(60) SSL certificate problem: unable to get local issuer certificate

[jokkah]

I have now added more VeriSign CA's to my cacert.pem file and rebooted my web server. I am STILL GETTING error 60's (SSL certificate problem: unable to get local issuer certificate)

Why is this having problems checking the CA's when it tries to do a cURL test to the PayPal Express endpoint?? This did not happen before!

I have already checked the directory permissions where the PEM file is, heck, I even gave "Everyone" full control (highly NOT recommended in any scenario) and tested and it gave the same error 60..

[jokkah]

Update : The error (60) is only happening during the curltester.php for the following endpoints:

- PayPal Express/Pro Server
- PayPal Payflowpro Server
- AuthorizeNet Production Server

The rest of the endpoints, GOOD.

Below each of the fails for the above endpoints:

Code:

Testing again with less security...
GOOD: CURL Connection successful. (but without being able to verify certificate chain. Again: this is a server issue, not a Zen Cart issue.)

It is seeing the cacert.pem, but apparently something is going wrong between the CA's listed in the cacert.pem and the ones the above endpoints are using?

[mick9876]

Hi jokkah,
Did you solve this problem? I appear to have exactly the same issue as curltester.php continues to give me:

IMPORTANT NOTE: Error 60 or 61 means that this server has an SSL certificate configuration problem. YOU NEED TO ASK YOUR HOSTING COMPANY SERVER ADMIN FOR ASSISTANCE with fixing the server's OpenSSL certificate chain.

I followed the suggestion to "manually configuring the CURLOPT_CAINFO value with a legitimate CA bundle" and downloaded a cacert.pem to my server. I know the path to cacert.pem is working correctly because I got a "file not found" type of error as soon as I deleted it.

Background
My hosting company asked me to relocate to a new server so I took the opportunity to upgrade from v1.3.9. I installed v.1.5.4 on the new server, copied my v.1.3.9 data to a new database, then used the fresh v1.5.4 install to upgrade my data. All seemed good until it came time to complete the first Paypal transaction.
I've been working with my hosting company but they've run out of options.
Other details: Windows server. PHP Version: 5.4.23 (Zend: 2.4.0). Database: MySQL 5.6.19-log. HTTP Server: Microsoft-IIS/8.5.

Any help would be much appreciated. Mick.

[RodG]

I've been working with my hosting company but they've run out of options.

Eeeek, a hosting company that can't sort out SSL/Certificate related issues.... If I were you I'd be seeking another host. Fast!.

Cheers
RodG

[mick9876]

I have solved the problem by going to http://curl.haxx.se/docs/caextract.html. However, instead of downloading the latest cacert.pem, I jumped down a paragrapgh to here:

RSA-1024 removed

Around early September 2014, Mozilla removed the trust bits from the certs in their CA bundle that were still using RSA 1024 bit keys. This may lead to TLS libraries having a hard time to verify some sites if the library in question doesn't properly support "path discovery" as per RFC 4158. (That includes OpenSSL and GnuTLS.)
The last CA bundle we converted from before that cleanup: an older ca-bundle from github.

I downloaded the older ca-bundle and it worked a treat. Happy days.

[lhungil]

Glad that is working for you.. However this entire thread and the "issues" you have been experiencing highlight two simple facts. First your hosting provider does not know how to properly configure their servers (or you would not need to specify a custom CA bundle in this case). Secondly your hosting provider is not keeping up to date with patches, upgrades, and security (or you would not need to use an out of date CA bundle). I would echo the sentiments posted earlier by another member.

It is time for you to move your e-commerce store to a hosting provider better suited to e-commerce hosting.

[RodG]

I downloaded the older ca-bundle and it worked a treat. Happy days.

Congratulations at being able to find a solution that your host couldn't. I don't consider this to have been an easy one to resolve. Well done.

However it would be amiss of me to say this solution is a good fix because it potentially opens up a security hole on the server. You probably shouldn't let that bother you in itself though, you have done what is needed, and it is ultimately the hosts responsibility to keep the ca's up to date.

Cheers
RodG

[one tall man]

I am also getting the same errors from Paypal checkout.
Tried to follow this page https://www.zen-cart.com/showthread....er-certificate but so far no luck.
Downloaded cacert.pem from both http://curl.haxx.se/docs/caextract.html and http://filehostuk.com/downloads/cacert.rar
The attached screen shot is all I am getting from curltester.php, nothing like in the screen shot posted at the link above.
What am I doing wrong?

[one tall man]

Argh! I was using an old version of curltester.php and the new version from 1.5.5 shows successful test to all destinations.
But I am still getting the error. How should I investigate further?