Ask Learn
Preview
Ask Learn is an AI assistant that can answer questions, clarify concepts, and define terms using trusted Microsoft documentation.
Please sign in to use Ask Learn.
Sign inNote
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
When you use PHP cURL extension, be aware that CURLOPT_SSL_VERIFYPEER option is set to TRUE by default as of cURL version 7.10 (Azure has cURL 7.40 installed).
Common error messages related to SSL_VERIFYPEER option could be:
SSL certificate problem, verify that the CA cert is OK
SSL certificate problem: unable to get local issuer certificate
The error is usually caused by missing or having invalid SSL certificate in cURL option. If you see these messages, consider to validate SSL certificate, and check the path to CA certificate file. CA certificate must be in PEM format, for more detail about CA extract, visit https://curl.haxx.se/docs/caextract.html
Do not turn off CURLOPT_SSL_VERIFYPEER unless your cURL connect to non certificate protected server.
There are two ways that you can specify certificate info for cURL in PHP environment.
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . "\cert\ca-bundle.crt");
Note: getcwd() . "\cert\ca-bundle.crt" returns absolute path of your ca-bundle.crt. Make sure ca-bundle is installed at correct path.
Since curl.cainfo is PHP_INI_SYSTEM directive, the value cannot be set in ".user.ini". You can change the setting with PHP_INI_SCAN_DIR, follow the steps:
- In the Azure Portal, select your web app and go to “Application Settings”.
- Go to the App Settings section and add the following key and value and press save.
KEY = PHP_INI_SCAN_DIR
VALUE = D:\home\site\ini
- Go to the KUDU site for your web app (https://<sitename>.scm.azurewebsites.net/debugconsole).
- Go to site directory and press the “+” button and create an “ini” directory.
- In the ini directory, create an “extensions.ini” file.
- Press the edit button next to the file.
- Add the following to the file and save.
curl.cainfo="%ProgramFiles(x86)%\Git\usr\ssl\certs\ca-bundle.crt"
Refer to this blog for PHP configuration on Azure, https://azure.microsoft.com/en-us/documentation/articles/web-sites-php-configure/
CURLOPT_SSL_VERIFYHOST option is used along with verify peer, default value of this option is 2, to check the existence of a common name and also verify that it matches the hostname provided (more detail at https://php.net/manual/en/function.curl-setopt.php)
- Anonymous
March 16, 2017
I am using this .pem file (https://curl.haxx.se/ca/cacert.pem).Do I ever need to update that in my system? (ie. do these certificates expire?)And, if so, under what circumstances does that happen?- Anonymous
March 24, 2017
You will need to update cert.pem periodically. According to https://curl.haxx.se/docs/caextract.html, cert.pem is updated in the frequency of few months.
- Anonymous