
SSL on Windows FIXED!

Posted: October 8th, 2010, 9:10 am
by cheezcake
Hey Jason, Hello All,

I'd like you to know that I've figured out what the problem is with the CURL SSL transport on Windows.

It basically boils down to the fact that CURL for Windows is neither compiled nor supplied with the client certificates. On top of that, WordPress doesn't seem to see the necessity of providing a way for the site administrator to specify where CURL should look for the certificate bundle (more on that below).

When you browse to an SSL–enabled site in your web browser, a few things happen… One of the things that happens is that your browser checks to see if the site’s security certificate is trusted. It does this by checking the entity that signed the certificate against its built-in book of trusted signatures and if it finds a match, onto the next step. However, if your browser can’t find a match the certificate will be invalid and it will complain that the site could potentially be a fake or insecure.

The ‘book of trusted signatures’ is known as a Certificate Authority bundle and usually comes built in with most web browsers. If you install cURL (the standalone version that can be run from the command–line), chances are it will come with the cURL Certificate Authority bundle and you won’t need to do a thing as the cURL functions within PHP will use this as its book of trusted signatures. However, on Windows the cURL functions within PHP are pre–built and included in the standard PHP setup, and thus do not include this bundle.

Chances are if you don’t know this you’ll probably spend a good amount of your time screaming at your webpage as it mocks you with error number 60! I know I spent quite a good few hours wondering why it worked on my Linux PC but not on the Windows server!

CURL Error 60: SSL certificate problem, verify that the CA cert is OK.
Details: error:14090086:SSL routines
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Luckily the fix is quite easy…

1. Download "cacert.pem" from http://curl.haxx.se/docs/caextract.html
2. Rename it to "ca-bundle.crt" and copy it to your web server's folder
3. Open /your/blog/root/wp-includes/class-http.php and within the WP_Http_Curl object, request method at or about line 1346 in the file, you will see a bunch of curl_setopt calls
4. Add this line: curl_setopt( $handle, CURLOPT_CAINFO, "C:/path/to/ca-bundle.crt"); (I added it after CURLOPT_URL)

You're done! Happy curl SSL on Windows!

And Jason, you might be able to hack around it; but I think I will be submitting a bug report to WP devs.
There should be a section to set where your ca-bundle is set, just in case you can't edit your php.conf.

Blessed Be! I expect this post to be sticky! :D

-- Briam R.
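
The fix described in the post above, as an added example that is not part of the original post or of WordPress itself: it points cURL at a CA bundle while leaving certificate and host name verification switched on, and applies the same option through WordPress's `http_api_curl` action so that `class-http.php` does not have to be edited. The bundle path, the URL and the `fetch_verified` name are placeholders chosen for this example.

```php
<?php
// Added example. CA_BUNDLE is a placeholder path; point it at the renamed cacert.pem.
const CA_BUNDLE = 'C:/path/to/ca-bundle.crt';

/**
 * Fetch $url over HTTPS, verifying the server certificate against $caBundle.
 * Returns [body, null] on success or [null, error message] on failure.
 * (Hypothetical helper for this example.)
 */
function fetch_verified(string $url, string $caBundle): array
{
    // Fail early with a clear message instead of a bare cURL error.
    if (!is_readable($caBundle)) {
        return [null, "CA bundle not readable: $caBundle"];
    }

    $handle = curl_init($url);
    curl_setopt_array($handle, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // keep chain verification enabled
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate must match the host name
        CURLOPT_CAINFO         => $caBundle, // the "book of trusted signatures"
        CURLOPT_TIMEOUT        => 15,
    ]);

    $body = curl_exec($handle);
    if ($body === false) {
        $errno = curl_errno($handle);
        // 60 is the error number quoted in the post: the chain did not verify.
        $hint = ($errno === 60) ? ' (issuer not found in the CA bundle)' : '';
        return [null, "cURL error $errno: " . curl_error($handle) . $hint];
    }
    return [$body, null];
}

if (function_exists('add_action')) {
    // Inside WordPress (e.g. a small plugin): applied to every cURL request.
    add_action('http_api_curl', function ($handle) {
        curl_setopt($handle, CURLOPT_CAINFO, CA_BUNDLE);
    });
} else {
    // Stand-alone run from the command line.
    [$body, $error] = fetch_verified('https://example.com/', CA_BUNDLE);
    echo ($error ?? strlen($body) . ' bytes fetched over a verified connection'), "\n";
}
```

With the placeholder path left unchanged, the stand-alone run reports that the bundle is not readable and makes no network request.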

Re: SSL on Windows FIXED!

Posted: October 17th, 2010, 11:46 pm
by Jason Caldwell
Awesome. Thank you VERY much for posting this.
~ Much appreciated!!


@StIcky