phpsslcomposer-php

Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate


I'm trying to get composer to work on a remote Windows-machine which is using a proxy, but I always get this error when doing a composer install/update:

[Composer\Downloader\TransportException] curl error 60 while downloading https://flex.symfony.com/versions.json: SSL certificate problem: unable to get local issuer certificate

This is my composer.bat:

@echo OFF
:: in case DelayedExpansion is on and a path contains ! 
setlocal DISABLEDELAYEDEXPANSION
set HTTP_PROXY=<proxyurl>
php "%~dp0composer.phar" %*

Obviously setting the proxy is needed, if I delete the line, the error becomes this:

[Composer\Downloader\TransportException] curl error 28 while downloading https://flex.symfony.com/versions.json: Operation timed out after 10000 milliseconds with 0 out of 0 bytes received

composer diag gives me this (with the proxy set):

Checking composer.json: OK
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking HTTP proxy: OK
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0  87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B  0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: OK
Composer version: 2.0.9
PHP version: 7.4.7
PHP binary path: C:\Program Files\PHP\current\php.exe
OpenSSL version: OpenSSL 1.1.1g  21 Apr 2020
cURL version: 7.69.1 libz 1.2.11 ssl OpenSSL/1.1.1g
zip: extension present, unzip not available

I've been through a lot of posts and tutorials, but none of the answers work for me. (Some are just about curl and it's options to switch off the cert-check but that doesn't work for composer). Here's what I have tried:

All of this did not work, the error remains the same. Then I found a post which set a repository in composer.json and explicitely set the certfile for that repo, so I also tried it and added this to my composer.json:

{
  "repositories": [{
    "type": "composer",
    "url": "https://flex.symfony.com",
    "options" : {
      "ssl" : {
        "cafile" : "cacert.pem"
      }
    }
  }]
}

The file "cacert.pem" is in the same directory as my composer.json, now the error is this:

[Composer\Downloader\TransportException] The "https://flex.symfony.com/packages.json" file could not be downloaded (HTTP/2 404 )

which is not that surprising, as trying to access "https://flex.symfony.com/packages.json" via a browser also gives me a 404. (Don't know if it makes a difference that all at a sudden "packages.json" couldn't be loaded while the cert-error complained about "versions.json", have no idea which is loaded first and if this error is a "good" sign.)

This trial-and-error journey has been going on for days, I'm out of ideas, so any help is appreciated!


Solution

  • Further research led me to the proxy, which is ZScaler, being the problem. As stated in this post, ZScaler intercepts SSL traffic and re-encrypts it with its own certificate which is not trusted, so Composer (or any other program accessing sites via https) will complain with the above error that it's "unable to get local issuer certificate".

    So the solution must be to get the "ZScaler Intermediate Root CA" to be trusted on the server. (Which I can't do myself due to company policy, but anyone looking for a solution to the above problem probably has another hint now what to do.)