WORDPRESS : cURL error 60: SSL certificate

Question

I'm currently building a Wordpress install under a debian server. I install PHP7, curl and Apache2

While I'm trying to install new extension I have this error message:

cURL error 60: SSL certificate problem: self signed certificate in certificate chain

I try to modify the php.ini with this, after reading some post treating similar issue:

curl.cainfo = /etc/php7.0/cacert.pem

But I'm still facing the problem even with restart apache.

Any ideas?

Thanks in advance

Answer 1

将 'sslverify' 设置为 false 以修复 cURL 错误 60：WordPress wp_remote_get 请求中的 SSL 证书。

wp_remote_get($url, array('sslverify' => FALSE));

Answer 2

Based on my recent experience, I believe that the message " self signed certificate in certificate chain" tells you the issue exactly - which is that whichever SSL site you are trying to access has a certificate in the chain that is not in the bunch that is referenced by cacert.pem .

This makes sense because the error reports that it is a self-signed certificate.. ie It would never be included in the downloaded cacert.pem file.

My solution was to get a Base64 encoded file containing the certificate chain of the site that I am trying to access.

    How to: Use a browser to access the site you are trying to access, click the 
    certificate part of the address (usually to the left of the address box with 
    a lock icon) and the click on whatever your interface supports to see the 
    list of certificates in the chain.  Manually export those certificates to a 
    text file.

Then append this text file with a text editor to the list of certificates (cacert.pem) that PHP is using for CURL actions.

---

You mention WordPress.. WordPress v4.9.6 has a bundle of certificates that it specifically references when it is upgrading or installing plugins at ./ WordPress Instance \\wp-includes\\certificates. My stop-gap solution was to append the text file above (containing the local self signed-certificate chain) to the ca-bundle.crt file that you will find in that location.

One caveat - when you upgrade WordPress it will overwrite the ca-bundle.crt file, so you will have to re-add them - unless someone has a better solution..?

Answer 3

WordPress uses it's own CA bundle, located in WP/wp-includes/certificates .

The CA bundle that was shipped with WordPress up until recently was outdated, as discussed in this issue: https://core.trac.wordpress.org/ticket/45807 .

Setting sslverify to false is not recommended, and instead you can download an updated version of the bundle, https://github.com/WordPress/WordPress/tree/master/wp-includes/certificates and replace it in the wordpress folder.

Answer 4

Download this file http://curl.haxx.se/ca/cacert.pem

Use your file's location in openssl.cafile=c:/cacert.pem

Reference - https://github.com/auth0/auth0-PHP#i-am-getting-curl-error-60-ssl-certificate-problem-self-signed-certificate-in-certificate-chain-on-windows

Answer 5

In case someone come across same issue with their WordPress installation on Local Machine, by adding http_request_args filter did the trick for me

<?php
/**
 * Plugin Name: Local Dev CaFile
 * Plugin URI: https://stackoverflow.com/q/44632619/881743
 * Description: Another solution for `SSL certificate problem: self signed certificate in certificate chain apache` error for your local development
 * Version: 1.0
 * Author: John Doe
 * Author URI: https://stackoverflow.com/
 * License: WTFPL
 */

add_filter( 'http_request_args', function ( $args ) {
    if ( getenv('WP_ENV') !== 'development' ) {
        return $args;
    } 

    $args['sslcertificates'] = ini_get( 'curl.cainfo' ) ?? $args['sslcertificates'];

    return $args;
}, 0, 1 );

and save it in path/to/wp-content/plugins/dev-plugin.php and activate the plugin from wp-admin, or optionally you could put it in your WPMU_PLUGIN_DIR .

Hope that helps Cheers

Answer 6

Disable SSL verification within your testing site.

You can do this by adding this line into the file

Appearance > Theme Editor > functions.php or

/wp-content/themes/YOUR_THEME/functions.php:

add_filter('https_ssl_verify', '__return_false');

Only add this on a testing site, never on a live site.

Answer 7

Upgrade from wp-cli 2.4 => 2.5 helped me. (with installing this https://github.com/wp-cli/profile-command )

Answer 8

None of the answers here worked for me (and may not work for people using Let's Encrypt certificates on their servers). I found that recently (Sept 30,2021 ) the Let's Encrypt Cretificates expired DST Root CA X3. In addition to the curl error 60 I also had Rest API errors and inability to updated plugins in wordpress. It is possible to update these in the wordpress installation:

The patch is available here and should be available with Wordpress 5.9 (December 2021) if not earlier: https://core.trac.wordpress.org/changeset/51883/trunk/src/wp-includes/certificates/ca-bundle.crt

Answer 9

For Wordpress you can use like this:

$url = "YOUR_ENDPOINT";
$args = array(
        'headers' => array(
            'Authorization' => 'HASH_HERE'
        ),
        'sslverify' => FALSE,
        'data' => array(
            'campaign_id' => $campaign_id
        )
    );

$response = wp_remote_get($url, $args);
$body     = wp_remote_retrieve_body($response);

Answer 10

I had this issue recently because our network does the ssl proxy trick. We had a custom CA bundle that included our internal cert. That was bundled up in the /etc/pki folders, so I just symlinked to it: ln -s /etc/pki/tls/certs/ca-bundle.crt /wp-includes/certificates/

Now it stays updated whenever I update the system.