Curl 60 SSL_CACERT

How to Fix Curl 60 SSL_CACERT “Can’t validate SSL Certificate. Either it is self-signed or it is invalid.”

Introduction

You are reading a short story about why my Facebook share button wasn’t working correctly and how I found the cause: “Can’t validate SSL Certificate. Either it is self-signed or it is invalid.”, which is also called Curl Error: 60 SSL_CACERT.

Story

Recently, I finally decided to fix my Facebook share button. I thought that the solution was simple: place Facebook’s meta information inside the <head> tag, and it should work immediately. However, after adding the necessary meta tags, I still wasn’t able to share any content on Facebook.

I wasn’t able to share any text or image of my article on Facebook. That’s when I realized that the issue lay somewhere else.

After googling for a few minutes, I found the Open Graph Object Debugger on Facebook, which helped me to identify my issue. The Object Debugger test led me to this: “Can’t validate SSL Certificate. Either it is self-signed (which will cause browser warnings) or it is invalid.”

After googling for a few minutes, I found some ideas at StackOverflow on why my SSL certificate isn’t working correctly.

The first possible cause that I found was this: my server isn’t providing an intermediate certificate as it should in the TLS handshake. One of the easiest ways to check if that’s true is to run the ssllabs test. However, the ssllabs test didn’t give me any huge problems. That’s when I came back to StackOverflow to dive deeper.

Again, after a few minutes, I found another answer that could potentially solve my issue. The answer suggested that my server doesn’t include the chain crt, which is absolutely necessary for Facebook’s Open Graph.

There is a great test to check whether your server is missing the chain crt; you can find it at whatsmychaincert.com.

How to Add a Chain CRT to Your Server?

It all depends on your situation. If you are on shared hosting and you don’t have SSH access to your server, then you must contact your hosting provider – they must solve it for you. However, if you have a VPS or a dedicated server with Ubuntu, then I have written a short guide on how to do this. Check this out.

Log in to your server over SSH and find your website’s Apache or nginx configuration file. Mine is at /etc/apache2/sites-available/victorlava-com.conf.

cd /etc/apache2/sites-available
nano victorlava-com.conf

Then head to whatsmychaincert.com, enter your website’s URL and download the chain crt. Print the contents of this file with cat, copy them, and paste them into a file in the directory on your server where you store your SSL certificates. I store them in /etc/apache2/ssl/.

After that, come back to whatsmychaincert.com, scroll down a little further and find the section that generates configuration files for the SSL certificate. Choose your web server; mine is Apache. The code for the Apache web server looks something like this:

SSLEngine on
SSLCertificateKeyFile /path/to/example.com.key
SSLCertificateFile /path/to/example.com.crt
SSLCertificateChainFile /path/to/example.com.chain.crt

Edit the paths so that they point to where you have placed your SSL key, crt and chain crt files. After this, it will look something like this:

SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/victorlava.com.key
SSLCertificateFile /etc/apache2/ssl/victorlava.com.crt
SSLCertificateChainFile /etc/apache2/ssl/victorlava.com.chain.crt

The final result looks something like this in my .conf file:

<IfModule mod_ssl.c>
<VirtualHost *:80>
        ServerName www.victorlava.com
        Redirect permanent / https://victorlava.com/
</VirtualHost>
<VirtualHost _default_:443>
        ServerAdmin admin@victorlava.com
        ServerName victorlava.com
        ServerAlias www.victorlava.com
        DocumentRoot /srv/user/oblivion/www/victorlava.com

        <Directory /srv/user/oblivion/www/victorlava.com/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        SSLEngine on
        SSLCertificateKeyFile /etc/apache2/ssl/victorlava-com.key
        SSLCertificateFile /etc/apache2/ssl/victorlava-com.crt
        SSLCertificateChainFile /etc/apache2/ssl/victorlava-com.chain.crt

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <IfModule mod_dir.c>
            DirectoryIndex index.php index.pl index.cgi index.html index.xhtml index.htm
        </IfModule>

</VirtualHost>
</IfModule>

Save the file and restart your Apache web server:

sudo service apache2 restart

Come back to whatsmychaincert.com and check whether it validates now. If it validates, check the status in Facebook’s Open Graph Object Debugger. If you have any remaining issues, fix them and you should be good.
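Why a missing chain file produces this error can be reproduced offline with openssl. The script below is an added example, not code from the original post: it builds a throwaway root, intermediate and site certificate (all names and files are constructed for the demo), then validates the site certificate as a client that trusts only the root would, first without and then with the intermediate that SSLCertificateChainFile makes the server send.

```bash
#!/usr/bin/env bash
# Added example: every name and file here is constructed for the demo.
set -e

# Build a throwaway PKI in directory $1:
#   root.crt (trust anchor) -> chain.crt (intermediate) -> leaf.crt (site)
make_demo_pki() {
  (
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'subjectAltName=DNS:example.test\n' > leaf.ext
    for name in root int leaf; do
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
        -keyout "$name.key" -out "$name.csr"
    done
    # Self-signed root, then the intermediate signed by it, then the leaf.
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
      -extfile ca.ext -out root.crt
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key \
      -set_serial 2 -days 2 -extfile ca.ext -out chain.crt
    openssl x509 -req -in leaf.csr -CA chain.crt -CAkey int.key \
      -set_serial 3 -days 2 -extfile leaf.ext -out leaf.crt
  ) >/dev/null 2>&1
}

# Validate leaf.crt as a client that trusts only root.crt.
# $1 = PKI directory; $2 = "leaf-only" (server sends just its own cert)
# or "with-chain" (server also sends chain.crt). Prints "ok" or "fail".
client_verdict() {
  if [ "$2" = "with-chain" ]; then
    out=$(openssl verify -CAfile "$1/root.crt" \
      -untrusted "$1/chain.crt" "$1/leaf.crt" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" 2>&1) || true
  fi
  case $out in
    *": OK"*) echo ok ;;
    *) echo fail ;;
  esac
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "leaf only : $(client_verdict "$demo_dir" leaf-only)"
echo "with chain: $(client_verdict "$demo_dir" with-chain)"
```

On a live host, `openssl s_client -connect HOST:443 -servername HOST -showcerts` lists the certificates the server actually sends; with the chain file configured it should show the site certificate followed by the intermediate. Apache 2.4.8 and later also accept the intermediates appended to the file named by SSLCertificateFile, and the Apache documentation marks SSLCertificateChainFile as deprecated.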
