Troubleshooting: cURL error when using Cloudflare WARP / Zero Trust

[nickbasham-ltnow]

Hey everyone,

I was hoping someone can help me troubleshoot this. My company recently implemented Cloudflare's WARP / Zero Trust service, which works by installing an agent on each machine so Cloudflare can act as a man-in-the-middle for all traffic. After I installed the client, I had to select "Always Trust" in Keychain Access for the Cloudflare certificate it installed in order for any app and browsers to access the Internet without throwing errors.

That got apps and browsers working, but cURL requests from web applications running through Herd are still failing – in particular, any self update or attempted plugin installation from within WordPress fails with the following error: Download failed.: cURL error 60: SSL certificate problem: unable to get local issuer certificate

It seems like cURL in the versions of PHP bundled with Herd does not use Keychain for checking certificates, so I went the route of working on Herd's PHP configs.

I've attempted several things, including:

• Exported the Cloudflare cert from Keychain as a .pem file for use in the following steps
• Changing the curl.cainfo and openssl.cafile lines in Herd's PHP config file to point to a copy of the Cloudflare cert
• Appending the content of the Cloudflare cert to the end of the default Herd cacert.pem file
• Restarting Herd (via herd restart) after every change
• Confirming the PHP config changes by checking php -i | grep curl
• Copying the Cloudflare cert to /Application Support/Herd/config/valet/Certificates (just grasping for straws at this point)

Anyone have any ideas? Am I missing something simple, am I just not changing the proper config file?

I also discovered that Herd resets the cacert.pem file after it's closed and relaunched, so even if the appending a cert step worked, it would have to be redone frequently.

[nickbasham-ltnow]

I figured this out, so just posting a follow-up in case anyone else runs into this in the future. The issue had nothing to do with Herd – my config changes were working after additional testing against Herd's version of curl bundled with PHP.

The issue was some functions in WordPress, like plugin downloading/updating, uses its internal HTTP API/client which maintains its own certificate authority list. You just need to append Cloudflare's certificate to the WP certificate bundle located at /wp-includes/certificates/ca-bundle.crt. I wrote a script to do this, so now I can easily do that with any new WordPress installation.