cURL错误77:读取SSL证书时出现问题(路径:/etc/ssl/certs/ca-certificates.crt),位于/var/www/app/src/Http/Client.php:28
cURL error 77: Problem with reading SSL certificate (path: /etc/ssl/certs/ca-certificates.crt) in /var/www/app/src/Http/Client.php:28
ID: php/curl-ssl-cacert-path-missing
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| PHP 7.4 | active | — | — | — |
| PHP 8.0 | active | — | — | — |
| PHP 8.1 | active | — | — | — |
| PHP 8.2 | active | — | — | — |
根因分析
curl.cainfo或CURLOPT_CAINFO指定的CA证书包文件不存在、不可读或为空,导致cURL无法验证SSL证书。
English
The CA certificate bundle file specified in curl.cainfo or CURLOPT_CAINFO does not exist, is unreadable, or is empty, preventing cURL from verifying SSL certificates.
官方文档
https://www.php.net/manual/en/function.curl-setopt.php解决方案
-
Download the latest cacert.pem from https://curl.se/docs/caextract.html and set the path in php.ini: curl.cainfo = /path/to/cacert.pem. Then restart PHP-FPM.
-
Find the correct CA bundle path on the system: run 'openssl version -d' to get the OpenSSL directory, then look for cert.pem or ca-certificates.crt. Set curl.cainfo accordingly.
-
Copy the CA bundle to the expected location: sudo cp /etc/ssl/certs/ca-certificates.crt /usr/local/share/ca-certificates/ && sudo update-ca-certificates. Then verify with: php -r 'var_dump(curl_version()["ssl_version"]);'
无效尝试
常见但无效的做法:
-
30% 失败
This bypasses security and leaves the application vulnerable to man-in-the-middle attacks; it is not a fix for the missing certificate issue.
-
50% 失败
The package may install certificates to a different path (e.g., /etc/ssl/certs/ca-bundle.crt), and the PHP configuration still points to the old path.
-
70% 失败
Setting an empty string causes PHP to use the default compiled-in path, which may also be incorrect or missing.