cURL error 60: SSL certificate problem: unable to get local issuer certificate

Wordpress is mostly working but the health check feature tells me REST API and loopback are both failing for the same reason:

Error: [] cURL error 60: SSL certificate problem: unable to get local issuer certificate

My current setup:

* Cloudflare in front with strict SSL with their origin certs on my server
* Varnish on port 80
* Apache on 8080 with PHP-FPM
* WordPress
* MariaDB

In my PHP.ini I tell Curl where the intermediary certs are. If I manually test Curl from a command line and point to the intermediary certs the curl test is successful. Cloudflare is correctly working with strict SSL and SSL validators say everything is fine.

I suspect the problem is either because I’m using Varnish in front of Apache/PHP as a reverse proxy, or I just shouldn’t use Cloudflare for the certs and should switch to Let’s Encrypt. However, if I try to generate Let’s Encrypt certs, certbot fails to talk to Apache because of Varnish in front of it.

I may eliminate Varnish and see if that fixes the issue but I prefer to have it for performance. I’m thinking of making my life even more complicated and having:

* nginx on port 443 listening for SSL traffic and doing SSL termination sending traffic to Varnish on 80
* Varnish caching and operating as a reverse proxy and if the page isn’t cached it talks to Apache in 8080
* Apache using PHP-FPM, mod_pagespeed, brotli, combining JS, combining CSS, minimizing and optimizing a page as best it possibly can

Most of the guides I’m seeing online for this are really old. I’ve never configured nginx and I’m not an expert on Varnish so I’d love to see a good recent guide or get some help in that regard.

Just curious if anyone has experience with the WordPress Rest API issues before. When I Google it, the only results are to edit php.ini which I’ve already done:

curl.cainfo=”/etc/ssl/certs/origin_ca_rsa_root.pem”
openssl.cafile=”/etc/ssl/certs/origin_ca_rsa_root.pem”
openssl.capath=”/etc/ssl/certs”

Thanks!