Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#52614 closed defect (bug) (wontfix)

Cloudflare Root Certificate Missing

Reported by: thesimarchitect's profile thesimarchitect Owned by:
Milestone: Priority: normal
Severity: minor Version:
Component: Security Keywords:
Focuses: Cc:

Description

Everytime WordPress Updates I need to re-add Cloudflare Root CA Manually, because it's not included in your file /wp-includes/certificates/ca-bundle.crt

This is their Root Certificate:

-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIID+rOSdTGfGcwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV
BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91
ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQH
Ew1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMB4XDTE5MDgyMzIx
MDgwMFoXDTI5MDgxNTE3MDAwMFowgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBD
bG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wg
Q2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMw
EQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwEiVZ/UoQpHmFsHvk5isBxRehukP8DG9JhFev3WZtG76WoTthvLJFRKFCHXm
V6Z5/66Z4S09mgsUuFwvJzMnE6Ej6yIsYNCb9r9QORa8BdhrkNn6kdTly3mdnykb
OomnwbUfLlExVgNdlP0XoRoeMwbQ4598foiHblO2B/LKuNfJzAMfS7oZe34b+vLB
yrP/1bgCSLdc1AxQc1AC0EsQQhgcyTJNgnG4va1c7ogPlwKyhbDyZ4e59N5lbYPJ
SmXI/cAe3jXj1FBLJZkwnoDKe0v13xeF+nF32smSH0qB7aJX2tBMW4TWtFPmzs5I
lwrFSySWAdwYdgxw180yKU0dvwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
VR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUJOhTV118NECHqeuU27rhFnj8KaQw
HwYDVR0jBBgwFoAUJOhTV118NECHqeuU27rhFnj8KaQwDQYJKoZIhvcNAQELBQAD
ggEBAHwOf9Ur1l0Ar5vFE6PNrZWrDfQIMyEfdgSKofCdTckbqXNTiXdgbHs+TWoQ
wAB0pfJDAHJDXOTCWRyTeXOseeOi5Btj5CnEuw3P0oXqdqevM1/+uWp0CM35zgZ8
VD4aITxity0djzE6Qnx3Syzz+ZkoBgTnNum7d9A66/V636x4vTeqbZFBr9erJzgz
hhurjcoacvRNhnjtDRM0dPeiCJ50CP3wEYuvUzDHUaowOsnLCjQIkWbR7Ni6KEIk
MOz2U0OBSif3FTkhCgZWQKOOLo1P42jHC3ssUZAtVNXrCk3fw9/E15k8NPkBazZ6
0iykLhH1trywrKRMVw67F44IE8Y=
-----END CERTIFICATE-----

It would be handy if someone could look into it and fix it. I am ok for myself, but other people using cloudflare's certificate will have a loopback error.

Change History (13)

#1 @ayeshrajans
4 years ago

Hi @thesimarchitect - thanks for opening this ticket. WordPress's certificate store is not automatically updated, and I believe we sync with Curl's certificate list. Manually adding root certificates could be a security vulnerability, so I doubt adding a particular root certificate will realistically happen.

#50828 is an active ticket to sync with changes from upstream root store.

#2 follow-up: @SergeyBiryukov
4 years ago

  • Component changed from General to Security

#3 @thesimarchitect
4 years ago

Thanks @ayeshrajans !

I wish they do, since many people use Cloudflare's free certificates and without their root certificate we keep getting the error code 60 on health check, meaning the loopback isn't likely working properly when it happens. I didn't feel any issue with the functionality of my site, but something might be affected in the background that I can't see.

Nonetheless, I hope the information I shared helps somehow 😇

#4 in reply to: ↑ 2 @thesimarchitect
4 years ago

Replying to SergeyBiryukov:

Thanks!!

#5 follow-up: @desrosj
4 years ago

  • Keywords close added

I'm going to mark this as a close candidate, but let's leave it open for a bit and see how #50828 is resolved.

I think this will end up needing to be requested upstream for the details listed above, though.

#6 in reply to: ↑ 5 ; follow-up: @thesimarchitect
4 years ago

Replying to desrosj:

I'm going to mark this as a close candidate, but let's leave it open for a bit and see how #50828 is resolved.

I think this will end up needing to be requested upstream for the details listed above, though.

Thanks! Should I add a comment to #50828 mentioning they need to add Cloudflare to the certificate chain? I don't understand why it's not included or mentioned by many people considering the massive number of WordPress & Cloudflare combination users...

#7 @thesimarchitect
4 years ago

Problem not solved on WordPress 5.7.

As usual, I had to add Cloudflare's Root Certificate to /wp-includes/certificates/ca-bundle.crt after the update (since Wordpress overwrites it).

#8 in reply to: ↑ 6 @desrosj
4 years ago

I don't understand why it's not included or mentioned by many people considering the massive number of WordPress & Cloudflare combination users...

It wasn't 100% clear for me either, so I've done some investigating. Here is a breakdown that should help clarify this.

The certificates bundled in WordPress are an adjusted copy of the Mozilla root CA certificate list distributed in their certdata.txt file with some modifications to include some older 1024bit certificates for backwards compatibility.

#50828 aims to make some changes to make updating the certificate list shipped with WordPress easier.

  • Use the copy of the Mozilla CA certificate list from cURL (which maintains the Mozilla CA certificate store in PEM format).
  • Maintain a separate file for legacy certificates.
  • Combine the two files into one ca-bundle.crt file that is shipped in Core.

The missing link here is that either:

  • Mozilla needs to add Cloudflare's root certificate to their bundle.
  • WordPress needs to add a third file containing other trusted certificates that gets merged into the final ca-bundle.crt file.

As @ayeshrajans noted above though, the second option could potentially be a security vulnerability, so I'm not sure it's the best option.

I'm currently trying to find some answers to how Mozilla adds certificates to their list, and if there has been any past discussions/decisions to not include their certificate.

#9 follow-up: @desrosj
4 years ago

  • Keywords reporter-feedback added

@thesimarchitect So it looks like the certificate you specified above is actually the origin certificate for Cloudflare, not the root one.

I believe that this certificate is meant for the connection TO the Cloudflare server, and not from the Cloudflare server to the actual website server.

A few questions:

  • If you do not add this certificate to the ca-bundle.crt file, does the site work normally for users? Is the only error encountered within Site Health when the loop back is attempted?
  • Is your site in orange cloud mode (passing through Cloudflare)? Or grey cloud mode (traffic not passing through Cloudflare)?

If the site works normally without updating the cert file and you are in orange cloud mode, it's possible (maybe) that something is configured at the hosting level to intercept traffic targeted to the same site before it is sent out and reroutes it back to the site for a faster connection. This would result in the certificate (intended for use only between a user and Cloudflare) not being valid.

#10 in reply to: ↑ 9 @thesimarchitect
4 years ago

Replying to desrosj:

@thesimarchitect So it looks like the certificate you specified above is actually the origin certificate for Cloudflare, not the root one.

I believe that this certificate is meant for the connection TO the Cloudflare server, and not from the Cloudflare server to the actual website server.

A few questions:

  • If you do not add this certificate to the ca-bundle.crt file, does the site work normally for users? Is the only error encountered within Site Health when the loop back is attempted?
  • Is your site in orange cloud mode (passing through Cloudflare)? Or grey cloud mode (traffic not passing through Cloudflare)?

If the site works normally without updating the cert file and you are in orange cloud mode, it's possible (maybe) that something is configured at the hosting level to intercept traffic targeted to the same site before it is sent out and reroutes it back to the site for a faster connection. This would result in the certificate (intended for use only between a user and Cloudflare) not being valid.

Hi! Thanks for your reply!

  1. The site works normally, the problem is the loopback error, that only goes away if I add that certificate.
  1. My site passes through Cloudflare and I don't own a private certificate because it's expensive and I don't need it. Let's encrypt doesn't renew certificates because of Cloudflare as well plus, if I am not mistaken, I am not sure WordPress accepts Let's encrypt free certificates either.
  1. I don't want to do my loopback via Cloudflare (by editing my VPS's hosts file) when it's much faster to use localhost with the server's local IP (I run everything on NGinx inside of a VPS).

Using the same authoritative chains used by cURL would not solve the problem, here's what happens if I try to curl from within localhost:

curl https://thesimarchitect.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Also, just in case anybody wants to fix their cURL to recognize Cloudflare's Origin Certificate, just save the certificate on a .crt file inside /usr/local/share/ca-certificates, then run sudo update-ca-certificates to get rid of the error. 😉

Version 2, edited 4 years ago by thesimarchitect (previous) (next) (diff)

#11 @desrosj
4 years ago

  • Keywords reporter-feedback close removed
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Ah! #3 is definitely why this is happening. While your use case does make sense and I can see why you would want to do that, I don't think WordPress should be changed to accommodate this.

The certificate above is not meant to be trusted as a root certificate (only for connections to Cloudflare), so I don't think it would be right for WordPress to add this cert to the trusted list. In most cases, seeing an error here would indicate an incorrectly configured site.

This also explains why the certificate above is not already on the list (Mozilla and Cloudflare do work closely on security initiatives).

Since this is something happening as a result of your specific setup, I recommend setting up some code to accomplish what you need long term to avoid having to add your certificate after every update.

The certificate list used within the WordPress HTTP API is passed by absolute path through the sslcertificates argument. You can use the http_request_args filter (src) to specify a new crt file with your needed certificate tacked on. But, make sure to maintain this file, or perhaps, regenerate it on a cron by adding your certificate at the end of the list provided by WordPress.

Just in case someone stumbles upon the suggestion above randomly in the future, this approach could potentially be insecure if implemented incorrectly and care should be taken.

Last edited 4 years ago by desrosj (previous) (diff)

#12 @ayeshrajans
4 years ago

Thanks a lot @desrosj for taking a thorough look. You are right, this is apparently the CloudFlare-issued publicly untrusted certificate, that should not be trusted.

I opened #52837, that is somewhat related.

I think we can improve WordPress's HTTPS detection by running a test client-side. I think OP and other sites that run on local/intranet should have the custom root certificates already trusted by the browser, so WordPress might as well just see if the browser accepts the certificate, and assume it's good enough for certain cases to use HTTPS.

#13 @thesimarchitect
4 years ago

Thanks @desrosj! I will look on how to implement your suggestion, so I don't have to keep adding that certificate manually after each WordPress update.

@ayeshrajans my website does NOT run on an intranet, it's a regular website behind cloudflare.

The problem is Wordpress' loopback happens from and to the server itself, locally, and when it tries to connect the error appears because the only cert assigned is the cert of origin from Cloudflare, since all regular access to my site happens through Cloudflare, except for whatever Wordpress "loops back" onto itself and curl requests I have set up on my VPS cron.

Before I also used to have lets encrypt, but the certs keep expiring too often and it's always a lot of work to renew them.

Note: See TracTickets for help on using tickets.