Paypal Access - SSL certificate: unable to get local issuer certificate
The correct solution is to fix your PHP setup.. setting CURLOPT_SSL_VERIFYPEER to false is a quick hack, but it's wrong as you disable the certificate validation by it's certificate authority. This exposes you to a man-in-the-middle attack.
It's easy to fix (php 5.3.7 or higher) - Download a list file with an up-to-date certificate authorities, and add this setting to your php.inicurl.cainfo=<path-to>cacert.pem
Restart your web server, and it'll work !
You may disable SSL verification (which is enabled by default as of cURL 7.10), by adding this:
CURLOPT_SSL_VERIFYPEER, falseto your $options, however the proper way is to keep validation enabled.
SECURITY NOTICE
If remote site uses certificate issued by known CA but validation still fails, then most likely certificate is incorrectly set up on the remote server (lack of intermediate certificates etc.). Alternatively your system got no idea about used Certificate Authority that signed target's certificate. In such case yo should use php.ini's curl.cainfo (documentation) to point to valid PEM file with all supported CAs - that would make your setup properly validate issuer chain.
Please be aware that by setting CURLOPT_SSL_VERIFYPEER to false you are NOT solving the issue! You are working it around. This is all about security so it's fine to do that for a while, but deploying that on production is not wise, politely speaking, as you will become open to Man In The Middle Attack. You have been warned.
I had the same exact problem
Can't connect to PayPal to validate IPN message: SSL certificate: unable to get local issuer certificateI used the code samples generated on paypal's github found here (I used PHP): https://github.com/paypal/ipn-code-samples
I downloaded both certs and tried testing both from curl: http://curl.haxx.se/docs/caextract.html
After about 2 hours of testing (using paypal's ipn simulator) and googling, found that paypal ipn cannot be tested on localhost, so i pushed the code live and tried testing, but still got the same error (even with permissions set to 777).
When I set CURLOPT_SSL_VERIFYPEER, false, it worked but this would defeat the purpose of having an ssl certificate.
After snooping around on my server's files, I found a curl-ca-bundle.crt file in my PHP folder. I decided to hardcode the CURLOPT_CAINFO in my paypal ipn script to that path. It finally worked!
I noticed this older .crt file included some certificates that weren't on the latest .crt file from the curl website. It was a bunch of certificates from verisign class 1, verisign class 2, verisign class 3 and verisign class 4.
Here's the complete list of the certificate names I added to curl's .crt file:
- Verisign Class 1 Public Primary Certification Authority
- Verisign Class 1 Public Primary Certification Authority - G2
- Verisign Class 1 Public Primary Certification Authority - G3
- Verisign Class 2 Public Primary Certification Authority - G2
- Verisign Class 2 Public Primary Certification Authority - G3
- Verisign Class 3 Public Primary Certification Authority
- Verisign Class 4 Public Primary Certification Authority - G2
This may have something to do with what @Andomar was saying - paypal's verisign certificate is not included in the default (by default I mean curl's default) list of safe certificates.
I didn't have the time to debug and figure out exactly which certificate is needed so I just included all of them.
For anyone who experiences this problem in the future, I would suggest to get the latest certs from curl and add one by one the certificates in the list above until the error is gone.
Here's a link for some of those verisign certificates (you may need to google for the others not listed): www.symantec.com/page.jsp?id=roots
Note*: To view paypal's current certificates you can run this command in terminal:
openssl s_client -connect paypal.com:443 -showcertsIf anyone has further insight to this issue, please comment as I spent hours to figure all of the above out.