Are these paths always accessible on shared hosting?

From https://github.com/guzzle/guzzle/blob/master/src/functions.php#L160 :

function default_ca_bundle()
{
    static $cached = null;
    static $cafiles = [
        // Red Hat, CentOS, Fedora (provided by the ca-certificates package)
        '/etc/pki/tls/certs/ca-bundle.crt',
        // Ubuntu, Debian (provided by the ca-certificates package)
        '/etc/ssl/certs/ca-certificates.crt',
        // FreeBSD (provided by the ca_root_nss package)
        '/usr/local/share/certs/ca-root-nss.crt',
        // OS X provided by homebrew (using the default path)
        '/usr/local/etc/openssl/cert.pem',
        // Google app engine
        '/etc/ca-certificates.crt',
        // Windows?
        'C:\\windows\\system32\\curl-ca-bundle.crt',
        'C:\\windows\\curl-ca-bundle.crt',
    ];
    if ($cached) {
        return $cached;
    }
    ...
}

Isn’t it possible that some shared hosts ban access to these system paths, so the CA bundle store will not be accessible, or will these files always be accessible on shared hosting too?

Probably not. But the exception text tells a nice story.

No system CA bundle could be found in any of the the common system locations. PHP versions earlier than 5.6 are not properly configured to use the system’s CA bundle by default. In order to verify peer certificates, you will need to supply the path on disk to a certificate bundle to the ‘verify’ request option:

http://docs.guzzlephp.org/en/latest/clients.html#verify.

If you do not need a specific certificate bundle, then Mozilla provides a commonly used CA bundle which can be downloaded here (provided by the maintainer of cURL):

https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt.

Once you have a CA bundle available on disk, you can set the ‘openssl.cafile’ PHP ini setting to point to the path to the file, allowing you to omit the ‘verify’ request option. See http://curl.haxx.se/docs/sslcerts.html for more information.

Scott
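The fallback the exception text describes, as an added example that is not part of the thread or of Guzzle's own code: probe the quoted paths from inside the PHP process (where `open_basedir` may hide them), fall back to a bundle deployed with the application, and fail closed if nothing usable is found. The function name `find_readable_ca_bundle` and the fallback path `certs/cacert.pem` are assumptions made for illustration.

```php
<?php
// Added example (not Guzzle's code): find a CA bundle this PHP process can read.

/**
 * Return the first candidate that is readable and contains a PEM certificate.
 * Throws instead of returning false, so verification is never silently disabled.
 */
function find_readable_ca_bundle(array $systemPaths, string $fallback): string
{
    // An explicit ini setting wins, as the exception text recommends.
    $configured = array_filter([ini_get('openssl.cafile'), ini_get('curl.cainfo')]);
    $candidates = array_merge($configured, $systemPaths, [$fallback]);

    foreach ($candidates as $path) {
        // Under open_basedir these calls warn and return false for paths
        // outside the allowed tree, so suppress the warning and move on.
        if (!@is_file($path) || !@is_readable($path)) {
            continue;
        }
        // Reject empty or non-PEM files (for example a placeholder left by the host).
        $head = @file_get_contents($path, false, null, 0, 65536);
        if ($head !== false && strpos($head, '-----BEGIN CERTIFICATE-----') !== false) {
            return $path;
        }
    }
    throw new RuntimeException('No readable CA bundle; refusing to disable TLS verification.');
}

// Unix paths copied from the default_ca_bundle() excerpt quoted in this thread.
$systemPaths = [
    '/etc/pki/tls/certs/ca-bundle.crt',
    '/etc/ssl/certs/ca-certificates.crt',
    '/usr/local/share/certs/ca-root-nss.crt',
    '/usr/local/etc/openssl/cert.pem',
    '/etc/ca-certificates.crt',
];

try {
    // Hypothetical fallback: a bundle deployed with the application itself.
    $bundle = find_readable_ca_bundle($systemPaths, __DIR__ . '/certs/cacert.pem');
    $guzzleOptions = ['verify' => $bundle]; // pass to new \GuzzleHttp\Client($guzzleOptions)
    echo "Using CA bundle: $bundle\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Run it through the same SAPI that serves the site (not the CLI), since `open_basedir` and the ini settings often differ between the two.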

One of my hosts allows access to /etc/ssl/certs/ca-certificates.crt - but this is a hit-and-miss function so I believe it will fail to work on some hosts.

But it was working fine for me in PHP lower than 5.6 without providing CURLOPT_CAFILE manually. It seems it could still find the system CA bundle! So why does it say that?
