How to Fix cURL SSL Certificate Errors

How to Fix cURL SSL Certificate Errors in Security Ninja (Cloudflare, Loopback, and Localhost Issues)

Security Ninja runs a series of security tests on your WordPress site, including checks that use cURL to make requests to your own website (known as “loopback” requests). Sometimes, especially on sites using Cloudflare, custom SSL certificates, or certain server setups, you may see errors like:

cURL error 60: SSL certificate problem: unable to get local issuer certificate

This article explains what causes these errors, why Security Ninja performs SSL validation, and how you can resolve the issue safely.

What Causes cURL SSL Certificate Errors?

When Security Ninja performs tests such as header checks or homepage requests, it uses cURL to connect to your site over HTTPS. Your server then tries to validate its own SSL certificate.

If you use Cloudflare’s Origin Certificate, a self-signed certificate, or if your server’s CA (Certificate Authority) bundle is outdated or missing, cURL may not be able to verify the certificate chain. This results in the “unable to get local issuer certificate” error.

Common scenarios:

  • Your DNS is proxied through Cloudflare, and your server uses a Cloudflare Origin Certificate.
  • Your server’s CA bundle is missing or outdated.
  • You use a custom or self-signed SSL certificate.

Why Doesn’t Security Ninja Ignore SSL Errors?

SSL validation is a critical security measure. Disabling SSL checks would allow insecure connections and could hide real security issues. For this reason, Security Ninja does not skip SSL validation by default, and we do not recommend disabling it unless you fully understand the risks.

Solutions and Workarounds

Here are safe, recommended ways to resolve cURL SSL certificate errors:

1. Update Your Server’s CA Certificates

Make sure your server’s CA certificates are up to date. On Debian- or Ubuntu-based servers, you can update the CA bundle with:

sudo apt-get update && sudo apt-get install ca-certificates

or, on RHEL- or CentOS-based servers:

sudo yum update ca-certificates

This helps cURL recognize more certificate authorities, including those used by Cloudflare and Let’s Encrypt.

2. Use a Public SSL Certificate

If possible, use a standard SSL certificate from a public CA (like Let’s Encrypt) instead of a Cloudflare Origin Certificate. Public CA certificates are trusted by default on most servers.

3. Add a Custom CA Bundle Path (Recommended Workaround)

If updating the CA bundle isn’t possible, you can tell WordPress/cURL where to find the correct certificate file by adding this snippet to your theme’s functions.php file or a custom plugin:

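add_filter('http_request_args', function ($args, $url) {
    // Apply only to loopback requests: compare hosts exactly instead of
    // searching for the site URL anywhere inside the request URL.
    $request_host = wp_parse_url($url, PHP_URL_HOST);
    $site_host    = wp_parse_url(home_url(), PHP_URL_HOST);
    if ($request_host && $site_host && strcasecmp($request_host, $site_host) === 0) {
        // CA bundle that contains the issuer of your site's certificate.
        $args['sslcertificates'] = '/etc/ssl/cert.pem'; // Adjust path as needed
    }
    return $args;
}, 10, 2);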

Tip:
If you manage multiple sites, consider adding this code to a must-use plugin for easier maintenance.
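
To confirm which bundle to point the filter at before editing functions.php, the failure and the fix can be reproduced offline with openssl. This is an added example, not Security Ninja's code: the Demo Origin CA, example.test and all file names are constructed, and the private CA stands in for whatever issued your origin certificate.

```bash
#!/usr/bin/env bash
# Added example, not Security Ninja code. Every name here (Demo Origin CA,
# example.test, the file names) is constructed for illustration.
set -u

# Create a private CA (stand-in for an origin or self-managed CA), an
# unrelated CA (stand-in for the server's existing bundle), and a site
# certificate issued by the private CA. All files go into directory $1.
build_demo() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Origin CA" \
        -keyout "$d/origin-ca.key" -out "$d/origin-ca.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Public CA" \
        -keyout "$d/public-ca.key" -out "$d/system-bundle.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/site.csr" -days 2 -CA "$d/origin-ca.pem" \
        -CAkey "$d/origin-ca.key" -CAcreateserial -out "$d/site.pem" 2>/dev/null || return 1
    # The fix: keep the existing roots and append the missing issuer.
    cat "$d/system-bundle.pem" "$d/origin-ca.pem" > "$d/custom-bundle.pem"
}

# Succeeds when certificate $2 verifies with $1 as the CA file.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the reason openssl gives when verification fails (empty on success).
verify_reason() {
    openssl verify -CAfile "$1" "$2" 2>&1 | sed -n 's/.*lookup: *//p' | head -n 1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_demo "$work" || { echo "openssl failed to build the demo PKI" >&2; exit 1; }

echo "existing bundle: $(verify_reason "$work/system-bundle.pem" "$work/site.pem")"
if chain_verifies "$work/custom-bundle.pem" "$work/site.pem"; then
    echo "custom bundle:   chain verifies; this is the file to point the filter at"
fi
```

On a real server, replace site.pem with your site's certificate and the bundle paths with your own files. Running `curl --cacert /path/to/custom-bundle.pem -I https://your-site.example/` (placeholder path and hostname) on the server repeats the check over the network.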

4. (Not Recommended) Disable SSL Verification

As a last resort, you can disable SSL verification for local requests, but this is not recommended for production sites due to security risks.

Summary

cURL SSL certificate errors in Security Ninja are usually caused by your server not being able to validate its own SSL certificate, especially with Cloudflare or custom setups. The best solution is to update your CA certificates or use a public SSL certificate. For most users, adding a custom CA bundle path as shown above will resolve the issue.

If you want to learn more about Security Ninja’s tests and how they work, check out the documentation or related articles.
