Fun with WordPress
Note – this is a discussion and solution for a technical problem for a WordPress instance that uses an SSL certificate signed by a non-public CA. If you don’t care about this sort of thing, please move your eyes down to the next section.
The error text that I saw in the new-to-me Site Health page following upgrading to WordPress 5.4:
cURL error 60: SSL certificate problem: unable to get local issuer certificate
The error above was generated because WordPress/PHP couldn’t verify the site certificate. When this is broken, the impact can be significant on a WordPress instance. Some features just don’t work quite right. Auto updating can fail, and so on.
The context here is that for a variety of internal and external sites, I use site-specific SSL certificates that are signed by our internal CA. That’s a good thing, because prior to Let’s Encrypt, it was easy to spend a bunch of money on SSL certificates from a reputable source. We won’t discuss the non-reputable sources. Since I’m using an external resource for caching and web app firewalling, I am able to use the internally signed certificate for several external sites as well.
With the most recent update adding Site Health as a core feature, this error surfaced for me on a couple of sites. It took a couple of hours and some false starts before I found this solution.
In the WordPress file tree, there’s a file at
wp-includes/certificates/ca-bundle.crt (using UNIX-style slashes). This is the file of CA certificates that WordPress and the PHP functions use to verify a certificate is valid. Tryijg to get WordPress and PHP to use the system CA certs file (which has my Root Certificate added as a trust source) was a non-starter, although I tried. So I copied the text of my Internal Root Certificate into the
wp-includes/certificates/ca-bundle.crt file. Boom! Problem solved … for now.
The downside of this solution is that any given WordPress update in the future may (will?) overwrite that file with newer info, and will once again exclude my Internal Root Certificate. So I created a text file that contained an identifying header string and the Internal Root Certificate. I then wrote a shell script to check the
wp-includes/certificates/ca-bundle.crt for that header string, and if not found, adds the content of the text file to the ca-bundle.crt file. That shell script runs once a day in the wee hours of the morning.
Now, anytime there’s a WordPress update that overwrites ca-bundle.crt, by the next morning, the Internal Root CA certificate will be back in place, and things will continue humming along nicely.
Staying at Home
We continue to stay at home, which is a good thing.
I’ll ask you to determine for yourself if it’s a good thing that some people who, for reasons of politics, mistrust etc., continue to gather in groups, putting themselves and their loved ones at heightened risk of severe illness and death. I personally would rather that people be sane and safe. But bailing any water at all from the deeply stupid side of the gene pool can only be for the good of humanity, in the long term.
I didn’t do any yardwork this weekend. We did a number of other inside chores, including re-loading shelves and such after dealing with a multi-phased ant invasion.
Additionally, on the yardwork front, I will point out that planting veggies HAS brought the usual effects on to our region: We had two overnight frosts in the last week, and we’re due for one more on Tuesday night. I’ve been tarping the veggie beds for those events, and so far haven’t lost plants to them.
While I was dealing with a training event late last week, I ran across the first picture we took of Lexi on her gotcha date in March 27, 2010:
Nothing particular to report here. Be well, okay?