CA cert (path? access rights?) on certain servers.

This error is the result of SSL chain certificate files in the PKI directory being corrupted or missing.

Therefore, we make sure the files /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/tls/certs/ca-bundle.trust.crt exist on the server. If they do not exist, we set them up for our customers.

Sometimes, the error is resolved by removing and reinstalling the CA certificates.

On a CentOS server, we use the commands below to remove the ca-bundle and reinstall the ca-certificates package.

rm -f /etc/ssl/certs/ca-bundle.crt

yum reinstall -y ca-certificates

On Plesk servers, adding the following directive to %plesk_dir%admin\conf\panel.ini resolves the error. By default, %plesk_dir% is C:\Program Files (x86)\Plesk\

[php]
curlCertificatesUrl="http://curl.haxx.se/ca/cacert.pem"

Insufficient user permission

Sometimes curl requests to https:// addresses stop working for cPanel users. However, the root user can still run the curl -I -v https://google.com command without any issue.

The problem is due to insufficient permissions of the user. The user who is trying to run curl -I -v https://google.com doesn’t have enough permission to access the /etc/pki directory. This is because the user only has jailed SSH access.

So, our Support Engineers fix the error by granting full access to the user.

Other common SSL certificate problem

Similarly, the error SSL certificate problem: Unable to get local issuer certificate can occur when a self-signed certificate cannot be verified, or it can show that the root certificates on the system are not working correctly.

Also, it is important to note that this applies to the system sending the cURL request, and NOT the server receiving the request.

To fix the error,

1. Initially, download cacert.pem from https://curl.haxx.se/ca/cacert.pem

2. Add the following line to php.ini:

curl.cainfo="/path/to/downloaded/cacert.pem"

Furthermore, if the server is shared hosting, add the above value to .user.ini file in the public_html folder.

3. Restart PHP

Now cURL is able to read HTTPS URLs without any error.


Conclusion

In short, the curl error 77 problem with the SSL CA cert occurs when SSL chain certificate files are missing or broken. Today, we saw how our Support Engineers fixed this error.


Website on Plesk shows: cURL error (77): Problem with the SSL CA cert

  • A website or PHP scripts show the following error:

    cURL error (77): Problem with the SSL CA cert (path? access rights?)

    Error : "error setting certificate verify locations: CAfile: C:\Parallels\Plesk\Additional\PHPSettings\cacert.pem CApath: none"

    cURL error 77: error setting certificate verify locations: CAfile: /etc/ssl/certs/cacert.pem CApath: /etc/ssl/certs

  • On Plesk for Windows the Extensions menu may show the following error when trying to open it:

    PLESK_ERROR: error setting certificate verify locations: CAfile: C:\Program Files (x86)\Plesk\admin\conf\cacert.pem CApath: none

Cause

PHP cURL uses an outdated set of root certificates to verify server certificates.

Resolution

Solution 1 – Using Plesk GUI

  1. Log in to Plesk.

  2. Install Panel.ini Editor extension: Extensions > Server Tools section > Panel.ini Editor.

  3. Go to Extensions > My Extensions > Panel.ini Editor (Go To Extension) > Editor.

  4. Add records below to the editor and Save changes:

    [php]
    curlCertificatesUrl="http://curl.haxx.se/ca/cacert.pem"

  5. Wait until Daily task is executed (It is executed once a day).

  6. Go to Domains > example.com > PHP Settings and add the line below into Additional configuration directives. Replace path to cacert.pem with your own path.

    curl.cainfo="C:\Program Files (x86)\Plesk\Additional\PHPSettings\cacert.pem"

    If the changes need to apply to all domains using a particular PHP version, go to Tools & Settings > PHP Settings > %php_version%, click the php.ini tab and add the aforementioned line.

Solution 2 for Windows – Accessing the server

  1. Log in to the server via RDP.

  2. Download the cacert.pem file from the main curl website http://curl.haxx.se/ca/cacert.pem.

  3. Open the [%plesk_dir%](https://support.plesk.com/hc/en-us/articles/213903325)admin\conf\panel.ini file (create it if it does not exist).

    Note: %plesk_dir% by default is C:\Program Files (x86)\Plesk\

  4. Add the directive below to panel.ini.

    [php]
    curlCertificatesUrl="http://curl.haxx.se/ca/cacert.pem"

  5. Place the downloaded cacert.pem in the [%plesk_dir%](https://support.plesk.com/hc/en-us/articles/213903325)Additional\PHPSettings directory.

  6. Wait until Daily task is executed (It is executed once a day).

Solution 2 for Linux – Accessing the server

  1. Connect to the server using SSH.

  2. Download the CA certificate store from the official cURL website and move it to the directory /etc/ssl/certs/:

    # wget https://curl.haxx.se/ca/cacert.pem && mv cacert.pem /etc/ssl/certs/

  3. Log into Plesk.

  4. Go to Tools & Settings > PHP Settings > select the required PHP version > php.ini.

  5. Add the following line into the end of the file:

    curl.cainfo="/etc/ssl/certs/cacert.pem"

  6. Click OK to save the file
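
A checked version of the download-and-move step, as an added example that is not part of the Plesk article: the bundle is installed only if its SHA-256 matches a value obtained separately (curl.se publishes cacert.pem.sha256 next to the bundle) and it contains complete PEM certificate blocks. The function name install_ca_bundle is hypothetical, and GNU coreutils (sha256sum, mktemp) are assumed.

```sh
#!/bin/sh
# Added example: install a downloaded CA bundle only after it passes checks.
# install_ca_bundle SRC EXPECTED_SHA256 DEST   (hypothetical helper name)
# Prints the number of certificates installed; exits non-zero and leaves
# DEST untouched if any check fails.
install_ca_bundle() (
    src=$1 want=$2 dest=$3

    # 1. Integrity: the file must match a digest obtained over a trusted channel.
    got=$(sha256sum "$src" | cut -d' ' -f1)
    [ "$got" = "$want" ] || { echo "sha256 mismatch for $src" >&2; exit 1; }

    # 2. Structure: at least one certificate and no truncated block.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$src" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$src" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] ||
        { echo "$src is not a complete PEM bundle" >&2; exit 1; }

    # 3. Install: write next to DEST, make it world-readable (mode 644) so
    #    non-root users such as the PHP worker can read it, then rename it
    #    into place so readers never see a half-written file.
    tmp=$(mktemp "$dest.XXXXXX") || exit 1
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest" ||
        { rm -f "$tmp"; exit 1; }

    echo "$begins"
)

# Usage: sh install_ca_bundle.sh cacert.pem <sha256> /etc/ssl/certs/cacert.pem
if [ $# -eq 3 ]; then
    install_ca_bundle "$@"
fi
```
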


Problem with the SSL CA cert (path? access rights?): an error with this text appears when using https, most often when trying to download a file available at an https link with wget, or to access it using curl.

The error can occur, for example, when running a command like this:

[email protected]:~$ sudo curl https://example.com/install.sh | sh

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (77) Problem with the SSL CA cert (path? access rights?)

If you try to download the same file (and pipe the result into the shell as in the example, or simply download it) over http, no error occurs and the file downloads normally. It follows that certain components are missing from the system.

They need to be installed as the root user or using sudo

apt-get install openssl

openssl is the most popular utility for encrypting data; among other things, it is used to generate SSL certificates

apt-get install ca-certificates

ca-certificates is exactly the component that was missing for the request to the https site to succeed; after installing it the errors no longer occur.

In the example above, the error occurred because the libraries were not installed on the system, which is an LXC container, as the machine's hostname (container) indicates. The error can also appear on bare-metal servers, and it is fixed the same way: by installing openssl and ca-certificates.


About the author


Syslint ™ Technologies is a technical support and software development company offering enterprise solutions since 2008. Our team consists of people that have been mastering their knowledge about all sorts of Unix / Linux systems. With such experience, we joined the web hosting industry in order to make your business grow faster and smoother. Our system administration and security services have been appreciated by many companies throughout the world that run their businesses on Unix platform.

Copyright © Syslint Technologies. All logos and names are trademarks of the respective owners and developers. The rest of this web site content has been copyrighted by Syslint Technologies.

When trying to curl or git clone something over HTTPS as a regular user, it fails with the error:

fatal: unable to access 'https://github.com/mikemackintosh/xxx/': Problem with the SSL CA cert (path? access rights?)

Note: If I run the commands as root, it works fine, but root should not be the only user able to communicate over ssl.

So I think to myself, ok, what’s curl doing behind the scenes:

$ GIT_CURL_VERBOSE=1 git clone https://github.com/mikemackintosh/xxx
Cloning into 'xxx'...
* Couldn't find host github.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying 192.30.252.130...
* Connected to github.com (192.30.252.130) port 443 (#0)
* error reading ca cert file /etc/ssl/certs/ca-certificates.crt (Error while reading file.)
* Closing connection 0
fatal: unable to access 'https://github.com/mikemackintosh/xxx/': Problem with the SSL CA cert (path? access rights?)

As a result, we are able to confirm the ca-certificate file is: /etc/ssl/certs/ca-certificates.crt which matches curl-config --ca output.

The next step is to try and read the file. As just a plain-old, non-root user:

$ cat /etc/ssl/certs/ca-certificates.crt
cat: /etc/ssl/certs/ca-certificates.crt: Permission denied

Now that seems strange.

$ sudo ls -la /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 273790 Jun 15 22:35 /etc/ssl/certs/ca-certificates.crt

$ sudo lsattr /etc/ssl/certs/ca-certificates.crt
-------------e-- /etc/ssl/certs/ca-certificates.crt

So looking at the permissions, it is world-readable. There should be no problem accessing it. No crazy attributes preventing access.

Doing an ls -la /etc/ssl/certs/ returns:

...
l????????? ? ? ? ?            ? Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem
l????????? ? ? ? ?            ? VeriSign_Universal_Root_Certification_Authority.pem
l????????? ? ? ? ?            ? Visa_eCommerce_Root.pem
l????????? ? ? ? ?            ? WellsSecure_Public_Root_Certificate_Authority.pem
l????????? ? ? ? ?            ? WoSign_China.pem
l????????? ? ? ? ?            ? WoSign.pem
...

If I run a sudo cat /etc/ssl/certs/ca-certificates.pem, it spits out the contents as expected.

Oh, this is for sure a permissions issue.

Doing some googling, I’ve found that there is an ssl-cert group, but this group does not have rights to the /etc/ssl/certs directory.

Ruled out apparmor, ruled out disk corruption, there is no improvement if I run update-ca-certificates (w/wo -f), etc.

Has anyone seen this behavior?

I have never seen anything like this before, but I have duplicated it on two separate machines. As a note, I do come from a CentOS/RHEL background, so this could be a normal behavior of Ubuntu, but I’d love to find out a real solution.
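
A way to test the whole path rather than the file alone, as an added example that is not part of the question above: a bundle with mode 644 is still unreadable when a directory above it lacks the search (x) bit for the user, which is also the condition under which ls -la prints l????????? entries. The function name ca_path_blocker is hypothetical and GNU stat is assumed; it inspects only the "other" permission bits, so ACLs, group membership and MAC policies are not considered.

```sh
#!/bin/sh
# Added example: report the first path component that blocks an unprivileged
# user from reading a CA bundle. It reads the mode bits for "other" instead of
# calling access(), so the answer is the same when the script is run as root.
#
# ca_path_blocker FILE [START_DIR]   (hypothetical helper name)
#   START_DIR: directory assumed to be reachable; checks begin below it
#              (default: the filesystem root).
# Prints "ok", "missing:PATH", "not-searchable:PATH" or "not-readable:PATH".
ca_path_blocker() (
    target=$1
    path=${2:-}
    rest=${target#"$path"/}

    # Split the remaining path on "/" without glob expansion.
    set -f
    old_ifs=$IFS; IFS=/
    set -- $rest
    IFS=$old_ifs

    for part in "$@"; do
        path="$path/$part"
        [ -e "$path" ] || { echo "missing:$path"; exit 1; }
        mode=$(stat -L -c '%a' "$path")   # octal mode, symlinks followed
        other=${mode#"${mode%?}"}         # last digit = bits for "other"
        if [ -d "$path" ]; then
            # A directory must be searchable (x); r without x lets a user
            # list names but not stat or open anything inside it.
            case $other in
                1|3|5|7) ;;
                *) echo "not-searchable:$path"; exit 1 ;;
            esac
        else
            case $other in
                4|5|6|7) ;;
                *) echo "not-readable:$path"; exit 1 ;;
            esac
        fi
    done
    echo ok
)

# Usage: sh ca_path_blocker.sh /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(ca_path_blocker "$f")"
done
```
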

I am logged in as root on CentOS release 6.6 and I want to do the following in order to install a higher version of MySQL on CentOS:

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

After that I have the following error:

Retrieving https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
curl: (77) Problem with the SSL CA cert (path? access rights?)
error: skipping https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm - transfer failed

This is my uname -a:

Linux hosting 2.6.32-504.3.3.el6.x86_64 #1 SMP Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Update

This is my base repo:

# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the 
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#released updates 
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

What should I do?

asked Mar 14, 2016 at 7:48

MLSC

4

You could try to reinstall the ca-certificates bundle and the openssl package on your server:

$ sudo yum reinstall ca-certificates openssl

answered Mar 14, 2016 at 10:19

krt

6

This worked for me (on a CentOS 6 machine):

mkdir /usr/src/ca-certificates && cd /usr/src/ca-certificates

wget http://mirror.centos.org/centos/6/os/x86_64/Packages/ca-certificates-2015.2.6-65.0.1.el6_7.noarch.rpm

rpm2cpio ca-certificates-2015.2.6-65.0.1.el6_7.noarch.rpm | cpio -idmv

cp -pi ./etc/pki/tls/certs/ca-bundle.* /etc/pki/tls/certs/

Answer yes to overwrite the files.

To check:

curl -vvv https://www.unixy.net

dr_

answered Feb 22, 2017 at 8:28

batchen

CURL: Problem with the SSL CA cert (path? access rights?)

While restoring one of my "internal" services, which parsed Google using Curl, I noticed that Google redirects to its http domain. Naturally, I modified the code and added the necessary settings. However, when I tried to fetch a page I got this error:

Problem with the SSL CA cert (path? access rights?) ..

After a bit of googling, I found this note on toster:

For those who run nginx+php-fpm in a chroot, you need to copy
/usr/lib64/libnsspem.so
/usr/lib64/libsoftokn3.so

into the chroot/lib64 directory.

After checking the server's current settings, I found that this was exactly my case. Following the advice, I found the chroot directory here: /etc/php-fpm.d/www.conf

chroot=/mnt/hdds/hdd01/public_html

Next, as the advice says, I created the directory

chroot=/mnt/hdds/hdd01/public_html/lib64

and copied the files into it

/usr/lib64/libnsspem.so

/usr/lib64/libsoftokn3.so

After that the problem was solved.

P.S. To work with http, the PHP code was modified like this:

...

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,  0);

...
