This document (000020585) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Manager Server 4.1
SUSE Manager Server 4.2
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15
Situation
Any zypper command which needs to download data from the SUSE Manager Server gives the following error:
Error code: Curl error 60
Error message: SSL certificate problem: unable to get local issuer certificate
Resolution
Depending on which SUSE Manager client is used, the following steps are needed to solve the issue.
1. On servers running the salt-minion.service, run "salt-call state.apply certs".
2. On servers using the traditional client:
2.1 Is the rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm package installed?
2.1.1 Check with "rpm -qa | grep rhn-org-trusted-ssl-cert-1.0-1.noarch". If it is installed, go to step 2.2; if it is not installed, continue with step 2.1.2.
2.1.2 Get the package from the server with "wget //<sumaserver-fqdn>/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm".
2.1.3 Install the package with "rpm -ihv rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm".
Or
2.2 Is the softlink "/etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT" available? If not, create it with:
2.2.1 "ln -s /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT"
2.2.2 Follow this with "update-ca-certificates".
Cause
The file RHN-ORG-TRUSTED-SSL-CERT, or the link to the file RHN-ORG-TRUSTED-SSL-CERT, is missing from the /etc/pki/trust/anchors directory.
For the SUSE Manager clients to be able to contact the SUSE Manager Server, the trusted SSL certificate is needed.
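The Cause above names two failure modes, a missing certificate file and a missing link. The following added example (not part of the SUSE article) classifies the trust-anchor state on a traditional client and also distinguishes a dangling link and a stale copy; the function names and the optional root prefix are hypothetical, and the remediation hints for those extra states are suggestions rather than article steps.

```shell
#!/bin/sh
# Added example, not SUSE's own tooling. Paths are the ones named in the article.
# The optional argument is a hypothetical root prefix so the check can be tried
# on a scratch tree; call anchor_state with no argument on a real client.

CERT_NAME=RHN-ORG-TRUSTED-SSL-CERT

anchor_state() {
    root=${1:-}
    src="$root/usr/share/rhn/$CERT_NAME"
    link="$root/etc/pki/trust/anchors/$CERT_NAME"

    if [ ! -s "$src" ]; then
        echo "missing-source"        # certificate file absent or empty
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        echo "source-not-pem"        # file exists but holds no PEM certificate
    elif [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo "missing-link"          # nothing at the anchor path
    elif [ ! -e "$link" ]; then
        echo "dangling-link"         # symlink whose target does not exist
    elif ! cmp -s "$src" "$link"; then
        echo "stale-copy"            # anchor content differs from the source
    else
        echo "ok"
    fi
}

# Map each state to the article step (or a suggested action) that addresses it.
next_step() {
    case $1 in
        missing-source|source-not-pem)
            echo "install rhn-org-trusted-ssl-cert (steps 2.1.2 to 2.1.3)" ;;
        missing-link)
            echo "create the symlink (step 2.2.1), then update-ca-certificates" ;;
        dangling-link|stale-copy)
            echo "remove the anchor, recreate it (step 2.2.1), then update-ca-certificates" ;;
        ok)
            echo "anchor is in place; run update-ca-certificates (step 2.2.2)" ;;
        *)
            echo "unknown state"; return 1 ;;
    esac
}
```

On a client, `next_step "$(anchor_state)"` prints the action for the current state.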
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020585
- Creation Date: 11-Mar-2022
- Modified Date: 11-Mar-2022
- SUSE Linux Enterprise Server
- SUSE Manager Server
Sometimes, when we make a curl call to third-party services, we get the error curl: (60) SSL certificate : unable to get local issuer certificate.
This error occurs because curl verifies the server's certificate when it makes a secure connection, and the verification fails, for example when the server uses a self-signed certificate. When curl does not find a valid certificate to verify against, it throws an error.
To fix this error, follow the steps below:
- Open //curl.haxx.se/ca/cacert.pem
- Copy the entire page and save it as a “cacert.pem”
- Open your php.ini file and insert or update the following line.
curl.cainfo = "[pathtofile]cacert.pem"
The message “SSL certificate problem: unable to get local issuer certificate” shows up when trying to connect to Magento Connect or when, generally, you try to use cURL to connect to a remote web site.
This error happens because cURL cannot find a cacert.pem file from which to take the trusted signatures.
There are some ways to set this file in cURL:
- Pass the cacert.pem file path directly to cURL when making the call;
- Set the path to the cacert.pem file in the php.ini.
Other options are to set the environment variable CURL_CA_BUNDLE or to put the cacert.pem file in a defined directory on your filesystem depending on your OS.
But, as we are working with digital certificates with PHP cURL, let's use PHP! 🙂
Pass the cacert.pem file path directly to cURL when making the call
To do this, simply pass the cacert.pem file path as a parameter to the stream_context_create() function:

    $contextOptions = [
        'ssl' => [
            // Verify the server certificate and host name against the CA bundle
            'verify_peer' => true,
            'verify_peer_name' => true,
            'allow_self_signed' => false,
            'cafile' => 'path/to/your/cacert.pem',
            'ciphers' => 'HIGH',
            'disable_compression' => true,
            // Keep the peer certificate, chain and session details for inspection
            'capture_peer_cert' => true,
            'capture_peer_cert_chain' => true,
            'capture_session_meta' => true,
        ],
    ];
    $context = stream_context_create($contextOptions);

How to set the cacert.pem file path in the php.ini
The other, more robust solution is to set the cacert.pem file path directly in the php.ini.
To do this, find the line curl.cainfo:

    [curl]
    ; A default value for the CURLOPT_CAINFO option. This is required to be an
    ; absolute path.
    ;curl.cainfo =

    [openssl]
    ; The location of a Certificate Authority (CA) file on the local filesystem
    ; to use when verifying the identity of SSL/TLS peers. Most users should
    ; not specify a value for this directive as PHP will attempt to use the
    ; OS-managed cert stores in its absence. If specified, this value may still
    ; be overridden on a per-stream basis via the "cafile" SSL stream context
    ; option.
    ;openssl.cafile=

    ; If openssl.cafile is not specified or if the CA file is not found, the
    ; directory pointed to by openssl.capath is searched for a suitable
    ; certificate. This value must be a correctly hashed certificate directory.
    ; Most users should not specify a value for this directive as PHP will
    ; attempt to use the OS-managed cert stores in its absence. If specified,
    ; this value may still be overridden on a per-stream basis via the "capath"
    ; SSL stream context option.
    ;openssl.capath=

To make cURL work with digital certificates, it is sufficient to set the curl.cainfo parameter:

    [curl]
    ; A default value for the CURLOPT_CAINFO option. This is required to be an
    ; absolute path.
    curl.cainfo = /usr/local/etc/openssl/certs/cacert.pem

Save the php.ini file and restart Apache. Try again and all should work well.
Obviously, to solve the “SSL certificate problem: unable to get local issuer certificate” error in Magento when trying to connect to MagentoConnect the option we should choose is the second: set the cacert.pem file path directly in the php.ini.
Where to download a cacert.pem file
There isn’t an official cacert.pem, so we have to use the most accredited one, that is, the one compiled by Mozilla, which can be downloaded from //curl.haxx.se/ca/cacert.pem
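Both ways of configuring cURL depend on the saved cacert.pem being intact, and the php.ini comment requires an absolute path for curl.cainfo. The following added example (not from the original article) checks a bundle before it is referenced; the function name check_ca_bundle is hypothetical, and the optional SHA-256 digest is assumed to have been obtained separately from the download itself.

```shell
#!/bin/sh
# Added example, not part of the original article.
# check_ca_bundle PATH [EXPECTED_SHA256]
# Prints one status word and returns 0 only when the bundle is usable.
check_ca_bundle() {
    bundle=$1
    expected=${2:-}

    # php.ini states that curl.cainfo must be an absolute path.
    case $bundle in
        /*) ;;
        *)  echo "not-absolute"; return 1 ;;
    esac

    if [ ! -r "$bundle" ] || [ ! -s "$bundle" ]; then
        echo "unreadable"; return 1
    fi

    # A saved HTML page has no PEM blocks; a cut-off copy has unbalanced ones.
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -eq 0 ]; then
        echo "no-certificates"; return 1
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "truncated"; return 1
    fi

    # Optional integrity check against a digest obtained out of band (assumption).
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$bundle" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "digest-mismatch"; return 1
        fi
    fi

    echo "ok"
}
```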