What It Does & Meaning:
The following code tells the cURL to NOT verify that security certificates are correct. Hence, the error disappears.
$opts[CURLOPT_SSL_VERIFYPEER] = false;
$opts[CURLOPT_SSL_VERIFYHOST] = 2;
When you connect to a remote server with SSL, their certificate might be invalid, expired, or not signed by a recognized CA. The cURL normally checks it.
CURLOPT_SSL_VERIFYHOST:
- 1: to check the existence of a common name in the SSL peer certificate.
- 2: to check the existence of a common name and also verify that it matches the hostname provided.
CURLOPT_SSL_VERIFYPEER: FALSE to stop CURL from verifying the peer's certificate. Alternate certificates to verify against can be specified with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option. CURLOPT_SSL_VERIFYHOST may also need to be TRUE or FALSE if CURLOPT_SSL_VERIFYPEER is disabled (it defaults to 2).
How to Enable & Verify Correctly:
To verify correctly, we need to to verify the certificate being presented to us is good for real. We do this by comparing it against a certificate we reasonable* trust.
If the remote resource is protected by a certificate issued by one of the main CA's like Verisign, GeoTrust et al, you can safely compare against Mozilla's CA certificate bundle which you can get from http://curl.haxx.se/docs/caextract.html
Save the file cacert.pem somewhere in your server and set the following options in your script.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt ($ch, CURLOPT_CAINFO, "pathto/cacert.pem");
If you are connecting to a resource protected by a self-signed certificate, all you need to do is obtain a copy of the certificate in PEM format and append it to the cacert.pem of the above paragraph.