I am getting “Curl Error : SSL_CACERT SSL certificate problem: unable to get local issuer certificate” when asking Facebook to scrape my page over https. How can I fix this so that Facebook can scrape my page without errors?

The page is hosted via Apache 2.4 proxying to IIS 10. Apache handles all certificates and IIS is on the local network. My page is running asp code (so no php) and solutions similar to these: edit the php.ini file or adding curl.pem to php folder will not fix my problem … or so I think?!?

IIS has no certificate installed.

I do have extension=php_curl.dll enabled — and extension_dir = 'C:64bitphp-7.0.6-Win32-VC14-x64ext' defined in my php.ini file. I followed these steps to install Curl on Windows. And phpinfo.php confirms that cURL is enabled (cURL Information 7.47.1).

My proxy setup in my Apache config file is:

<IfModule mod_proxy.c>
    ProxyRequests Off
    ProxyPass           / http://192.168.1.101:88/com_ssl/
    ProxyPassReverse    / http://192.168.1.101:88/com_ssl/
    RewriteRule ^(.+)$  https://www.domainname.com/$1 [P,L] 
</IfModule>

I have no RequestHeader defined in my Apache proxy config file, such as suggested here in Step 10:

RequestHeader set "X-RP-UNIQUE-ID"     "%{UNIQUE_ID}e"
RequestHeader set "X-RP-REMOTE-USER"     "%{REMOTE_USER}e"
RequestHeader set "X-RP-SSL-PROTOCOL"     "%{SSL_PROTOCOL}s"
RequestHeader set "X-RP-SSL-CIPHER"     "%{SSL_CIPHER}s"

Is this what is missing to fix the error?

3 Answers


  1. “unable to get local issuer certificate” is almost always the error message you get when the server doesn’t provide an intermediate certificate as it should in the TLS handshake, and as WizKid suggests, running the ssllabs test against the server will indeed tell you if that is the case.

  2. If you are using a Node.js server and getting this error ‘Curl Error SSL_CACERT SSL certificate’ then you need to add your CA along with your SSL CRT.

    var fs = require('fs'); 
    var https = require('https'); 
    var options = { 
        key: fs.readFileSync('server-key.pem'), 
        cert: fs.readFileSync('server-crt.pem'), 
        ca: fs.readFileSync('ca-crt.pem'), // <= Add This
    }; 
    https.createServer(options, function (req, res) { 
        console.log(new Date()+' '+ 
            req.connection.remoteAddress+' '+ 
            req.method+' '+req.url); 
        res.writeHead(200); 
        res.end("hello world\n"); 
    }).listen(4433);
    
    
  3. This may not have been the case at the time but I will add this info in case others encounter the same issue.

    If you are using a CDN, like Cloudflare, it is important to set up your SSL before adding to Cloudflare as it can generate issues.

    It is also important to ensure that all domains are correctly annotated in the DNS control of Cloudflare, otherwise you may end up serving your main domain via Cloudflare and your subdomain(s) directly from your server. Whilst this won't matter much to the user (still shows secure, still have access, still passes SSL tests) it may flag issues with sharing apps onto social media. Basically, I replicated the error by splitting the DNS setup as above and achieved the flagged error as highlighted by the OP. Then I added the DNS for the subdomain into Cloudflare, tested a few hours later (after resetting the page in debugger: https://developers.facebook.com/tools/debug/sharing/?q=https%3A%2F%2Fus.icalculator.info%2Fterminology%2Fus-tax-tables%2F2019%2Fvirginia.html), and, hey presto, the error goes. So, if you encounter that issue and you use Cloudflare, that is something to check you have set up correctly.

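The diagnosis in the first answer can be reproduced offline. The script below is an added example, not part of the original thread: it builds a throwaway root, intermediate and leaf with the `openssl` CLI (all CNs, file names and function names are constructed for the demo) and verifies the leaf the way a client that trusts only the root would, first with the leaf alone and then with the intermediate supplied as the server should send it.

```shell
#!/usr/bin/env bash
# Added example, constructed data: a throwaway root -> intermediate -> leaf chain.
# CNs, file names and function names are made up for this demo.
set -eu

build_chain() (            # $1 = empty working directory
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
      -subj "/CN=demo-$n" -out "$n.csr" 2>/dev/null
  done
  # Self-signed root: the only certificate the client trusts.
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 1 -out root.crt 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -days 1 -out inter.crt 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate.
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key \
    -CAcreateserial -days 1 -out leaf.crt 2>/dev/null
)

# Verify the leaf as a client that trusts only root.crt.
# $1 = working directory, $2 = extra certs the server sent ("" for none).
verify_as_client() (
  cd "$1"
  if [ -n "$2" ]; then
    openssl verify -CAfile root.crt -untrusted "$2" leaf.crt 2>&1 || true
  else
    openssl verify -CAfile root.crt leaf.crt 2>&1 || true
  fi
)

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_chain "$work"

echo "Server sends leaf only:"
verify_as_client "$work" ""            # error 20: unable to get local issuer certificate
echo "Server sends leaf + intermediate:"
verify_as_client "$work" inter.crt     # leaf.crt: OK
```

On Apache 2.4 the second case corresponds to appending the intermediate certificate(s) to the file named by `SSLCertificateFile` (2.4.8 and later), or pointing `SSLCertificateChainFile` at them on older builds.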