Can't update WordPress – SSL certificate problem – error:14090086:S

  • Resolved webdevelopment

    (@webdevelopment)


    9 years, 1 month ago

    This also happens when I try to get a new plugin or theme.

    I can fix it by overwriting the default WordPress ca-bundle.crt with a different .crt file that my system admin supplied.

    This works to fix the problem, but I have a lot of new customers signing up to use WordPress and I can’t keep logging into copy over a file for each new customer.

    I also see this problem ALL OVER the support forums and no-one has yet suggested a fix. They just simply close the support ticket and move on like nothing happened.

    Why does copying a different crt file work to fix this problem??

    Can someone help me get to the bottom of this?

    Here’s the fix:

    first backup the default WordPress ca-bundle.crt file:

    cp /home/username/domains/domainname.org/public_html/wp-includes/certificates/ca-bundle.crt /home/username/domains/domainname.org/public_html/wp-includes/certificates/ca-bundle.crt.bak

    Then replace it with the crt file provided by my system admin.

    cp /root/cacert.pem /home/username/domains/domainname.org/public_html/wp-includes/certificates/ca-bundle.crt

    I haven’t installed SSL certificates in years so I don’t even remember what these crt files do, but it appears to be some kind of public/private key system.

    The biggest question is why the default WordPress ca-bundel.crt file is not working out of the box?

    Update WordPress

    Warning: An unexpected error occurred. Something may be wrong with www.ads-software.com or this server’s configuration. If you continue to have problems, please try the support forums. (WordPress could not establish a secure connection to www.ads-software.com. Please contact your server administrator.) in /usr/home/username/domains/domainname.com/public_html/wp-admin/includes/update.php on line 115

    Downloading update from https://downloads.www.ads-software.com/release/wordpress-4.3.1-no-content.zip…

    Download failed.: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

    Installation Failed

Viewing 15 replies - 16 through 30 (of 55 total)
  • WPChina

    (@wordpresschina)

    Hi @dd32: many thanks for your help!

    truecho

    (@kuleanadesign)

    Hi @dd32

    I’m seeing this issue appear with some of the sites we manage, all which are with the same host.

    Is there some easy way for me to determine whether I should: a) replace the current wp-includes/certificates/ca-bundle.crt with the one provided by Marcelo above, or b) contact my host to ask whether their server uses ‘severely outdated components?

    I have the same problem ??

    I FIEXD it when i enabled ‘openssl’ in php.ini of my server host.

    Moderator Dion Hulse

    (@dd32)

    Meta Developer

    @kuleanadesign you can try the ca-bundle.crt file directly from www.ads-software.com, if that fixes it then it’ll be fixed in 4.4.1:
    https://core.svn.www.ads-software.com/trunk/wp-includes/certificates/ca-bundle.crt

    Dion it worked. thanks.

    Alex

    (@bald_technologist)

    Replacing the current wp-includes/certificates/ca-bundle.crt with the one from core did the trick for me as well. Thanks for the help everyone.

    This explains why the WordPress ca bundle doesn’t work on many servers
    It isn’t fully WordPress fault, but they are partly responsible in that they are jumping the gun in removing the old certs that are still valid until 2017, replacing them with new ones and breaking the trust chain
    https://myonlinesecurity.co.uk/wordpress-4-4-update-breaks-itself-with-ssl-certificate-problem-unable-to-get-local-issuer-certificate/

    From what I can find out this seems to be a particular problem on CentOS 5 servers using cpanel. It is almost certainly related to the Openssl version that Cpanel use which is stuck on 0.98.x rather than the newer 1.x.x versions that come with newer server OS versions. However CentOS 5 is still supported and in very common use in hosting companies and dedicated servers.

    There is a discussion about this on https://stackoverflow.com/questions/29943932/curl-php-ssl-unable-to-verify-server-side-but-not-always which explains the full technical reasons for this and why the millions of users that have older but still supported server OS. OpenSSl cannot be updated on these servers

    Many users cannot update OpenSSL to a newer version without changing servers that use a different newer OS with all the associated downtime and problems that causes.

    Moderator Dion Hulse

    (@dd32)

    Meta Developer

    https://myonlinesecurity.co.uk/wordpress-4-4-update-breaks-itself-with-ssl-certificate-problem-unable-to-get-local-issuer-certificate/ is partially incorrect, This issue has been resolved with the 4.4.1 release. The issue impacted any sites whose SSL certs were rooted in one of the removed 1024bit certificates – www.ads-software.com was not one of those.

    If anyone is still experiencing this issue with 4.4.1 we’d like to hear from you – as you’ve got a broken OpenSSL install whose behaviour doesn’t match most other servers. We’ve seen this before and the fix for those servers broke SSL for a large chunk of others.

    WPChina

    (@wordpresschina)

    Yes the problems appear to have gone now, but I’m not sure if it’s because we did a mass update of certs or because of the latest WP version ??

    Moderator Dion Hulse

    (@dd32)

    Meta Developer

    Yes the problems appear to have gone now, but I’m not sure if it’s because we did a mass update of certs or because of the latest WP version ??

    The latest update would’ve overwritten any changes you made to the core files ??

    WPChina

    (@wordpresschina)

    The latest update would’ve overwritten any changes you made to the core files ??

    Then problem solved~

    The 4.4.1 update caused the problem on my server and on many others that I have heard about
    The first time I ever had this problem was with 4.4. I replaced the certificate bundle and everything worked
    4.4.1 update and I needed to manually replace the bundle again on all sites on the server. I have been informed of about 100 similar occurrences so 4.4.1 has not fixed the problem, at least not on Cpanel CentOS5 using OpenSSL 0.98

    Moderator James Huff

    (@macmanx)

    OpenSSL 0.98 is probably the problem, or at least it causes very similar problems.

    Is there any chance you can update that? The current release is 1.0.2e.

    You cannot update 0.98 on a centos 5 cpanel server.
    the only way is to update centos, which means moving to a new server and that costs a lot of money and downtime and other associated problems.

    I know that will need to be done when Cent OS 5 is EOL in 2017, but until then or I find some spare money for hosting. I am stuck and so are millions of other users with this problem.

    Moderator James Huff

    (@macmanx)

    Ah, that is unfortunate, who is your hosting provider?

Viewing 15 replies - 16 through 30 (of 55 total)
  • The topic ‘Can't update WordPress – SSL certificate problem – error:14090086:S’ is closed to new replies.