How to make Guzzle ignore ssl verification on each request
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
Bypassing SSL Verification in Guzzle: A Developer's Guide
When building modern applications, especially those leveraging frameworks like Laravel, network communication is fundamental. Tools like Guzzle are essential for making external API calls, file transfers, and handling HTTP requests. However, as you’ve discovered, dealing with SSL certificate validation can introduce frustrating errors, particularly in local development environments where self-signed certificates often cause conflicts.
This post dives into the technical solution for ignoring SSL verification in Guzzle, along with a critical discussion on the security implications and best practices for handling HTTPS connections.
The Root of the Problem: SSL Certificate Errors
The error code you are encountering, cURL error 60: SSL certificate problem, arises because Guzzle relies on underlying cURL to establish a secure connection. By default, cURL verifies that the server's SSL certificate is issued by a trusted Certificate Authority (CA). When running on localhost or using internal development setups, the local system often cannot validate these certificates against the public CA store, leading to the handshake failure.
While this works fine for end-users connecting to established sites like Google or Dropbox, it breaks during local testing, forcing us to choose between a functional application and strict security validation.
The Direct Solution: Disabling Verification in Guzzle
To bypass this check and allow Guzzle to proceed with the request regardless of certificate validity, you can configure the Guzzle client to disable SSL verification for specific requests. This is achieved by setting the verify option to false when instantiating the client.
Here is how you apply this solution in a PHP context:
use GuzzleHttp\Client;
// Create a Guzzle Client that explicitly disables SSL verification
$client = new Client([
'verify' => false
]);
try {
// This request will now proceed without strict certificate validation
$response = $client->get('https://example.com/');
echo "Request successful: " . $response->getBody();
} catch (\GuzzleHttp\Exception\RequestException $e) {
echo "An error occurred: " . $e->getMessage();
}
Security Implications and Best Practices
While setting 'verify' => false immediately resolves the cURL error on your local machine, it is crucial to understand the significant security risks involved. Disabling SSL verification means you are no longer verifying the identity of the server you are connecting to. This opens the door to Man-in-the-Middle (MITM) attacks, as an attacker could intercept the traffic and present a fraudulent certificate without your application detecting it.
When should you use this?
This method is acceptable only for highly controlled, internal development environments where you fully trust the network topology (like testing against a known local service setup).
What are the better alternatives?
For production applications or more secure development workflows, relying on disabling verification is strongly discouraged. A more robust approach involves ensuring your PHP environment has access to valid, up-to-date CA certificates. If you encounter issues with custom certificate chains in a Laravel application, focus on configuring the underlying system's trust store rather than globally weakening security protocols. For general advice on building secure and maintainable applications, understanding these foundations is key, much like the principles promoted by laravelcompany.com.
Conclusion
Disabling SSL verification in Guzzle provides a quick fix for local development headaches caused by certificate validation issues. However, as a senior developer, our priority must always be security. Use this technique judiciously—only when absolutely necessary and fully aware of the risks. For production systems, strive to maintain proper certificate validation by ensuring your environment is configured correctly, rather than opting out of essential security checks.