Opened 4 years ago

Closed 4 years ago

#1172 closed defect (invalid)

Server with broken CERTS cannot "upgrade network" since 4.2.3

Reported by: hallcp
Owned by:
Milestone:
Priority: normal
Component: General
Keywords:
Cc:

Description

I tried to update our WordPress install to 4.2.3. The update itself seemed to go OK, but when I tried to upgrade the individual sites I get this error:

Warning! Problem updating http://swwdev2.unx.sas.com/blogs/wp.dev/globaltags. Your server may not be able to connect to sites running on it. Error message: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:func(144):reason(134)

It says Warning, but it halts the process. Nothing is written to the debug log. We know our server's SSL certificates are bad, but this hasn't been a show-stopper before. The Unix sysadmin says he can't fix our certificates without upgrading to a new version of Linux, so this is a real roadblock. In the past things like plugin updates have warned about the certificate, then tried a non-SSL connection and kept trucking.

Change History (2)

#1 @rhurling
4 years ago

This seems like a WordPress Core issue and should be reported there (https://core.trac.wordpress.org/newticket) instead of the Meta Trac (which is for the WordPress Sites, such as wordpress.org, wordcamp.org, etc. directly).

But I think if you add 'sslverify' => false to the args in the line
$response = wp_remote_get( $upgrade_url, array( 'timeout' => 120, 'httpversion' => '1.1' ) ); (that's in line number 69 for me)
like this
$response = wp_remote_get( $upgrade_url, array( 'timeout' => 120, 'httpversion' => '1.1', 'sslverify' => false ) );
in wp-admin/network/upgrade.php that should work. (It would disable the verification of the SSL Certs)

@Meta Trac maintainers: Not sure if I should set it to invalid, so I'm just leaving it as is.

Last edited 4 years ago by rhurling

#2 @iandunn
4 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Rouven is correct, but it's even better to use filters rather than hacking a core file:

add_filter( 'https_ssl_verify',       '__return_false' );
add_filter( 'https_local_ssl_verify', '__return_false' );

Don't leave that on permanently, though, just when you're running the network upgrade. Otherwise you'd open the server up to impersonation attacks, etc.
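
A narrower variant of the workaround in comment #2, as an added example that is not code from the ticket or from WordPress core: it uses the `http_request_args` filter to set `sslverify` to false only for the network upgrade's own requests to an allowlisted host, so every other outbound request keeps certificate verification. The host name, the `netupgrade_*` function names and the upgrade URL shape (`/wp-admin/upgrade.php?step=upgrade_db`) are assumptions.

```php
<?php
/**
 * Added example (not WordPress core code): temporary mu-plugin that skips
 * certificate verification only for the network upgrade's own requests.
 * Delete the file once the network upgrade has finished.
 */

// Assumption: host names of the sites in this network (placeholder value).
function netupgrade_allowed_hosts() {
	return array( 'blogs.example.test' );
}

// Hypothetical helper: true only for <allowed host>/.../wp-admin/upgrade.php?step=upgrade_db
function netupgrade_is_upgrade_url( $url ) {
	$parts = parse_url( $url );
	if ( empty( $parts['host'] ) || empty( $parts['path'] ) ) {
		return false;
	}
	$host_ok  = in_array( strtolower( $parts['host'] ), netupgrade_allowed_hosts(), true );
	$path_ok  = '/wp-admin/upgrade.php' === substr( $parts['path'], -21 );
	$query_ok = isset( $parts['query'] ) && 'step=upgrade_db' === $parts['query'];
	return $host_ok && $path_ok && $query_ok;
}

// Filter callback: receives the request arguments and the target URL.
function netupgrade_scope_sslverify( $args, $url ) {
	// Act only inside the network admin, for a user allowed to manage the network.
	if ( ! is_network_admin() || ! current_user_can( 'manage_network' ) ) {
		return $args;
	}
	if ( netupgrade_is_upgrade_url( $url ) ) {
		$args['sslverify'] = false; // all other requests keep verification on
		// Leave a trace so the exception is visible in the PHP error log.
		error_log( 'netupgrade: certificate verification skipped for ' . $url );
	}
	return $args;
}
add_filter( 'http_request_args', 'netupgrade_scope_sslverify', 10, 2 );
```

Plugin, theme and core update checks against external hosts never match the allowlist, so they still fail closed on a bad certificate.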
