SSL certificate problem: unable to get local issuer certificate

[blacknell]

This error relates #972

I've been running composer fine for many months and years and then just recently I'm getting errors on composer outdated but it's the same with any composer command

https://repo.packagist.org could not be fully loaded (curl error 60 while downloading https://repo.packagist.org/packages.json: SSL certificate problem: unable to get local issuer certificate), package information was loaded from the local cache and may be out of date
Legend:
! patch or minor release available - update recommended
~ major release available - update possible
markbaker/complex         2.0.3   ~ 3.0.1   PHP Class for working with complex numbers
markbaker/matrix          2.1.3   ~ 3.0.0   PHP Class for working with matrices
monolog/monolog           2.3.2   ! 2.3.4   Sends your logs to files, sockets, inboxes, databases and various web services
symfony/polyfill-mbstring v1.23.0 ! v1.23.1 Symfony polyfill for the Mbstring extension

Here's the output from composer diagnose

Checking composer.json: OK
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: FAIL
[Composer\Downloader\TransportException] curl error 60 while downloading https://repo.packagist.org/packages.json: SSL certificate problem: unable to get local issuer certificate
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: FAIL
[Composer\Downloader\TransportException] curl error 60 while downloading https://getcomposer.org/versions: SSL certificate problem: unable to get local issuer certificate
Composer version: 2.1.11
PHP version: 7.4.12
PHP binary path: /Applications/MAMP/bin/php/php7.4.12/bin/php
OpenSSL version: OpenSSL 1.0.2u  20 Dec 2019
cURL version: 7.68.0 libz 1.2.11 ssl OpenSSL/1.0.2u
zip: extension present, unzip present, 7-Zip not available

Any ideas?

[herndlm]

Just guessing but this sounds and reads like your ca bundle could be outdated. Can you access https://repo.packagist.org/packages.json via browser or is curl https://repo.packagist.org/packages.json working? Are there outstanding system/package updates? You're on Linux, right?

[blacknell]

curl https://repo.packagist.org/packages.json

I'm on a Mac and the above works fine

{"packages":[],"notify-batch":"https://packagist.org/downloads/","providers-url":"/p/%package%$%hash%.json","metadata-url":"/p2/%package%.json","search":"https://packagist.org/search.json?q=%query%&type=%type%","list":"https://packagist.org/packages/list.json","providers-api":"https://packagist.org/providers/%package%.json","warning":"Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/","warning-versions":"<1.99","provider-includes":{"p/provider-2013$%hash%.json":{"sha256":"1dad08f7e399e597b0f9268a99116a8421b0b89bb18d4d26b1544a7afff13784"},"p/provider-2014$%hash%.json":{"sha256":"5024ffae44123c05b401ae6dfec87e8a8d493d714e159434014645e73508ff3c"},"p/provider-2015$%hash%.json":{"sha256":"e8399b3451f7c765aa59a894c03a8f3ee57b10a3516ba5c944660badb3109e29"},"p/provider-2016$%hash%.json":{"sha256":"2244d30b863743c510eb5ab5e5cad850e8c37006710f784c5022d1a9f65d66d1"},"p/provider-2017$%hash%.json":{"sha256":"fab624c6ae01c8f877a57d1b0b7b7bd903ac2b6526410b6e39db889f8f714f37"},"p/provider-2018$%hash%.json":{"sha256":"6370b572f2278131991248ba6fb5b4b2a629ef8975e3180242546fcdd94531fc"},"p/provider-2019$%hash%.json":{"sha256":"fc7d6703c52bdffa53ed6a962a0526d7ce23703ffb9959fc71f9aed49f9d5c0f"},"p/provider-2020$%hash%.json":{"sha256":"3fa0f3fb659d25843d4423d3c2fb8b5ae1812b27550c782d56263c9ca6b32d2e"},"p/provider-2021-01$%hash%.json":{"sha256":"d0357c0bc960391b71131525ca5483647effb93f03b5f51bb6b97275f4457562"},"p/provider-2021-04$%hash%.json":{"sha256":"d067323f8134d33e0f306f072ad684a67aee527ee390d0618a338cc3e67aa603"},"p/provider-2021-07$%hash%.json":{"sha256":"3557d92fb44e23f98292a33f72dd30d915d58f2f4651840707bec5f3881b8904"},"p/provider-2021-10$%hash%.json":{"sha256":"73a37c8656d3cfefd189d622030b9e4c5101cda227dadfcb7bd940e1281082d6"},"p/provider-archived$%hash%.json":{"sha256":"8ade869163430bd7fa52b6e79951f164c45f43f9621ec44b4397235140809664"},"p/provider-latest$%hash%.json":{"sha256":"0e8525154c643b4c07a06ee45561001137c920856e67cd98cd69f33121df73c0"}}}

[Seldaek]

Share the output of composer diagnose -vvv please. There should be some "Checked CA file" or "Checked directory ..." on top which may indicate which CA bundle is used, and perhaps where the error lies.

[blacknell]

Share the output of composer diagnose -vvv please. There should be some "Checked CA file" or "Checked directory ..." on top which may indicate which CA bundle is used, and perhaps where the error lies.

Running 2.1.11 (2021-11-02 12:10:25) with PHP 7.4.12 on Darwin / 17.7.0
Reading ./composer.json (/Users/Paul/Dropbox/Finance/Investments/analysis/composer.json)
Loading config file ./composer.json (/Users/Paul/Dropbox/Finance/Investments/analysis/composer.json)
Checked CA file /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /etc/ssl/certs/ca-certificates.crt does not exist or it is not a file.
Checked directory /etc/ssl/certs/ca-certificates.crt does not exist or it is not a directory.
Checked CA file /etc/ssl/ca-bundle.pem does not exist or it is not a file.
Checked directory /etc/ssl/ca-bundle.pem does not exist or it is not a directory.
Checked CA file /usr/local/share/certs/ca-root-nss.crt does not exist or it is not a file.
Checked directory /usr/local/share/certs/ca-root-nss.crt does not exist or it is not a directory.
Checked CA file /usr/ssl/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /usr/ssl/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /opt/local/share/curl/curl-ca-bundle.crt does not exist or it is not a file.
Checked directory /opt/local/share/curl/curl-ca-bundle.crt does not exist or it is not a directory.
Checked CA file /usr/local/share/curl/curl-ca-bundle.crt does not exist or it is not a file.
Checked directory /usr/local/share/curl/curl-ca-bundle.crt does not exist or it is not a directory.
Checked CA file /usr/share/ssl/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /usr/share/ssl/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /private/etc/ssl/cert.pem: valid
Executing command (/Users/Paul/Dropbox/Finance/Investments/analysis): git branch -a --no-color --no-abbrev -v
Failed to initialize global composer: Composer could not find the config file: /Users/Paul/.composer/composer.json

Reading /Users/Paul/Dropbox/Finance/Investments/analysis/vendor/composer/installed.json
Checking composer.json: Reading ./composer.json (/Users/Paul/Dropbox/Finance/Investments/analysis/composer.json)
OK
Checking platform settings: OK
Checking git settings: Executing command (CWD): git config color.ui
OK
Checking http connectivity to packagist: Downloading http://repo.packagist.org/packages.json
[200] http://repo.packagist.org/packages.json
OK
Checking https connectivity to packagist: Downloading https://repo.packagist.org/packages.json
FAIL
[Composer\Downloader\TransportException] curl error 60 while downloading https://repo.packagist.org/packages.json: SSL certificate problem: unable to get local issuer certificate
Checking github.com rate limit: Downloading https://api.github.com/rate_limit
[200] https://api.github.com/rate_limit
OK
Checking disk free space: OK
Checking pubkeys: 
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: Downloading https://getcomposer.org/versions
FAIL
[Composer\Downloader\TransportException] curl error 60 while downloading https://getcomposer.org/versions: SSL certificate problem: unable to get local issuer certificate
Composer version: 2.1.11
PHP version: 7.4.12
PHP binary path: /Applications/MAMP/bin/php/php7.4.12/bin/php
OpenSSL version: OpenSSL 1.0.2u  20 Dec 2019
cURL version: 7.68.0 libz 1.2.11 ssl OpenSSL/1.0.2u
zip: extension present, unzip present, 7-Zip not available

[Seldaek]

OK so it is using /private/etc/ssl/cert.pem as CA bundle. Maybe that file is outdated? You could try to replace it with the latest from https://curl.se/docs/caextract.html ?

Ideally this should be updated automatically though..

[blacknell]

Hmm. I don't know why my cert.pem wasn't being updated but it was dated 2017. I am running on High Sierra which is rather old I admit.

Anyway, backing up the old file and downloading and replacing it with the most from from your link above fixed the problem. Thank you very much.

[tcpdump-examples]

Thanks a lot for the info. I got this fixed. This article also provides me with useful info about this. https://www.howtouselinux.com/post/exploring-unable-to-get-local-issuer-certificate

[rimadjamaa]

@Seldaek pleas can you help me with the same issue of @blacknell but me am using windows and when i did the comande line composer diagnose -vvv to indicate which CA bundle is used i get this :

PS C:\Users\Rima> composer diagnose -vvv
Running 2.5.8 (2023-06-09 17:13:21) with PHP 8.1.10 on Windows NT / 10.0
Reading C:/Users/Rima/AppData/Roaming/Composer/composer.json (C:\Users\Rima\AppData\Roaming\Composer\composer.json)
Loading config file C:/Users/Rima/AppData/Roaming/Composer/composer.json (C:\Users\Rima\AppData\Roaming\Composer\composer.json)
Checked CA file /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /etc/ssl/certs/ca-certificates.crt does not exist or it is not a file.
Checked directory /etc/ssl/certs/ca-certificates.crt does not exist or it is not a directory.
Checked CA file /etc/ssl/ca-bundle.pem does not exist or it is not a file.
Checked directory /etc/ssl/ca-bundle.pem does not exist or it is not a directory.
Checked CA file /usr/local/share/certs/ca-root-nss.crt does not exist or it is not a file.
Checked directory /usr/local/share/certs/ca-root-nss.crt does not exist or it is not a directory.
Checked CA file /usr/ssl/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /usr/ssl/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /opt/local/share/curl/curl-ca-bundle.crt does not exist or it is not a file.
Checked directory /opt/local/share/curl/curl-ca-bundle.crt does not exist or it is not a directory.
Checked CA file /usr/local/share/curl/curl-ca-bundle.crt does not exist or it is not a file.
Checked directory /usr/local/share/curl/curl-ca-bundle.crt does not exist or it is not a directory.
Checked CA file /usr/share/ssl/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /usr/share/ssl/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /etc/ssl/cert.pem does not exist or it is not a file.
Checked directory /etc/ssl/cert.pem does not exist or it is not a directory.
Checked CA file /usr/local/etc/ssl/cert.pem does not exist or it is not a file.
Checked directory /usr/local/etc/ssl/cert.pem does not exist or it is not a directory.
Checked CA file /usr/local/etc/openssl/cert.pem does not exist or it is not a file.
Checked directory /usr/local/etc/openssl/cert.pem does not exist or it is not a directory.
Checked CA file /usr/local/etc/openssl@1.1/cert.pem does not exist or it is not a file.
Checked directory /usr/local/etc/openssl@1.1/cert.pem does not exist or it is not a directory.
Checked CA file /etc/pki/tls/certs does not exist or it is not a file.
Checked directory /etc/pki/tls/certs does not exist or it is not a directory.
Checked CA file /etc/ssl/certs does not exist or it is not a file.
Checked directory /etc/ssl/certs does not exist or it is not a directory.
Checked CA file /etc/ssl does not exist or it is not a file.
Checked directory /etc/ssl does not exist or it is not a directory.
Checked CA file /usr/local/share/certs does not exist or it is not a file.
Checked directory /usr/local/share/certs does not exist or it is not a directory.
Checked CA file /usr/ssl/certs does not exist or it is not a file.
Checked directory /usr/ssl/certs does not exist or it is not a directory.
Checked CA file /opt/local/share/curl does not exist or it is not a file.
Checked directory /opt/local/share/curl does not exist or it is not a directory.
Checked CA file /usr/local/share/curl does not exist or it is not a file.
Checked directory /usr/local/share/curl does not exist or it is not a directory.
Checked CA file /usr/share/ssl/certs does not exist or it is not a file.
Checked directory /usr/share/ssl/certs does not exist or it is not a directory.
Checked CA file /etc/ssl does not exist or it is not a file.
Checked directory /etc/ssl does not exist or it is not a directory.
Checked CA file /usr/local/etc/ssl does not exist or it is not a file.
Checked directory /usr/local/etc/ssl does not exist or it is not a directory.
Checked CA file /usr/local/etc/openssl does not exist or it is not a file.
Checked directory /usr/local/etc/openssl does not exist or it is not a directory.
Checked CA file /usr/local/etc/openssl@1.1 does not exist or it is not a file.
Checked directory /usr/local/etc/openssl@1.1 does not exist or it is not a directory.
Checked CA file C:\Users\Rima\AppData\Local\Temp\ope62AE.tmp: valid
Executing command (C:/Users/Rima/AppData/Roaming/Composer): git branch -a --no-color --no-abbrev -v
Executing command (C:/Users/Rima/AppData/Roaming/Composer): git describe --exact-match --tags
Executing command (CWD): git --version
Executing command (C:/Users/Rima/AppData/Roaming/Composer): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (C:/Users/Rima/AppData/Roaming/Composer): hg branch
Executing command (C:/Users/Rima/AppData/Roaming/Composer): fossil branch list
Executing command (C:/Users/Rima/AppData/Roaming/Composer): fossil tag list
Executing command (C:/Users/Rima/AppData/Roaming/Composer): svn info --xml
Reading C:/Users/Rima/AppData/Roaming/Composer/composer.json (C:\Users\Rima\AppData\Roaming\Composer\composer.json)
Loading config file C:/Users/Rima/AppData/Roaming/Composer/composer.json (C:\Users\Rima\AppData\Roaming\Composer\composer.json)
Reading C:/Users/Rima/AppData/Roaming/Composer/composer.lock (C:\Users\Rima\AppData\Roaming\Composer\composer.lock)
Reading C:/Users/Rima/AppData/Roaming/Composer/vendor/composer/installed.json (C:\Users\Rima\AppData\Roaming\Composer\vendor\composer\installed.json)
Reading C:/Users/Rima/AppData/Roaming/Composer/vendor/composer/installed.json (C:\Users\Rima\AppData\Roaming\Composer\vendor\composer\installed.json)
Checking platform settings: OK
Checking git settings: Executing command (CWD): git config color.ui
OK git version 2.41.0
Checking http connectivity to packagist: Downloading http://repo.packagist.org/packages.json
[200] http://repo.packagist.org/packages.json
OK
Checking https connectivity to packagist: Downloading https://repo.packagist.org/packages.json
[200] https://repo.packagist.org/packages.json
OK
Checking github.com rate limit: Downloading https://api.github.com/rate_limit
[200] https://api.github.com/rate_limit
OK
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: Downloading https://getcomposer.org/versions
[200] https://getcomposer.org/versions
OK
Composer version: 2.5.8
PHP version: 8.1.10
PHP binary path: C:\laragon\bin\php\php-8.1.10-Win32-vs16-x64\php.exe
OpenSSL version: OpenSSL 1.1.1q  5 Jul 2022
cURL version: 7.77.0 libz 1.2.12 ssl OpenSSL/1.1.1q
zip: extension present, unzip not available, 7-Zip present (7z)

and when i tried to access the path C:\Users\Rima\AppData\Local\Temp\ope62AE.tmp in my computer i didn't find it

[Sicklou]

Hello,

I've got the same issue too with repo.packagist.org : SSL certificate problem: unable to get local issuer certificate

When I launch this command : curl -x xxxxx.myproxy.com https://repo.packagist.org --cacert C:/DevEnv/SSL/caCert.pem -vvv &> test_proxy.log the error happened. But the same command trying to connect to api.github.com is working fine.

And if I try to connect to connect to packagist without the proxy, it works. But I can't tell composer to avoid using the proxy with packagist, and using it with github.

Here is what I get :

*   Trying 163.116.242.82:8081...
* Connected to xxxxx.myproxy.com (163.116.242.82) port 8081 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to repo.packagist.org:443
> CONNECT repo.packagist.org:443 HTTP/1.1

> Host: repo.packagist.org:443

> User-Agent: curl/7.75.0

> Proxy-Connection: Keep-Alive

> 

< HTTP/1.1 200 Connection Established

< 

* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: C:/DevEnv/SSL/caCert.pem
*  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* CONNECT phase completed!
* CONNECT phase completed!
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2652 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

How can I make it works ?

[MBALI-SAH]

Hello, I don't know if this will help anyone, I was able to resolve it with the following command: composer require psr/log:dev-master

[luisprmat]

I have this same problem on Windows (in this moment) and I have not been able to solve it in any way. It won't even let me install composer

[brandonfarber]

Since I see this still gets comments I'll just note my experience - I ran into this today and was scratching my head for a while. Ran all the checks I could, tried disabling ssl/tls, nothing was working...even installed new pem file manually, was still getting "Unable to get local issuer certificate"

Turned out it was my antivirus (Avast, specifically). I disabled all shields in Avast for 10 minutes and composer worked properly afterwards. Figured I'd drop this note as a reminder for others who might come along - try disabling any antivirus/firewall/vpn setup temporarily too, as that could be the culprit.

[Seldaek]

Ok thanks, I've added a note in the docs hopefully that helps https://getcomposer.org/doc/articles/troubleshooting.md#ssl-certificate-problem-unable-to-get-local-issuer-certificate

[a3m-nix]

i tried disabling avast and everything worked fine