Problem: A wp_remote_get() or wp_remote_post() call fails with the cURL error: "SSL certificate problem: unable to get local issuer certificate".
Solution: The server's CA certificate bundle is missing or outdated. Download the latest cacert.pem from the curl website, set curl.cainfo to its path in php.ini, and restart the web server. Never work around this by setting 'sslverify' => false in production.
When making outbound HTTPS requests with cURL (from a PHP script, a site scraper, or wp_remote_get()), you may encounter the following error:
SSL certificate problem: unable to get local issuer certificate
This means cURL cannot verify the full certificate chain because the intermediate certificate is missing from your server's trusted CA bundle. All steps below are run in a terminal.
Step 1. Inspect the certificate chain of the target host to identify the issuing authority. Replace www.yoursite.com with the actual domain:
openssl s_client -connect www.yoursite.com:443
Look for lines like these in the output — they confirm the intermediate certificate is not being served:
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
The output also shows who signed the certificate. In this example it is GoDaddy:
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certificate Authority - G2
Step 2. Visit the issuer's certificate repository (the URL appears in the i:/ line) and download the intermediate certificate bundle. For GoDaddy this is typically gdig2.crt.pem.
Step 3. Copy the downloaded certificate into the system CA directory:
cp gdig2.crt.pem /etc/ssl/certs/
Step 4. Rehash the certificate store so the system picks up the new file:
c_rehash
Run the openssl s_client command from Step 1 again. If all three depth levels now show verify return:1 without any error lines, the chain is complete and cURL will work correctly.
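The check from Step 1 and the re-check after Step 4, as an added shell example that is not part of the original page: chain_status summarises openssl s_client output and returns non-zero when verify errors are present. The function names, the host www.example.test and both sample outputs are constructed for illustration; the issuer DN is the one quoted in Step 1.

```shell
# Added example: summarise `openssl s_client` output read from stdin.
# Prints one line; returns 0 when no verify error was reported, 1 otherwise.
chain_status() {
  awk '
    /verify error:num=/ {                      # e.g. verify error:num=20:unable to ...
      split($0, f, "verify error:num="); split(f[2], e, ":")
      if (!seen[e[1]]++) errs = errs (errs != "" ? "," : "") e[1]
    }
    /^ *[0-9]+ s:/ { served++ }                # one "N s:" line per certificate the server sent
    /^ *i:/ && issuer == "" { sub(/^ *i:/, ""); issuer = $0 }   # issuer of the leaf
    END {
      if (errs != "") { printf "BROKEN errors=%s served=%d issuer=%s\n", errs, served, issuer; exit 1 }
      printf "OK served=%d issuer=%s\n", served, issuer
    }'
}
# check_host HOST: live use; needs network, so it is not called below.
check_host() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>&1 | chain_status
}
ISSUER='/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certificate Authority - G2'
# Constructed sample: abbreviated s_client output before the fix.
sample_broken() { cat <<EOF
depth=0 OU = Domain Control Validated, CN = www.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = www.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.test
   i:$ISSUER
EOF
}
# Constructed sample: after Steps 2-4, all three depths verify.
sample_fixed() { cat <<EOF
depth=2 CN = Example Root (constructed)
verify return:1
depth=1 CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = www.example.test
verify return:1
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.test
   i:$ISSUER
EOF
}
sample_broken | chain_status || echo "chain incomplete: follow Steps 2-4"
sample_fixed | chain_status
```

For a live host, call check_host www.yoursite.com. A result of served=1 after the fix means the server still sends only its own certificate, so clients that lack the intermediate in their own CA store will keep failing.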
NOTE: Never set CURLOPT_SSL_VERIFYPEER to false as a workaround. Disabling peer verification exposes your requests to man-in-the-middle attacks. Always fix the certificate chain instead.