What is “cacert.pem”?

Question :

In the code where an API call is executed, the following line exists:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

When executing the code the following error is returned:


SSL certificate problem: unable to get local issuer certificate – Code: 60

Soon after, the following code was added:

if (curl_errno($ch) == 60) {
    // Error 60: retry with the CA bundle stored next to this script
    curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '/cacert.pem');
    $result = curl_exec($ch);
    $httpStatus = curl_getinfo($ch, CURLINFO_HTTP_CODE);
}

What does the “cacert.pem” file do, and why is the error returned when “CURLOPT_SSL_VERIFYPEER” is set to “true”?


Answer :

A *.pem file is a container file. Generally, it contains the public certificate, but it can also contain any chain of intermediate certifying entities and even public and private keys, as well as root certifying entities.

The normal certificate validation process on a web server involves only the validation of the server’s certificate, ensuring that the client is accessing the correct server (especially ensuring non-repudiation of information from the server).

CURLOPT_SSL_VERIFYPEER causes the client certificate to also be validated. In this way, we guarantee the non-repudiation of the information originated in the client.

What is probably happening is that the intermediate certifying entities of your certificate are wrong. This can occur for a number of reasons, from an erroneously specified file, to its signature diverging from the signature of the final certificate, or simply because its intermediate certifying entity is invalid (if it exists).
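
An added example, not part of the original question or answer: a cacert.pem passed through CURLOPT_CAINFO is a bundle of CA certificates that curl uses when verifying the server's certificate chain. The PHP below lists what such a bundle contains and makes a request with verification enabled from the start instead of retrying after error 60; the bundle location and the URL are assumptions for illustration.

```php
<?php
// Added example: inspect a CA bundle, then make a verified HTTPS request with it.
// The bundle location and the URL at the bottom are assumptions for illustration.

/** Split a PEM bundle into its certificates; return subject and expiry for each. */
function listBundleCerts(string $bundlePath): array
{
    $pem = @file_get_contents($bundlePath);
    if ($pem === false) {
        throw new RuntimeException("CA bundle not readable: $bundlePath");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $certs = [];
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            continue; // skip blocks OpenSSL cannot parse
        }
        $certs[] = [
            'subject' => $info['subject']['CN'] ?? $info['name'], // some roots have no CN
            'expires' => date('Y-m-d', $info['validTo_time_t']),
        ];
    }
    return $certs;
}

/** GET a URL with peer and host verification on, trusting only the given bundle. */
function verifiedGet(string $url, string $bundlePath): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // check the server's chain against the bundle
        CURLOPT_SSL_VERIFYHOST => 2,    // check the certificate matches the host name
        CURLOPT_CAINFO         => $bundlePath,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Code 60 here means no certificate in the bundle issued the server's chain.
        throw new RuntimeException(sprintf('%s (code %d)', curl_error($ch), curl_errno($ch)));
    }
    return $body;
}

$bundle = __DIR__ . '/cacert.pem'; // assumed location: next to this script
printf("%d CA certificates in bundle\n", count(listBundleCerts($bundle)));
echo strlen(verifiedGet('https://example.com/', $bundle)), " bytes received\n";
```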

