PHP cURL error 60: SSL Certificate Problem in CI
cURL verifies a server certificate against a CA bundle. When PHP has no curl.cainfo/openssl.cafile configured, or the bundle is missing/stale on the runner, HTTPS requests fail with cURL error 60 - "unable to get local issuer certificate".
What this error means
An HTTPS request (Guzzle, a webhook call, a package fetch) fails in CI with "cURL error 60: SSL certificate problem: unable to get local issuer certificate". The same call works locally where a CA bundle is configured.
GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem:
unable to get local issuer certificate (see https://curl.se/libcurl/c/...)
for https://api.example.com/v1/pingCommon causes
No CA bundle configured for PHP/cURL
A minimal PHP image may not set curl.cainfo/openssl.cafile, so cURL cannot find trusted root certificates to verify the peer.
The CA bundle is missing or out of date
The ca-certificates package is absent or stale on the runner, so even configured paths point at no usable bundle.
How to fix it
Install and point PHP at a CA bundle
Install the certificates package and set the ini paths to the bundle.
apt-get update && apt-get install -y ca-certificates
php -d curl.cainfo=/etc/ssl/certs/ca-certificates.crt \
-d openssl.cafile=/etc/ssl/certs/ca-certificates.crt bin/run.phpSet the paths in php.ini for the runner
; php.ini
curl.cainfo = /etc/ssl/certs/ca-certificates.crt
openssl.cafile = /etc/ssl/certs/ca-certificates.crtVerify, and never just disable verification
- Confirm the bundle file exists and is non-empty on the runner.
- Test with
curl -v https://api.example.comto see the verification result. - Do not set CURLOPT_SSL_VERIFYPEER=false to "fix" it - that disables security, not the bug.
How to prevent it
- Install
ca-certificatesand configurecurl.cainfo/openssl.cafilein the runner image. - Keep the CA bundle current as part of base image maintenance.
- Never disable peer verification to silence cURL error 60.