This is just a semi-educated guess, but note that a self-signed certificate will only be accepted if the allow_self_signed context option is set, regardless of whether it exists in the trusted root CA store. Similarly, the verify_depth context option is still respected when the system store is used.

If the problematic certificate does not fall foul of either of these factors, please check the following:

- Are you able to load the resource in a browser that uses the system CA store, on the same client machine, without errors?
- If you specify a cafile that contains the relevant root certificate (i.e. use the openssl verify routine), does it work?
- Where the system store-based verify routine encounters an operational failure of some kind it will emit an E_WARNING with a descriptive message, please ensure that you have error reporting configured with a sufficient level and include any logged messages here.

Although there aren't currently any proper tests for this code path - something which most certainly needs addressing - it is fairly well tested in practice, simply by real-world usage. For example, if file_get_contents('https://packagist.org/...') didn't work out of the box on windows then there would be frequent reports as composer would not work.

If you want to discuss directly with me further in chat, you can find in the PHP chat room on Stack Overflow most of the time, under the screen name DaveRandom :-)

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

So, the report was suspended based on semi-educated guess? Without actual investigation?
I knew bugs.php.net tend to be like that, but not on such a scale.

The report was suspended because no response was provided to the questions that were asked by @daverandom. The issue can be reopened once requested feedback is provided.

Yes, browsers that use system CA store (IE, Chrome-based) operate correctly.

Yes, I can use OpenSSL functionality (particularly curl) without an issue after pointing openssl.ca* settings to Cygwin PKI that contains the necessary root CA certificate.

The further error message wasn't helping.

And no, it doesn't work with packagist either.

<?php
print file_get_contents(__FILE__);
var_dump(PHP_VERSION);
var_dump(ini_get("openssl.cafile"));
var_dump(ini_get("openssl.capath"));
file_get_contents('https://packagist.org/');
?>
string(6) "7.1.22"
string(0) ""
string(0) ""
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in ...\76694-openssl-system-PKI\test.php on line 6
PHP Warning:  file_get_contents(): Failed to enable crypto in ...\76694-openssl-system-PKI\test.php on line 6
PHP Warning:  file_get_contents(https://packagist.org/): failed to open stream: operation failed in ...\76694-openssl-system-PKI\test.php on line 6

Same test with Cygwin PKI

string(6) "7.1.22"
string(76) "C:\Programs\Cygwin_64\etc\pki\ca-trust\extracted\openssl\ca-bundle.trust.crt"
string(35) "C:\Programs\Cygwin_64\usr\ssl\certs"
<and no error messages>

Well, requesting https://packagist.org works for me with and
without setting openssl.cacert, but requesting
https://ca.rootdir.org/ does not even work from a browser
(NET::ERR_CERT_AUTHORITY_INVALID).

So maybe this has been fixed in the meantime.  Or do you still
experience the issue with any of the actively supported PHP
versions[1].

[1] <https://www.php.net/supported-versions.php>

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

> Well, requesting https://packagist.org works for me with and without setting openssl.cacert, 

Because its CA was added to the internal bundle since then.

> but requesting https://ca.rootdir.org/ does not even work from a browser (NET::ERR_CERT_AUTHORITY_INVALID).

Why invalid? Should be "issuer unknown". Add https://ca.rootdir.org/ca.cer to your system PKI.

> So maybe this has been fixed in the meantime.  Or do you still experience the issue with any of the actively supported PHP versions[1].

Tested with PHP 7.4, nothing changed.

<?php
print file_get_contents(__FILE__);
var_dump(PHP_VERSION);
var_dump(ini_get("openssl.cafile"));
var_dump(ini_get("openssl.capath"));
var_dump(substr(file_get_contents('https://ca.rootdir.org/'), 0, 16));
var_dump(error_get_last());

With Cygwin PKI:

<?php
print file_get_contents(__FILE__);
var_dump(PHP_VERSION);
var_dump(ini_get("openssl.cafile"));
var_dump(ini_get("openssl.capath"));
var_dump(substr(file_get_contents('https://ca.rootdir.org/'), 0, 16));
var_dump(error_get_last());
string(6) "7.4.16"
string(76) "C:\Programs\Cygwin_64\etc\pki\ca-trust\extracted\openssl\ca-bundle.trust.crt"
string(35) "C:\Programs\Cygwin_64\usr\ssl\certs"
string(16) "<html>
<body>
<h"
NULL

Without specific PKI:

<?php
print file_get_contents(__FILE__);
var_dump(PHP_VERSION);
var_dump(ini_get("openssl.cafile"));
var_dump(ini_get("openssl.capath"));
var_dump(substr(file_get_contents('https://ca.rootdir.org/'), 0, 16));
var_dump(error_get_last());
string(6) "7.4.16"
string(0) ""
string(0) ""
string(0) ""
array(4) {
  ["type"]=>
  int(2)
  ["message"]=>
  string(83) "file_get_contents(https://ca.rootdir.org/): failed to open stream: operation failed"
  ["file"]=>
  string(71) "C:\Users\anrdaemon\Documents\Bugs\PHP\76694-openssl-system-PKI\test.php"
  ["line"]=>
  int(6)
}

Thanks!  I'll have a closer look.

The Windows CA cert store is definitely used (not yet sure if 100%
correctly), but currently https://ca.rootdir.org/ca.cer is
apparently down.

Okay, the problem is that we only check the subject CN (which is
"Rootdir CA webserver"), but not the subjectAltNames (which have
the required "ca.rootdir.org").