CurlException: [curl] 51: SSL: certificate verification failed

Look at the certificate chain for whatever domain is giving you this error. For me it was googleapis.com.

openssl s_client -host www.googleapis.com -port 443

You'll get back something like this:

CONNECTED(00000005)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.googleapis.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign

Note: I captured this after I fixed the issue. Also, your chain output will look different.

Then you need to look at the certificates allowed in PHP running under Apache. Run phpinfo() in a page.

<?php phpinfo();

Then look for the certificate file that's loaded from the page output by searching the page for openssl.cafile:

openssl.cafile openssl.cafile /usr/local/php5/ssl/certs/cacert.pem

This is the file you'll need to fix by adding the correct certificate(s) to it.

sudo nano /usr/local/php5/ssl/certs/cacert.pem

You basically need to append the correct certificate "signatures" to the end of this file.

You can find some of them here:

  • https://pki.google.com/
  • https://www.geotrust.com/resources/root-certificates/index.html

They look like this:

[Image: example certificate]

(Note: This is an image so people will not simply copy/paste certificates from Stack Overflow)

If you need to convert a .crt to PEM, you'll need to do something like this:

openssl x509 -inform DER -outform PEM -in GIAG2.crt -out GIAG2.pem

Once the right certificates are in this file, restart Apache and test.
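
The append step above, as an added example that is not part of the original answer: it adds a CA certificate (PEM or DER) to a bundle only when its SHA-256 fingerprint matches a value obtained out-of-band from the CA, then checks the chain with openssl verify. All function names are hypothetical, and make_test_chain builds a constructed throwaway CA so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. Function names are hypothetical.

# Detect whether a certificate file is PEM or DER encoded.
cert_form() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# Print the SHA-256 fingerprint (colon-separated upper-case hex) of a certificate.
cert_fingerprint() {
  openssl x509 -inform "$(cert_form "$1")" -in "$1" -noout -fingerprint -sha256 |
    cut -d= -f2
}

# add_ca_to_bundle BUNDLE CERT EXPECTED_FP
# Appends CERT (converted to PEM) to BUNDLE only if its fingerprint equals
# EXPECTED_FP, a value obtained out-of-band from the CA's own site.
# Returns 0 on append, 1 on mismatch, 2 if CERT cannot be parsed.
add_ca_to_bundle() {
  local bundle=$1 cert=$2 expected actual
  expected=$(printf '%s' "$3" | tr 'a-f' 'A-F')
  actual=$(cert_fingerprint "$cert")
  [ -n "$actual" ] || return 2
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch for $cert: got $actual" >&2
    return 1
  fi
  # Leading blank line keeps the new block separate if the bundle lacks a final newline.
  { echo; openssl x509 -inform "$(cert_form "$cert")" -in "$cert" -outform PEM; } >> "$bundle"
}

# Succeeds only if the certificate in $2 verifies with bundle $1 as the CA file.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a constructed throwaway CA (PEM plus a DER .crt) and a leaf signed by it, in $1.
make_test_chain() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Test CA' \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.crt" &&
  openssl req -newkey rsa:2048 -nodes -subj '/CN=leaf.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}
```

Work on a copy of cacert.pem and swap it into place only after chain_verifies succeeds, so a bad edit never reaches the file Apache loads.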