Recently, I had a need to to programmatically load a web page in my WordPress site’s custom plug-in. To do this, I used the cURL library that comes with PHP.
cURL is the name of a command line tool, as well as a code library in different languages, including PHP. It is useful for being able to access different internet hosts, including web hosts, to receive, and send data. Unfortunately, I found it has one giant hole in the default PHP installation. It doesn’t come with a “certificate” file that allows it access secure https/SSL pages on the web. As a result, I could load any “http” page, but not any “https” page. The “curl_exec” function simply returned “false” due to the error.
I use PHP as part of WAMP (Windows-Apache-MySQL-PHP) when developing web sites (the “live” version is on Linux, but I experiment and develop locally on Windows). As part of that installation, PHP was installed, with cURL support included. However, there is a setting in the “php.ini” configuration file called “curl.cainfo” which wasn’t set. That setting tells PHP/cURL where to look to find the Certificate Authority file, which allows cURL to securely access encrypted web content via the https/SSL.
I was able download cacert.pem at https://curl.se/docs/caextract.html . After downloading, I saved the file to C:\wamp64\bin\php\php7.3.21\extras\ssl” on my machine. I updated my “php.ini” file to have the following line:
[curl] ; A default value for the CURLOPT_CAINFO option. This is required to be an ; absolute path. curl.cainfo = C:/wamp64/bin/php/php7.3.21/extras/ssl/cacert.pem
Of course, the proper directory varies for every installation, in part depending on what version of PHP is installed. After saving the file, and pointing to it, I had to shut everything down, and start all over. For me, I had to do a full reboot, as a simple stop/start services wasn’t sufficient.
I somewhat understand the reason for this not working “out of the box”, as it would be hard to include a certificate authority file with cURL that is always up-to-date and what the user wants. However, I think it would be better if cURL did not easily install, or simply didn’t work by default, without such a critical file being setup. A concerning thing, is that there is a setting for simply not using the certificate authority file, which means the SSL certificate of any website is not verified. Of course, that’s a giant security hole. Sadly many sites have taken the “easy” way out.
My code for using cURL looks something like this:
// This starts all uses of cURL $curl_handle= curl_init(); // url is set the web page to open. Works with "https" and other protocols. curl_setopt($curl_handle, CURLOPT_URL, $url); // so that "curl_exec" returns content to variable, not echo to screen curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1); // This will return content of web page, or "false" if there is an error $output = curl_exec($curl_handle); // close curl resource to free up system resources curl_close($curl_handle);
If this post was helpful to you, feel free to let me know.