Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#54207 closed defect (bug) (fixed)

ca-bundle.crt contains expired certificate DST Root CA X3

Reported by: bradleyt's profile bradleyt Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 5.8.2 Priority: normal
Severity: normal Version:
Component: Security Keywords: fixed-major
Focuses: Cc:

Description

Last night we started getting warnings in our logs related to failed API calls through wp_safe_remote_post:

WP HTTP API Error: cURL error 60: SSL certificate problem: certificate has expired.

It turns out the URL we were hitting was using LetsEncrypt, and the LetsEncrypt intermediate certificate DST Root CA X3 expired on September 30, 2021: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ (Specifically the API calls were to https://wp-rocket.me/ as part of the WP Rocket licence validation logic. Visiting this domain in the browser shows the SSL certificate as being totally valid).

The wordpress/wp-includes/certificates/ca-bundle.crt file still contains this expired certificate. Removing this DST Root CA X3 section resolved the SSL errors we were seeing in our logs.

I'd be surprised if we're the only team to have experienced this, so I'd like to propose that the DST Root CA X3 certificate is removed from ca-bundle.crt.

Related #50828

Change History (25)

#1 @fierevere
3 years ago

It will help for OpenSSL 1.0.x based systems, some people still run WordPress using that old software.

#2 @SergeyBiryukov
3 years ago

  • Milestone changed from Awaiting Review to 5.8.2

#3 @SergeyBiryukov
3 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 51883:

HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.

Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:

Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].

Props bradleyt, fierevere.
Fixes #54207. See #50828.

#4 follow-ups: @SergeyBiryukov
3 years ago

  • Keywords fixed-major added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for 5.8.2 consideration, and potentially backporting to older branches too.

#5 in reply to: ↑ 4 @chesio
3 years ago

Replying to SergeyBiryukov:

Reopening for 5.8.2 consideration, and potentially backporting to older branches too.

We were hit by the same problem, so we would be grateful if the patch has been backported to older branches too.

This ticket was mentioned in Slack in #core by sergey. View the logs.


3 years ago

#7 in reply to: ↑ 4 @gilby
3 years ago

Replying to SergeyBiryukov:

Reopening for 5.8.2 consideration

We would also appreciate this being released with 5.8.2, as we are currently unable to manually update ca-bundle.crt in our hosting environment (core WP files are locked down).

#8 @chesio
3 years ago

Note: I found no feasible way how to tell WordPress to not use the wordpress/wp-includes/certificates/ca-bundle.crt file, so I had to start patching this file manually. That said if there's going to be a patch version (security) update that does not contain the fix from [51883], I'll have to repatch all websites again as soon as they self-update... EDIT: I realized that patch version update only changes added and edited files.

Last edited 3 years ago by chesio (previous) (diff)

#9 follow-up: @jnylen0
3 years ago

You should be able to tell WP to use a certificate bundle of your choice by using the http_request_args filter and setting the $r['sslcertificates'] argument.

The fix of removing the DST Root CA X3 certificate, however, is not working for me (whether I edit the ca-bundle.crt file built in to WordPress or try to specify a new one using the above method).

#10 @jnylen0
3 years ago

I think I (mostly) figured it out. The fix in this ticket will work for some sites but not all.

When the server is using cURL with an old version of OpenSSL, and the expired DST Root certificate is still present in the system certificate store, then the fix in this ticket is not enough to resolve the issue. This is because cURL will always use the certificates in the system store, even if another bundle is specified, and older versions of OpenSSL will stop and report an error when they encounter an expired certificate chain.

I wrote a plugin that will fix/workaround this issue in the most secure way possible for a given site: https://github.com/ClassicPress-research/cp-ssl-fix

#11 in reply to: ↑ 9 ; follow-up: @chesio
3 years ago

Replying to jnylen0:

You should be able to tell WP to use a certificate bundle of your choice by using the http_request_args filter and setting the $r['sslcertificates'] argument.

I noticed that - my intention however was to only unset the certificate bundle set by WordPress, so only default certificate bundle as provided by webhost is used (the webhost already has patched the default certificate bundle).

#12 in reply to: ↑ 11 @jnylen0
3 years ago

Replying to chesio:

my intention however was to only unset the certificate bundle set by WordPress

From some quick testing, it looks like the closest you can do is to set a new bundle with a small number of certificates (1 certificate would probably work, but an empty file always generates an error for me).

I would still opt for setting a custom certificate bundle with everything that WP includes, but only the DST Root certificate removed. The other certificates included by WP will help with compatibility for requests to other servers.

The plugin I linked above should be able to fix the issue for you automatically, let me know if not.

#13 @ignaziohappyforms
3 years ago

@SergeyBiryukov

Reopening for 5.8.2 consideration, and potentially backporting to older branches too.

We're facing the same issue, in a scenario similar to @bradleyt 's (license validation). It would be great if this was at least confirmed to be included in 5.8.2.

This ticket was mentioned in Slack in #core by desrosj. View the logs.


3 years ago

#15 @desrosj
3 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 51948:

HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.

Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:

Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].

Props bradleyt, fierevere, SergeyBiryukov.
Merges [51883] to the 5.8 branch.
Fixes #54207. See #50828.

#16 @desrosj
3 years ago

This will be included in WordPress 5.8.2 scheduled for release on November, 10, 2021.

I'll leave this closed for now, but it can be reopened and backported to older branches when/if a security release happens for those older versions.

This ticket was mentioned in Slack in #hosting-community by javier. View the logs.


3 years ago

This ticket was mentioned in Slack in #hosting-community by jadonn. View the logs.


3 years ago

#19 @desrosj
3 years ago

In 52097:

HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.

Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:

Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].

Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
Merges [51883] to the 5.7 branch.
Fixes #54207. See #50828.

#20 @desrosj
3 years ago

In 52098:

HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.

Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:

Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].

Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
Merges [51883] to the 5.6 branch.
Fixes #54207. See #50828.

#21 @desrosj
3 years ago

In 52099:

HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.

Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:

Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].

Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
Merges [51883] to the 5.5 branch.
Fixes #54207. See #50828.

#22 @desrosj
3 years ago

In 52100:

HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.

Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:

Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].

Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
Merges [51883] to the 5.4 branch.
Fixes #54207. See #50828.

#23 @desrosj
3 years ago

In 52101:

HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.

Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:

Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].

Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
Merges [51883] to the 5.3 branch.
Fixes #54207. See #50828.

#24 @desrosj
3 years ago

In 52102:

HTTP: Remove the DST Root CA X3 certificate expired on September 30, 2021.

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

Most up-to-date CA cert trusted bundles, as provided by operating systems, contain this soon-to-be-expired certificate. The current CA cert bundles also contain an ISRG Root X1 self-signed certificate. This means that clients verifying certificate chains can find the alternative non-expired path to the ISRG Root X1 self-signed certificate in their trust store.

Unfortunately this does not apply to OpenSSL 1.0.2 which always prefers the untrusted chain and if that chain contains a path that leads to an expired trusted root certificate (DST Root CA X3), it will be selected for the certificate verification and the expiration will be reported.

References:

Follow-up to [25224], [25426], [25569], [27307], [30491], [30765], [34283], [35919], [36570], [46094].

Props bradleyt, fierevere, SergeyBiryukov, peterwilsoncc.
Merges [51883] to the 5.2 branch.
Fixes #54207. See #50828.

This ticket was mentioned in Slack in #core by circlecube. View the logs.


3 years ago

Note: See TracTickets for help on using tickets.