We have a number of sites that use webhooks, which were having trouble connecting to our back-end services. This problem only occurred recently as everything was working in the past.
Searching for the specific error message, “cURL error 60: SSL certificate problem: unable to get local issuer certificate”, gave a number of different fixes for PHP, essentially configuring PHP to search for trusted certs.
Unfortunately, none of the fixes worked. No matter how much reconfiguration was done for PHP, it didn’t work. The problem must lie somewhere lower than the PHP layer.
Drilling down further by running OpenSSL directly:
openssl s_client -debug -host xxx -port 443
This gave us an error as well, “Verify return code: 21 (unable to verify the first certificate)”. This clearly shows that the problem is in a lower layer than PHP. So, it’s not the fault of PHP, nor OpenSSL.
It turns out that the issue was that the wrong intermediate certificate was being sent on the server side; it was not a problem on the cURL client side. There have been a number of changes made by Let's Encrypt to their intermediate certificates not too long ago. We had not changed our configuration on this server for a while now.
So, all we had to do was to download the latest intermediate certificate and configure our web server to use that instead.
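To confirm this kind of fault from the client side before touching the server, the chain the server actually sends can be checked for gaps. The following is an added example, not code from the original post: check_chain is a hypothetical helper, the host, subject and issuer names are constructed, and it compares names only (it does not verify signatures or expiry).

```shell
#!/bin/sh
# check_chain (hypothetical helper): read `openssl s_client -showcerts` output
# on stdin and check that every certificate sent is issued by the next one sent.
# Live use:  openssl s_client -connect HOST:443 -showcerts </dev/null 2>/dev/null | check_chain
check_chain() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---$/  { in_chain = 0 }   # exact match: PEM lines start with -----
    in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "ERROR: no certificate chain in input"; exit 2 }
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) {
          printf "BROKEN: cert %d is issued by [%s] but the next cert sent is [%s]\n", k - 1, iss[k], subj[k + 1]
          bad = 1
        }
      if (n == 1 && iss[1] != subj[1]) {
        print "INCOMPLETE: only the leaf was sent, no intermediate"
        bad = 1
      }
      if (!bad) printf "OK: %d certificate(s) sent, each issued by the next\n", n
      exit bad + 0
    }
  '
}

# Constructed sample: the server sends the intermediate that issued the leaf.
GOOD_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = hooks.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate B
 1 s:C = XX, O = Example CA, CN = Example Intermediate B
   i:C = XX, O = Example CA, CN = Example Root
---'

# Constructed sample: the leaf was issued by Intermediate B, but the server
# configuration still ships the older Intermediate A.
WRONG_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = hooks.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate B
 1 s:C = XX, O = Example CA, CN = Example Intermediate A
   i:C = XX, O = Example CA, CN = Example Root
---'

printf '%s\n' "$GOOD_CHAIN"  | check_chain || true
printf '%s\n' "$WRONG_CHAIN" | check_chain || true
```

A BROKEN or INCOMPLETE result points at the server's chain file rather than at the client's trust store, which is the situation described above.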