If you get the following error running PHP using the AWS SDK for PHP, then this post is for you!
Error executing “GetParametersByPath” on “https://ssm.us-east-2.amazonaws.com”; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)
The problem is that your PHP installation is not configured to use a current CA certificate bundle. To confirm, create a PHP script with the following, then execute it to see the results:
<?php echo "curl.cainfo: ". ini_get('curl.cainfo'). "\n";
Either no value is specified, or the file it specifies may be out of date.
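A fuller version of the check above, as an added example that is not from the original post: it prints which php.ini is loaded, then for `curl.cainfo`, `openssl.cafile` and OpenSSL's built-in default reports whether the bundle file is readable, how many certificates it holds, how many have expired and how old the file is. The function name `inspectCaBundle` and the output layout are this example's own, and the `openssl` extension is assumed to be loaded.

```php
<?php
// Added example: report which CA bundle PHP is configured to use and its condition.
// inspectCaBundle() is a hypothetical helper name, not part of PHP or the AWS SDK.

function inspectCaBundle(?string $path): array
{
    if ($path === null || $path === '') {
        return ['status' => 'not set'];
    }
    if (!is_readable($path)) {
        return ['status' => 'missing or unreadable', 'path' => $path];
    }
    $pem = file_get_contents($path);
    // Each CA in the bundle is one PEM block.
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $expired = 0;
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info !== false && $info['validTo_time_t'] < time()) {
            $expired++;
        }
    }
    return [
        'status'       => count($m[0]) > 0 ? 'ok' : 'no certificates found',
        'path'         => $path,
        'certificates' => count($m[0]),
        'expired'      => $expired,
        'age_days'     => (int) floor((time() - filemtime($path)) / 86400),
    ];
}

// The two ini settings used on this page, plus OpenSSL's compiled-in default for reference.
$candidates = [
    'curl.cainfo'     => ini_get('curl.cainfo') ?: null,
    'openssl.cafile'  => ini_get('openssl.cafile') ?: null,
    'openssl default' => openssl_get_cert_locations()['default_cert_file'] ?? null,
];

echo 'php.ini in use: ' . (php_ini_loaded_file() ?: '(none)') . "\n";
foreach ($candidates as $name => $path) {
    echo str_pad($name, 16) . ' ' . json_encode(inspectCaBundle($path), JSON_UNESCAPED_SLASHES) . "\n";
}
```

Run it both from the command line and through the web server, since the two can load different php.ini files.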
Solution to the SSL certificate problem
Update the Certificate Authority bundle by downloading the latest version from here: https://curl.se/docs/caextract.html. At the time of this writing the latest version is cacert-2023-01-10.pem.
Option 1: edit the php.ini – BEST OPTION
Edit the php.ini file: add the curl.cainfo setting if it is not set, or change the current setting, so that it points to the path where you saved the cacert-2023-01-10.pem file.
...
curl.cainfo = /path/to/cacert-2023-01-10.pem
...
Don’t forget to restart your web server for the changes to take effect.
Note: if you are using Ubuntu or similar, you may need to update several php.ini files, as the php.ini for Apache (/etc/php/8.2/apache2/php.ini) is a different file from the one for the command line (/etc/php/8.2/cli/php.ini).
Option 2: for Apache web server use, add to the .htaccess
Edit the .htaccess file and make sure to add the following:
...
php_value curl.cainfo "/path/to/cacert-2023-01-10.pem"
...
Note that this only works if you are using the Apache web server with PHP running as mod_php (not as FastCGI), and Apache must allow you to set OPTIONS from your .htaccess files.
Option 3: for command line use, add the parameter to the command line
When you run scripts from the command line, add a -d parameter before the script you are executing:
php -d openssl.cafile=/path/to/cacert-2023-01-10.pem myscript.php
In my case I am using the aws.phar with a command line script, the contents of the script look something like this:
<?php
require 'aws.phar';

use Aws\Ssm\SsmClient;
use Aws\Exception\AwsException;

$path = '/my/parameter/name';
$verbose = true; // print the error message when a request fails

$parameterStoreClient = new SsmClient([
    'profile' => 'sandbox',
    'region' => 'us-east-2',
    'version' => "latest"
]);

$parameters = null;
try {
    // Keep the result so it can be read after the try block
    $parameters = $parameterStoreClient->getParametersByPath([
        "Path" => $path,
        "WithDecryption" => false
    ]);
} catch (AwsException $e) {
    if ($verbose) {
        echo "Error: ";
        echo $e->getMessage();
        echo "\n";
    }
}

if (!empty($parameters["Parameters"][0]['Value'])) {
    echo "Value: ". $parameters["Parameters"][0]['Value'] ."\n";
}
Option 4: add to the config settings when making the client
This option could be useful if you package the pem file with your project.
<?php
$parameterStoreClient = new SsmClient([
    'profile' => 'sandbox',
    'region' => 'us-east-2',
    'version' => "latest",
    // 'verify' sets the CA bundle used to validate the server; 'cert' is for a client certificate
    'http' => array('verify' => '/path/to/cert.pem')
]);
...