#54207 closed defect (bug) (fixed)
ca-bundle.crt contains expired certificate DST Root CA X3
Reported by: | bradleyt | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 5.8.2 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Security | Keywords: | fixed-major |
Focuses: | Cc: |
Description
Last night we started getting warnings in our logs related to failed API calls through wp_safe_remote_post
:
WP HTTP API Error: cURL error 60: SSL certificate problem: certificate has expired.
It turns out the URL we were hitting was using LetsEncrypt, and the LetsEncrypt intermediate certificate DST Root CA X3
expired on September 30, 2021: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ (Specifically the API calls were to https://wp-rocket.me/ as part of the WP Rocket licence validation logic. Visiting this domain in the browser shows the SSL certificate as being totally valid).
The wordpress/wp-includes/certificates/ca-bundle.crt
file still contains this expired certificate. Removing this DST Root CA X3
section resolved the SSL errors we were seeing in our logs.
I'd be surprised if we're the only team to have experienced this, so I'd like to propose that the DST Root CA X3
certificate is removed from ca-bundle.crt
.
Related #50828
Change History (25)
#3
@
3 years ago
- Owner set to SergeyBiryukov
- Resolution set to fixed
- Status changed from new to closed
In 51883:
#4
follow-ups:
↓ 5
↓ 7
@
3 years ago
- Keywords fixed-major added
- Resolution fixed deleted
- Status changed from closed to reopened
Reopening for 5.8.2 consideration, and potentially backporting to older branches too.
#5
in reply to:
↑ 4
@
3 years ago
Replying to SergeyBiryukov:
Reopening for 5.8.2 consideration, and potentially backporting to older branches too.
We were hit by the same problem, so we would be grateful if the patch has been backported to older branches too.
This ticket was mentioned in Slack in #core by sergey. View the logs.
3 years ago
#7
in reply to:
↑ 4
@
3 years ago
Replying to SergeyBiryukov:
Reopening for 5.8.2 consideration
We would also appreciate this being released with 5.8.2, as we are currently unable to manually update ca-bundle.crt in our hosting environment (core WP files are locked down).
#8
@
3 years ago
Note: I found no feasible way how to tell WordPress to not use the wordpress/wp-includes/certificates/ca-bundle.crt
file, so I had to start patching this file manually. That said if there's going to be a patch version (security) update that does not contain the fix from [51883], I'll have to repatch all websites again as soon as they self-update... EDIT: I realized that patch version update only changes added and edited files.
#9
follow-up:
↓ 11
@
3 years ago
You should be able to tell WP to use a certificate bundle of your choice by using the http_request_args
filter and setting the $r['sslcertificates']
argument.
The fix of removing the DST Root CA X3 certificate, however, is not working for me (whether I edit the ca-bundle.crt file built in to WordPress or try to specify a new one using the above method).
#10
@
3 years ago
I think I (mostly) figured it out. The fix in this ticket will work for some sites but not all.
When the server is using cURL with an old version of OpenSSL, and the expired DST Root certificate is still present in the system certificate store, then the fix in this ticket is not enough to resolve the issue. This is because cURL will always use the certificates in the system store, even if another bundle is specified, and older versions of OpenSSL will stop and report an error when they encounter an expired certificate chain.
I wrote a plugin that will fix/workaround this issue in the most secure way possible for a given site: https://github.com/ClassicPress-research/cp-ssl-fix
#11
in reply to:
↑ 9
;
follow-up:
↓ 12
@
3 years ago
Replying to jnylen0:
You should be able to tell WP to use a certificate bundle of your choice by using the
http_request_args
filter and setting the$r['sslcertificates']
argument.
I noticed that - my intention however was to only unset the certificate bundle set by WordPress, so only default certificate bundle as provided by webhost is used (the webhost already has patched the default certificate bundle).
#12
in reply to:
↑ 11
@
3 years ago
Replying to chesio:
my intention however was to only unset the certificate bundle set by WordPress
From some quick testing, it looks like the closest you can do is to set a new bundle with a small number of certificates (1 certificate would probably work, but an empty file always generates an error for me).
I would still opt for setting a custom certificate bundle with everything that WP includes, but only the DST Root certificate removed. The other certificates included by WP will help with compatibility for requests to other servers.
The plugin I linked above should be able to fix the issue for you automatically, let me know if not.
#13
@
3 years ago
@SergeyBiryukov
Reopening for 5.8.2 consideration, and potentially backporting to older branches too.
We're facing the same issue, in a scenario similar to @bradleyt 's (license validation). It would be great if this was at least confirmed to be included in 5.8.2.
This ticket was mentioned in Slack in #core by desrosj. View the logs.
3 years ago
#16
@
3 years ago
This will be included in WordPress 5.8.2 scheduled for release on November, 10, 2021.
I'll leave this closed for now, but it can be reopened and backported to older branches when/if a security release happens for those older versions.
It will help for OpenSSL 1.0.x based systems, some people still run WordPress using that old software.