Making WordPress.org

Opened 10 years ago

Closed 9 years ago

#591 closed defect (bug) (invalid)

Get Warning Notices in WordPress 4.0-RC1, because the Cert is invalid for 66.155.40.203

Reported by: developwithconviction Owned by:
Milestone: Priority: high
Component: SSL Keywords:
Cc:

Description (last modified by SergeyBiryukov)

URL:
http://wp.dev/wp-admin/update-core.php

Message:

Warning: An unexpected error occurred. Something may be wrong with WordPress.org or this server&#8217;s configuration. If you continue to have problems, please try the <a href="https://wordpress.org/support/">support forums</a>. (WordPress could not establish a secure connection to WordPress.org. Please contact your server administrator.) in /Library/WebServer/Documents/work/wp.dev/wp-admin/includes/plugin-install.php on line 77

Call Stack

#	Time	Memory	Function	Location
1	0.0015	427664	{main}( )	../update-core.php:0
2	3.8270	21107312	list_plugin_updates( )	../update-core.php:521
3	3.8331	21275712	plugins_api( )	../update-core.php:243
4	4.2963	21284656	trigger_error ( )	../plugin-install.php:77

Problem:

Certificate Common Name (CN) and Hostname does not match?
 	The hostname (66.155.40.203) does NOT match the Common Name in the certificate (*.wordpress.org). This certificate is currently invalid for this host.

You can check it externally as well, see:
https://www.geocerts.com/ssl_checker
Type in: 66.155.40.203 :443

Solution:
Use correct SSL Cert for 66.155.40.203 (WordPress API Server)
Even if I accept the Cert manually in Keychain on Mac or via Safari 'always trust', it does not work. Curl doesn't accept it. Curl Version: 7.37.1

Check via Terminal, same result:

Usernames-MacBook-Air:apache2 username$ curl --cacert /Users/username/Desktop/\*.wordpress.org.cer https://66.155.40.203
curl: (51) SSL: certificate verification failed (result: 5)

Change History (7)

#1 @SergeyBiryukov
10 years ago

  • Description modified (diff)
  • Summary changed from Get Warning Notices in Wordpress 4.0-RC1, because the Cert is invalid for 66.155.40.203 to Get Warning Notices in WordPress 4.0-RC1, because the Cert is invalid for 66.155.40.203

#2 @developwithconviction
10 years ago

Maybe helpful for further investigation: a log from the Core Tester WordPress Plugin.
As you can see, it's the SSL Cert that causes the failure, which curl doesn't accept.
Even if it gets the Cert manually or via 'curl.cainfo =' in php.ini (see Terminal result from the main post above).

URL	https://api.wordpress.org/plugins/update-check/1.1/
Method	POST
Result	error
Error Details	
http_request_failed	SSL: certificate verification failed (result: 5)
Time Taken	0.43059110641479 seconds
HTTP Args	
timeout	(integer) 3
redirection	(integer) 5
httpversion	(string) 1.0
user-agent	(string) WordPress/4.0-RC1; http://wp.dev
reject_unsafe_urls	(boolean) false
blocking	(boolean) true
headers	
Array
(
)
cookies	
Array
(
)
compress	(boolean) false
decompress	(boolean) true
sslverify	(boolean) true
sslcertificates	(string) /Library/WebServer/Documents/work/wp.dev/wp-includes/certificates/ca-bundle.crt
stream	(boolean) false
filename	NULL
limit_response_size	NULL
HTTP POST body	
Array
(
    [plugins] => {"plugins":{"akismet\/akismet.php":{"Name":"Akismet","PluginURI":"http:\/\/akismet.com\/","Version":"3.0.1","Description":"Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from comment and trackback spam<\/strong>. It keeps your site protected from spam even while you sleep. To get started: 1) Click the \"Activate\" link to the left of this description, 2) <a href=\"http:\/\/akismet.com\/get\/\">Sign up for an Akismet API key<\/a>, and 3) Go to your Akismet configuration page, and save your API key.","Author":"Automattic","AuthorURI":"http:\/\/automattic.com\/wordpress-plugins\/","TextDomain":"akismet","DomainPath":"","Network":false,"Title":"Akismet","AuthorName":"Automattic"},"core-control\/core-control.php":{"Name":"Core Control","PluginURI":"http:\/\/dd32.id.au\/wordpress-plugins\/core-control\/","Version":"1.1","Description":"Core Control is a set of plugin modules which can be used to control certain aspects of the WordPress control.","Author":"Dion Hulse","AuthorURI":"http:\/\/dd32.id.au\/","TextDomain":"","DomainPath":"","Network":false,"Title":"Core Control","AuthorName":"Dion Hulse"},"hello.php":{"Name":"Hello Dolly","PluginURI":"http:\/\/wordpress.org\/plugins\/hello-dolly\/","Version":"1.6","Description":"This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly<\/cite> in the upper right of your admin screen on every page.","Author":"Matt Mullenweg","AuthorURI":"http:\/\/ma.tt\/","TextDomain":"","DomainPath":"","Network":false,"Title":"Hello Dolly","AuthorName":"Matt Mullenweg"},"https-debugger\/https-debugger.php":{"Name":"HTTPS Debugger","PluginURI":"http:\/\/wordpress.org\/","Version":"1.1","Description":"Used to determine if there's anything wrong with the communication to WordPress.org over HTTPS. 
See Dashboard -> HTTPS Tester (If using multisite, visit Updates -> HTTPS Tester in the network admin.)","Author":"the WordPress team","AuthorURI":"http:\/\/wordpress.org\/","TextDomain":"","DomainPath":"","Network":true,"Title":"HTTPS Debugger","AuthorName":"the WordPress team"}},"active":["core-control\/core-control.php","https-debugger\/https-debugger.php"]}
    [translations] => []
    [locale] => ["en_US"]
    [all] => true
)
HTTP Transports	WP_HTTP_curl
Request Time	2014-08-28 17:10:38 -0

#3 @developwithconviction
10 years ago

Temporary fix seems to be:

wp-config.php

add_filter( 'http_api_transports', function()
{
    return array( 'streams' );
});

As stated on another site:

This is a problem with changes in WordPress’ HTTP API. It isn’t fully compatible with cURL anymore.
I am not sure, why exactly it happens (there is no context information given, when this error occurs), but you can add a temporary fix.

Source: http://wordpress.stackexchange.com/questions/121334/unexpected-error-on-update-requests

I can fully confirm this statement. It seems that WordPress isn't fully compatible with cURL anymore. (For the reasons, take a look at my two posts above.)

This is only a temporary fix for people coming from sites like Google.com searching for a solution here, until we get a real/official solution.

#4 @dd32
10 years ago

At no point during WordPress should the IP address be used directly, and as such, the SSL certs do not list the IP address, you'll find this is insanely common amongst almost every SSL host as IP addresses change, and hosts have multiple SSL websites served from IP address, so you should instead always test with the full hostname, api.wordpress.org.

Back to the error at hand though, it sounds like either something in the cURL version you have installed isn't compatible with SSL connections, or, something else in PHP is preventing the SSL from working. The version of cURL installed in PHP will almost always be 100% different from the command line curl installed on the server.

Could you supply the exact message that WordPress is hitting?
This should return a WP_Error object with the error: (Note: You'll have to remove your streams-only filter first of course)
var_dump( wp_remote_get( 'https://api.wordpress.org/') );
Can you also post the output of:
var_dump( curl_version() );
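
The hostname check described in comment 4, as an added example (not code from this ticket, WordPress or cURL): a simplified RFC 6125-style matcher showing why a certificate for *.wordpress.org verifies for api.wordpress.org but never for the bare IP 66.155.40.203. The function names and the sample name lists are assumptions constructed for illustration.

```python
import ipaddress


def is_ip(host):
    """True when the requested host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, hostname):
    """Compare one certificate dNSName (or CN) with a hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label, so it never spans a dot.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require a registrable parent (at least two labels after the "*").
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_valid_for(host, dns_names, ip_sans=()):
    """Decide whether a certificate's names cover the host being contacted.

    IP literals are compared only against iPAddress entries; a wildcard
    DNS name can never cover an IP address.
    """
    if is_ip(host):
        target = ipaddress.ip_address(host)
        return any(ipaddress.ip_address(ip) == target for ip in ip_sans)
    return any(dns_name_matches(name, host) for name in dns_names)


# Constructed sample: the only name the ticket reports for the certificate.
CERT_DNS_NAMES = ["*.wordpress.org"]


def check_ticket_hosts():
    """Evaluate the hosts discussed in the ticket against the sample cert."""
    hosts = ["66.155.40.203", "api.wordpress.org", "a.b.wordpress.org"]
    return {h: cert_valid_for(h, CERT_DNS_NAMES) for h in hosts}
```

To test one specific server address while keeping hostname verification intact, curl's `--resolve api.wordpress.org:443:66.155.40.203` option pins the name to that IP for a request to `https://api.wordpress.org/`.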

#5 @dd32
10 years ago

Ah, I missed that the raw error was present in comment:2

It looks like this is a cURL + DarwinSSL + wildcard subdomain issue in cURL 7.37.1, potentially related to OSX Yosemite.
It could also be triggered by the format of our cacert.crt file; there might be an SSL cert in there that DarwinSSL doesn't like.

Upstream ref: http://curl.haxx.se/mail/tracker-2014-08/0007.html


#6 @developwithconviction
10 years ago

Ok. Is there anything I could do to assist the error resolving process?
I've sent the error with the URL of this ticket directly to Apple via the Yosemite Beta Feedback Assistant.


#7 @dd32
9 years ago

  • Resolution set to invalid
  • Status changed from new to closed

I believe this was fixed in cURL 7.38.0, so cURL 7.37.1 was the only broken release when using DarwinSSL.

Marking as invalid as it was a) an upstream breakage b) a core.trac thing rather than meta.trac
