PHP CURL and Peer Certificate Issue

By Akbar

I have been using the Microsoft Translator API for some time, and it worked great. This API requires the “Access Token” to validate all the AJAX calls, and it has been working fine for months.

Now a few days back, it broke, and when debugging the issue, I found that it was failing with the following exception:
'Exception' with message 'Peer certificate cannot be authenticated with known CA certificates'

Now, a good, secure way to detect and resolve this issue is to investigate why this certificate is not being verified. But since in this case the site was Microsoft's, I simply decided to skip the authentication. All you need to do is add an option in curl for this:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

This solved the issue very well.

BTW, as a side tip, the following code to check for and detect a CURL execution failure works well for me:

//Get the Error Code returned by Curl.
$curlErrno = curl_errno($ch);
if($curlErrno){
	$curlError = curl_error($ch);
	throw new Exception($curlError);
}

Hope this helps.

Update: July 25, 2012 – While the above method works well for local self-signed certificates, it's possible to get a similar error for a production/live website that uses a valid certificate. For example, for one of my client's sites, which got a new certificate from the “Thawte SSL CA”, the PHP client was throwing the following error:
SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

You should never ignore such errors by setting CURLOPT_SSL_VERIFYPEER to false. Instead, the proper method is to import the correct server certificate and then pass it to CURL via the CURLOPT_CAINFO option. The following tutorial covers this in detail (see the "The proper fix" section):
Using cURL in PHP to access HTTPS (SSL/TLS) protected sites
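
A sketch of the CURLOPT_CAINFO approach from the update, added here as an example and not taken from the original post or the linked tutorial. The function name `fetchVerified`, the URL and the `cacert.pem` path are assumptions; the PEM file is expected to hold the CA certificate(s) that issued the server's certificate.

```php
<?php
// Added example: HTTPS request with peer verification left ON and the
// trusted CA certificate(s) supplied through CURLOPT_CAINFO.
// fetchVerified(), the URL and the cacert.pem path below are placeholders.

function fetchVerified(string $url, string $caBundle): string
{
    // Fail early with a clear message instead of an opaque cURL error.
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // validate the chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate name must match the host
        CURLOPT_CAINFO         => $caBundle, // PEM file with the trusted CA certs
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);

    if ($errno !== 0) {
        // A verification failure lands here; it is reported to the caller,
        // never retried with verification switched off.
        throw new RuntimeException("cURL error $errno: $error", $errno);
    }

    return $body;
}

try {
    $body = fetchVerified('https://api.example.com/', __DIR__ . '/cacert.pem');
    echo strlen($body), " bytes received\n";
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```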
