When you use PHP cURL extension, be aware that CURLOPT_SSL_VERIFYPEER option is set to TRUE by default as of cURL version 7.10 (Azure has cURL 7.40 installed).
Common error messages related to SSL_VERIFYPEER option could be:
SSL certificate problem, verify that the CA cert is OK
SSL certificate problem: unable to get local issuer certificate
The error is usually caused by missing or having invalid SSL certificate in cURL option. If you see these messages, consider to validate SSL certificate, and check the path to CA certificate file. CA certificate must be in PEM format, for more detail about CA extract, visit http://curl.haxx.se/docs/caextract.html
Do not turn off CURLOPT_SSL_VERIFYPEER unless your cURL connect to non certificate protected server.
There are two ways that you can specify certificate info for cURL in PHP environment.
1. Specify CURLOPT_CAINFO in cURL option: (sample code)
curl_setopt($ch, CURLOPT_CAINFO, getcwd() . “\cert\ca-bundle.crt”);
Note: getcwd() . “\cert\ca-bundle.crt” returns absolute path of your ca-bundle.crt. Make sure ca-bundle is installed at correct path.
2. Set curl.cainfo path in php.ini
Since curl.cainfo is PHP_INI_SYSTEM directive, the value cannot be set in “.user.ini”. You can change the setting with PHP_INI_SCAN_DIR, follow the steps:
– Add an App Setting to your Web App with the key
PHP_INI_SCAN_DIR and value
– Create an
settings.ini file using Kudu Console (http://<site-name>.scm.azurewebsite.net) in the
– Set CA path in settings.ini:
; Example Settings
Refer to this blog for PHP configuration on Azure, https://azure.microsoft.com/en-us/documentation/articles/web-sites-php-configure/
CURLOPT_SSL_VERIFYHOST option is used along with verify peer, default value of this option is 2, to check the existence of a common name and also verify that it matches the hostname provided (more detail at http://php.net/manual/en/function.curl-setopt.php)