I'm currently building a Wordpress install under a debian server. I install PHP7, curl and Apache2
While I'm trying to install new extension I have this error message:
cURL error 60: SSL certificate problem: self signed certificate in certificate chain
I try to modify the php.ini with this, after reading some post treating similar issue:
curl.cainfo = /etc/php7.0/cacert.pem
But I'm still facing the problem even with restart apache.
Any ideas?
Thanks in advance
将 'sslverify' 设置为 false 以修复 cURL 错误 60:WordPress wp_remote_get 请求中的 SSL 证书。
wp_remote_get($url, array('sslverify' => FALSE));
Based on my recent experience, I believe that the message " self signed certificate in certificate chain" tells you the issue exactly - which is that whichever SSL site you are trying to access has a certificate in the chain that is not in the bunch that is referenced by cacert.pem .
This makes sense because the error reports that it is a self-signed certificate.. ie It would never be included in the downloaded cacert.pem file.
My solution was to get a Base64 encoded file containing the certificate chain of the site that I am trying to access.
How to: Use a browser to access the site you are trying to access, click the
certificate part of the address (usually to the left of the address box with
a lock icon) and the click on whatever your interface supports to see the
list of certificates in the chain. Manually export those certificates to a
text file.
Then append this text file with a text editor to the list of certificates (cacert.pem) that PHP is using for CURL actions.
You mention WordPress.. WordPress v4.9.6 has a bundle of certificates that it specifically references when it is upgrading or installing plugins at ./ WordPress Instance \\wp-includes\\certificates. My stop-gap solution was to append the text file above (containing the local self signed-certificate chain) to the ca-bundle.crt file that you will find in that location.
One caveat - when you upgrade WordPress it will overwrite the ca-bundle.crt file, so you will have to re-add them - unless someone has a better solution..?
WordPress uses it's own CA bundle, located in WP/wp-includes/certificates
.
The CA bundle that was shipped with WordPress up until recently was outdated, as discussed in this issue: https://core.trac.wordpress.org/ticket/45807 .
Setting sslverify
to false
is not recommended, and instead you can download an updated version of the bundle, https://github.com/WordPress/WordPress/tree/master/wp-includes/certificates and replace it in the wordpress folder.
Download this file http://curl.haxx.se/ca/cacert.pem
Use your file's location in openssl.cafile=c:/cacert.pem
In case someone come across same issue with their WordPress installation on Local Machine, by adding http_request_args
filter did the trick for me
<?php
/**
* Plugin Name: Local Dev CaFile
* Plugin URI: https://stackoverflow.com/q/44632619/881743
* Description: Another solution for `SSL certificate problem: self signed certificate in certificate chain apache` error for your local development
* Version: 1.0
* Author: John Doe
* Author URI: https://stackoverflow.com/
* License: WTFPL
*/
add_filter( 'http_request_args', function ( $args ) {
if ( getenv('WP_ENV') !== 'development' ) {
return $args;
}
$args['sslcertificates'] = ini_get( 'curl.cainfo' ) ?? $args['sslcertificates'];
return $args;
}, 0, 1 );
and save it in path/to/wp-content/plugins/dev-plugin.php
and activate the plugin from wp-admin, or optionally you could put it in your WPMU_PLUGIN_DIR
.
Hope that helps Cheers
Disable SSL verification within your testing site.
You can do this by adding this line into the file
Appearance > Theme Editor > functions.php or
/wp-content/themes/YOUR_THEME/functions.php:
add_filter('https_ssl_verify', '__return_false');
Only add this on a testing site, never on a live site.
Upgrade from wp-cli 2.4 => 2.5 helped me. (with installing this https://github.com/wp-cli/profile-command )
None of the answers here worked for me (and may not work for people using Let's Encrypt certificates on their servers). I found that recently (Sept 30,2021 ) the Let's Encrypt Cretificates expired DST Root CA X3. In addition to the curl error 60 I also had Rest API errors and inability to updated plugins in wordpress. It is possible to update these in the wordpress installation:
The patch is available here and should be available with Wordpress 5.9 (December 2021) if not earlier: https://core.trac.wordpress.org/changeset/51883/trunk/src/wp-includes/certificates/ca-bundle.crt
For Wordpress you can use like this:
$url = "YOUR_ENDPOINT";
$args = array(
'headers' => array(
'Authorization' => 'HASH_HERE'
),
'sslverify' => FALSE,
'data' => array(
'campaign_id' => $campaign_id
)
);
$response = wp_remote_get($url, $args);
$body = wp_remote_retrieve_body($response);
I had this issue recently because our network does the ssl proxy trick. We had a custom CA bundle that included our internal cert. That was bundled up in the /etc/pki folders, so I just symlinked to it: ln -s /etc/pki/tls/certs/ca-bundle.crt /wp-includes/certificates/
Now it stays updated whenever I update the system.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.