SSL certificate verify failed over plain HTTP (non-SSL) in WordPress update

3
votes

I'm trying to update WordPress itself along with plugins and themes.

Update WordPress Downloading update from http://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip

Download failed.: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Installation Failed

I've read here: https://help.github.com/articles/error-ssl-certificate-problem-verify-that-the-ca-cert-is-ok/

When you receive this error, it likely means that your CA is out-of-date and needs to be updated. Generally, updating your operating system also updates your CA, and solves the problem.

I asked my host for help, they said:

I get the underlying reference in the link you sent. But root certificate authorities only apply when you are using an ssl site/cert.

The plugin upgrade path in the screen shot you sent was to an http only based site--this is why I don't get the relevancy. If you are calling an http link, ssl is not used and there for not relevant.

However, this request is over HTTP, and isn't using SSL. Why am I getting this error?

4
phpwordpresshttpssl

4 Answers

1
votes

Here is what happened when downloading:

wget http://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip
--2016-01-11 14:40:07--  http://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip
Resolving downloads.wordpress.org... 66.155.40.188, 66.155.40.189, 66.155.40.187, ...
Connecting to downloads.wordpress.org|66.155.40.188|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip [following]
--2016-01-11 14:40:07--  https://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip
Connecting to downloads.wordpress.org|66.155.40.188|:443... connected.
ERROR: cannot verify downloads.wordpress.org's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2':
  Unable to locally verify the issuer's authority.
To connect to downloads.wordpress.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

all downloading got redirected to ssl, and the certificate was signed by Go Daddy's most recent CA root.

download the latest certificate from wordpress git site from here, save it to your wp-includes/certificates directory as ca-bundle.crt, make sure the downloaded .crt replace the current one, then try update again.

2
votes

All of wordpress.org is an SSL-based site. Any HTTP request just gets routed through HTTPS via their nginx instance, probably with a rule like this:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}
0
votes

The link you have for that file redirects to a HTTPS. You can see it in action at http://www.redirect-checker.org

CONGRATULATION. Everything seems to be fine.

http://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip
301 Moved Permanently
https://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip
200 OK

As for why you're getting that error, your server can't validate the certificate because it can't get the correct chain(CA). As you can see here, wordpress.org is correctly configured. Apparently your server won't trust the chain provided by the server. Most likely it's configured to to only accept CAs that are installed.

There's a couple of ways to play this. Both involve going to the GoDaddy Repository and downloading the Go Daddy Secure Certificate Authority - G2 file (it should be this file).

Now, what you need to do is

  1. Ask you host to install this chain file on their server. They should do this for you if you point them to the repository. This should be trivial.
  2. Hack the WP update script to use the CA chain directly. My bet is it's using the CURL request in this file to do the requesting. It might be another file altogether. You can tell the script doing the downloading to use that CA file. This is not as good a solution for you because you will probably have to hack that script every time.
0
votes

I also run into an 301 issue with Wordpress 4.4.1, which seems to have a different cause, but my research also turned out this from the Version changelog:

Removed SSL certificates causing errors in WP 4.4

Full release notes: Wordpress Version 4.4.1

in the diff you can also see a lot certs removed from:

/wp-includes/certificates/ca-bundle.crt