DevKinsta Localhost: cURL error 60: SSL certificate problem

I would love more information on the error given by query monitor. Ideally a fix.

The error:
cURL error 60: SSL certificate problem: unable to get local issuer certificate

PHP: Version 8.0.30
WP: Version 6.5.4

Plugins include and limited to:
Query Monitor
WP-Optimize - Clean, Compress, Cache

Theme:
Bricks Builder

Context:
Query monitor error, HTTP API Calls:
Method: GET
URL: https://exmaple.local/wp-content/themes/bricks/style.css
Status: cURL error 60: SSL certificate problem: unable to get local issuer certificate
Caller: WP_Optimize->get_stylesheet_headers()
Component: Plugin: wp-optimize

The error happens when you go to the wp optimize plugin:
https://exmaple.local/wp-admin/admin.php?page=WP-Optimize

I have a clean wordpress install hosted locally using devkinsta.

Hello.

This is no major concern at all, i just want to be enlighten. It just annoy me that i cannot fix it. There is no error if i disable https at devkinsta.

Thank you for any feedback.

Hi @kjosern :wave:

Welcome to the Kinsta Community!

You might encounter the error “cURL error 60: SSL certificate problem: unable to get local issuer certificate” because the Devkinsta app uses a self-signed SSL certificate only. If you use curl -k to bypass SSL, it should provide the correct curl output. I am not sure, though, if this is doable within the optimize plugin. But you can check out the screenshot below as an example:

You can also refer to this lengthy discussion thread for possible workarounds to bypass this self-signed SSL limitation:

I hope that you find this information helpful. :slightly_smiling_face:

Hi thank you for the insight! I guess it would work, but i might just turn of https inside devkinsta instead, as it is easier to manage for me.

Follow up question, will this affect production or cause any problems developing on none ssl?

Again, thank you so much for your time to reply to me.

Hi @kjosern! Thank you for your reply!

Disabling SSL and HTTPS within DevKinsta should allow you to make insecure connections via HTTP to the local development site. This should not cause problems during the development process. Once you have pushed the site from DevKinsta to a staging environment in MyKinsta where a valid SSL certificate is installed, you can run a search and replace to search for “http://staging-domain-name” and replace it with “https://staging-domain-name” to ensure that all links have been updated from HTTP to HTTPS.

You may find a link to our help article below that goes over how to use the search and replace tool in MyKinsta:

If you do have any questions please don’t hesitate to reply! We are standing by and happy to help!

Best regards

1 Like

For future readers, please note that the issue discussed here is not a critical problem; it’s primarily an annoyance. However, if you’re interested in resolving it, here’s an explanation.

The issue arises when you enable HTTPS locally; DevKinsta utilizes a self-signed certificate. CURL, which verifies certificates, uses a bundle that contains public keys from recognized certificate authorities. Naturally, a self-signed certificate isn’t recognized by this bundle. Consequently, when a plugin or your code uses CURL to fetch data from your own page (e.g., https://your-site.local), you will encounter the SSL error 60.

In my efforts to resolve this, I discovered that you need to add your own certificate to the certificate bundle used by CURL. This adjustment is made inside the devkinsta_fpm container. Unfortunately, this didn’t solve my issue entirely. It turns out that wp_remote_get(), a PHP function within WordPress, uses its own set of certificates. To address the problem, you must add your certificate to the bundle located at wp-includes/certificates/ca-bundle.crt. Simply open this file in a text editor to make the addition.

Disclaimer: This is not inherently a problem; it’s more about alleviating an annoyance. I’m not aware of all potential consequences of these changes. For instance, they might be overwritten during a WordPress update, or they might complicate collaboration in a team setting. I just wanted to shed some light on this. Below is a PHP script you can use to test for these errors by adding the script to your plugin folder:

/**
 * Plugin Name: CURL and WP Remote Get Test Plugin
 * Description: Tests CURL requests and WordPress HTTP API requests from the admin area.
 * Version: 1.0
 * Author: ChatGPT4
 */

function curl_and_wp_remote_test_menu() {
    add_menu_page('CURL and WP Remote Test', 'CURL and WP Remote Test', 'manage_options', 'curl_wp_remote_test_plugin', 'curl_wp_remote_test_admin_page');
}

add_action('admin_menu', 'curl_and_wp_remote_test_menu');

function curl_wp_remote_test_admin_page() {
    echo '<h2>CURL and WP Remote Get Test Output</h2>';

    // CURL Test
    $curl_url = 'https://your-site.local'; // Adjust the URL to match your needs
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $curl_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1); // This ensures SSL verification is enabled
    $output = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if (!empty($error)) {
        echo "<p>CURL Error: " . esc_html($error) . "</p>";
    } else {
        echo "<p>Success: CURL fetched the CSS file successfully.</p>";
    }

    // WordPress HTTP API Test
    $wp_remote_url = 'https://your-site.local'; // Change this to a URL with your self-signed certificate
    $response = wp_remote_get($wp_remote_url, array('sslverify' => true));

    if (is_wp_error($response)) {
        echo '<div class="notice notice-error"><p>WP Remote Get Test Failed: ' . esc_html($response->get_error_message()) . '</p></div>';
    } else {
        echo '<div class="notice notice-success"><p>WP Remote Get Test Succeeded: Response successfully received.</p></div>';
    }
}
1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.