Fix “cURL error 60: SSL certificate problem: unable to get local issuer certificate” in Akismet

Akismet is trying to talk to its servers over HTTPS and WordPress throws this:

cURL error 60: SSL certificate problem: unable to get local issuer certificate

That message does not mean Akismet is broken. It means your server cannot verify the SSL certificate on the other end. In practice, that usually comes down to an out-of-date or misconfigured certificate bundle on your server, or a local SSL setup that WordPress does not trust.

The fix lives at the server and WordPress level, not inside the Akismet settings. Let’s walk through the checks in the order that solves this most often.

Akismet shows “cURL error 60: SSL certificate problem: unable to get local issuer certificate” and it will not check comments for spam. How do I fix this on my WordPress site?

If you are wondering what is actually broken: WordPress cannot verify the SSL certificate when it tries to contact the Akismet API. Akismet is only surfacing that failure.

Why this error shows up

When Akismet checks a comment, it sends an HTTPS request to the Akismet servers using WordPress’s HTTP API. Under the hood, that uses cURL and a list of trusted Certificate Authorities (a “CA bundle”).

“cURL error 60: SSL certificate problem: unable to get local issuer certificate” means:

  • The remote server presented a certificate chain.
  • Your server’s CA bundle does not include the issuer it needs to trust that chain.
  • So the SSL verification fails and the request is blocked.

On WordPress sites, this usually happens because:

  • The server’s CA bundle is outdated or incomplete.
  • You are running an old WordPress core that ships with an outdated ca-bundle.crt.
  • The site is behind a proxy or firewall that rewrites certificates with its own issuer, which PHP does not trust.
  • The system clock is wrong, so valid certificates look expired or not yet valid.
  • You are on a local or staging setup that uses a self-signed certificate.

Step 1: Confirm it is not just Akismet

First, check whether all outgoing HTTPS requests are unhappy or only Akismet.

1.1 Check Site Health

  1. In WordPress, go to Tools → Site Health.
  2. On the Status tab, look for items mentioning:
    • cURL error 60
    • could not establish secure connection
    • issues contacting api.wordpress.org or other services

If Site Health also reports SSL or cURL problems, the issue is system wide. Akismet is just where you noticed it first.

1.2 Try another HTTPS action

  • Go to Dashboard → Updates and click Check again.
  • Try updating a plugin or theme.

If you see similar cURL error 60 messages there, you can be confident this is a general SSL trust problem on the server, not an Akismet bug.

Step 2: Easy fixes inside WordPress

Before touching the server, clear out a few quick variables.

2.1 Update WordPress core and Akismet

WordPress bundles its own CA file at wp-includes/certificates/ca-bundle.crt. Older installs shipped with outdated certificates, which can trigger cURL error 60.

  • Update WordPress to the latest stable version.
  • Update the Akismet Anti-spam plugin to the latest version.
  • Try running the Akismet connection or spam check again.

If the error disappears after updating, the new CA bundle fixed it.

2.2 Temporarily disable security and firewall plugins

Some security, firewall, or “outbound filter” plugins intercept outgoing HTTP requests or change SSL options.

  1. Temporarily deactivate security and firewall plugins one by one.
  2. After each deactivation, test Akismet again from Settings → Akismet Anti-spam.

If the error only appears with a specific plugin active, that plugin is altering SSL or HTTP calls. Check its documentation or contact its support to allow Akismet’s API calls.

2.3 Make sure your site’s time and URL are correct

  • In your hosting control panel, confirm the server time and timezone are correct.
  • In WordPress, go to Settings → General and confirm the WordPress Address (URL) and Site Address (URL) are correct and use https:// if your site has SSL.

Incorrect time can make certificates look invalid. Incorrect URLs can cause odd redirect chains during remote tests.

Step 3: If you are on shared or managed hosting

Most WordPress sites are on shared or managed hosting. In that case, your host controls the CA bundle and SSL libraries. You cannot fully fix cURL error 60 from inside WordPress alone.

Once you have confirmed the issue is not limited to Akismet, the next move is to open a support ticket with your host.

3.1 What to ask your host

Send them something like this:

“Our WordPress site is showing an error when Akismet tries to contact its servers:

cURL error 60: SSL certificate problem: unable to get local issuer certificate

Can you please:

  • Update the server’s CA certificates bundle and OpenSSL libraries.
  • Make sure PHP and cURL are using the current CA bundle.
  • Confirm that outgoing HTTPS requests from PHP to Akismet and WordPress.org pass SSL verification.”

On many hosts, they will refresh the CA bundle or adjust their SSL configuration and the error disappears without any changes in Akismet.

Step 4: If you manage the server yourself

If you run your own VPS, dedicated server, or local stack, you can fix the trust store directly.

4.1 Update the system CA store (Linux)

On common Linux distributions, you can update CA certificates with the package manager. For example:

# Debian / Ubuntu
sudo apt update
sudo apt install ca-certificates
sudo update-ca-certificates

# CentOS / Alma / Rocky
sudo yum update ca-certificates || sudo dnf update ca-certificates

Restart web services after updating:

sudo service apache2 restart   # or httpd, php-fpm, nginx, etc.

Then test Akismet again.

4.2 Make sure PHP cURL uses the right CA file

Sometimes PHP is still pointing at an old CA file even after the system bundle is updated.

  1. Find your active php.ini (you can see the path in phpinfo() or your hosting panel).
  2. Look for the [curl] and [openssl] sections.
  3. Set them to use the current CA bundle, for example:
[curl]
curl.cainfo = "/etc/ssl/certs/ca-certificates.crt"

[openssl]
openssl.cafile = "/etc/ssl/certs/ca-certificates.crt"

Save php.ini, restart PHP and your web server, then test Akismet again.
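
One way to check this from the command line, as an added example that is not part of the original article: the script reads a php.ini, resolves curl.cainfo and openssl.cafile, and flags a configured CA file that is missing, holds no certificates, or has not been modified for over a year. The function names and the 365-day threshold are assumptions made for illustration.

```shell
# Added example, not from the original article.
# The 365-day staleness threshold is an assumption; adjust to your patch cycle.

# Print the last uncommented value of an ini directive, without quotes.
ini_value() {  # $1 = php.ini path, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*;.*$//' | tr -d "\"'\r" |
        sed 's/[[:space:]]*$//'
}

# Classify one CA file: ok | unset | missing | empty | stale
ca_file_state() {  # $1 = path taken from php.ini
    [ -n "$1" ] || { echo unset; return; }
    [ -r "$1" ] || { echo missing; return; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || { echo empty; return; }
    [ -z "$(find -L "$1" -mtime +365)" ] || { echo stale; return; }
    echo ok
}

# Report both directives; return non-zero if either needs attention.
check_php_ca() {  # $1 = php.ini path
    rc=0
    for key in curl.cainfo openssl.cafile; do
        path=$(ini_value "$1" "$key")
        state=$(ca_file_state "$path")
        echo "$key = ${path:-<not set>} [$state]"
        case $state in ok|unset) ;; *) rc=1 ;; esac
    done
    return "$rc"
}
```

Call it as check_php_ca followed by the php.ini path shown in phpinfo(). An unset directive is reported but not treated as a failure, because the library's default CA location applies in that case.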

4.3 Update WordPress’s own CA bundle on old installs

On very old WordPress versions, the internal ca-bundle.crt file may be out of date even if the system CA is fine.

  1. Back up your site and database.
  2. In your site files, open wp-includes/certificates/.
  3. Replace ca-bundle.crt with a current CA bundle file downloaded from a trusted source (such as the official cURL bundle).
  4. Keep a note that the next WordPress core update will overwrite this file with its own copy.

Whenever possible, a full WordPress core update is safer than manually swapping this file.

4.4 Windows or local IIS / XAMPP stacks

On Windows-based stacks, PHP often ships without a proper CA file configured.

  1. Download the latest CA bundle file (commonly named cacert.pem) from a trusted source.
  2. Save it somewhere under your PHP installation directory, for example: C:\php\extras\ssl\cacert.pem
  3. Edit your active php.ini and set:
[curl]
curl.cainfo = "C:\php\extras\ssl\cacert.pem"

[openssl]
openssl.cafile = "C:\php\extras\ssl\cacert.pem"
  4. Restart IIS, Apache, or whatever web server you are using on Windows.
  5. Try the Akismet connection test again.

Step 5: Local development, proxies, and self-signed certificates

If this is a local or staging site, or you are behind a company proxy, the error may be about a custom certificate chain.

  • Your company proxy may replace certificates with its own issuer.
  • Your local HTTPS site may use a self-signed certificate.

In both cases, PHP does not trust that issuer by default.

The robust fix is to:

  • Export the proxy or self-signed root certificate.
  • Add it to the CA bundle that PHP cURL is using (append it to the cacert.pem or ca-bundle.crt you configured above).
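
A way to do the append safely, as an added example that is not part of the original article: the script refuses an export that contains a private key or more than one certificate, skips the append when the root is already in the bundle, and keeps a backup copy. The function names and the file names in the usage line are assumptions.

```shell
# Added example, not from the original article. File names are assumptions.

# Print the base64 body of every certificate in a PEM file, one per line.
pem_bodies() {  # $1 = PEM file
    awk '/-----BEGIN CERTIFICATE-----/ {on = 1; body = ""; next}
         /-----END CERTIFICATE-----/   {if (on) print body; on = 0; next}
         on {gsub(/[ \t\r]/, ""); body = body $0}' "$1"
}

# Append one root certificate to a CA bundle. Returns 0 when the bundle
# contains the root afterwards, 2 when the input is refused.
add_root_to_bundle() {  # $1 = exported root (PEM), $2 = CA bundle PHP uses
    root=$1 bundle=$2
    # An export that also carries the key must never land in a readable bundle.
    if grep -q 'PRIVATE KEY-----' "$root"; then
        echo "refusing: $root contains a private key" >&2; return 2
    fi
    # Exactly one certificate: the root, not a leaf-plus-chain export.
    body=$(pem_bodies "$root")
    count=$(pem_bodies "$root" | awk 'END {print NR}')
    if [ "$count" -ne 1 ] || [ -z "$body" ]; then
        echo "refusing: expected exactly one certificate in $root" >&2; return 2
    fi
    # Idempotent: skip if the same certificate is already trusted.
    if pem_bodies "$bundle" | grep -qxF -e "$body"; then
        echo "already present in $bundle"; return 0
    fi
    cp -p "$bundle" "$bundle.bak" || return 1   # keep a rollback copy
    { printf '\n'
      sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$root" |
          tr -d '\r'
    } >> "$bundle"
    echo "added to $bundle (backup: $bundle.bak)"
}

# Usage: add_root_to_bundle corp-root.pem /path/to/cacert.pem
```

Before appending, run openssl x509 -in corp-root.pem -noout -subject -fingerprint -sha256 and compare the fingerprint with the value published by whoever operates the proxy. Every outgoing HTTPS request that uses this bundle will then trust certificates issued under the added root.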

For true development only, some people disable SSL verification with filters in WordPress. That can unblock local testing, but you should not do this on a live site. It removes SSL verification entirely, which defeats the purpose of certificates.

Verification: check that Akismet is working again

You are looking for these signs:

  • The “cURL error 60: SSL certificate problem: unable to get local issuer certificate” message no longer appears in Akismet.
  • Site Health no longer reports SSL or cURL certificate errors under Tools → Site Health.
  • In Settings → Akismet Anti-spam, the status shows your key as active and connected.
  • New test comments are being checked for spam and show up with Akismet status as expected.


WP Assistant is a free tool created by Atiba Software, a WordPress design and development company located in Nashville, TN. If you need more personalized WordPress assistance let us know, and we’ll get back to you ASAP!