Error connecting to MailChimp: SSL certificate problem:

Hey all,

I’ve just pushed out another update which tries to detect the faulty OpenSSL version and disables SSL verification for this. Please note that this is just a workaround, but at least it will get your sign-ups working again.

If you ask your host to update OpenSSL, SSL verification will automatically be enabled again once OpenSSL is at a version not experiencing this bug.

Now, the mechanism may be too strict or too loose so if you’re still seeing errors, please consider using this one-liner.

Explicitly disable SSL verification

add_filter( 'mc4wp_use_sslverify', '__return_false' );

Explicitly enable SSL verification

add_filter( 'mc4wp_use_sslverify', '__return_true' );

I hope this helps, let’s hope a real fix will be included in WordPress core soon, although from the looks of it the issue is quite a pain to replicate. ??

@digitek,

What distro are you running? Would love to know the exact PHP version + distro for your environments. That would be of great help in debugging this issue for the WP Core team.

Hi Danny, I did post the info above as well.
I currently have 16 instances of WordPress running on various virtual machines, I think 12 or so use your MailChimp plugin. I did not have any trouble with the SSL issue on any of the Linux machines, I can give details but run a little of everything from Debian 7 & 8 to Ubuntu using native stacks, turnkey, bitnami and xampp.

I had the issue on 2 machines, and both are Windows 10 with XAMPP, those servers have no certificates / are http only.

Apache/2.4.12 (Win32)
OpenSSL/1.0.1l
PHP v5.6.8
MYSQL v5.6.24
cURL Information 7.40.0

I also upgraded to 3.07, but it did not resolve the issue.
If you need anything else, just let me know.

One other thing to consider…
Both of the sites I have trouble with use a MySQL Server that is NOT localhost (it is on another machine), but I suspect that is hardly uncommon, nor should it really be a factor, but stranger things have happened.

Hi Danny,

I applied your latest update and it has fixed my issue – thanks for that ??

I called godaddy support to try to get OpenSSL updated to 1.0.1f but they cannot as it is a shared hosted server.

It sounds like the update you provided is a temporary fix until you can get more of this sorted out, so I thought this info might be useful.

Thanks again!

Hello people. For a solution without having to patch plugin code nor upgrading the server OS, you can refer here for a solution:
https://www.ads-software.com/support/topic/cant-update-wordpress-ssl-certificate-problem-error14090086s?replies=13#post-7769227

@marcelo Temporarily solved the issue for me, thanks for posting!

Great!
Thank you very much, Danny van Kooten!

This code fixed that bug:

add_filter( 'http_request_args', function( $args, $url ) {
	// only act on requests to api.mailchimp.com
	if( strpos( $url, 'api.mailchimp.com' ) === false ) {
		return $args;
	}

	$args['sslverify'] = false;
	return $args;
}, 10, 2 );

Hey all,

For a simpler fix, you can also use the following code (since version 3.0.7).

add_filter( 'mc4wp_use_sslverify', '__return_false' );

This will be fully & properly fixed in WordPress 4.4.1 which will be released very soon! ??

I’m not willing to disable certificate verification as it breaks SSL. I’m still working through this. I will post a follow-up when I have a resolution. Some installation data and my results so far are include below for review.

I have two Debian Jessie servers running WordPress instances.

Both have the following package versions:
apache2:amd64/jessie 2.4.10-10+deb8u3 uptodate
curl:amd64/jessie 7.38.0-4+deb8u2 uptodate
mysql-server:all/jessie 5.5.46-0+deb8u1 uptodate
openssl:amd64/jessie 1.0.1k-3+deb8u2 uptodate
php5:all/jessie 5.6.14+dfsg-0+deb8u1 uptodate

The server that runs WordPress from stand alone instances in user directories is having no difficulty with MailChimp for WordPress.

The server that is running the Debian WordPress package (4.1+dfsg-1+deb8u7) is failing to validate the SSL certificates.

The results are consistent whether using the curl -v https://us1.api.mailchimp.com/3.0/?apikey=test or directly from the WP plugin.

The MD5 sum of the ca-bundle.crt file on both servers is 978976c7bbfab9219a6f0a8a66a4da6f (in the users WP install directory on the host that works, and /usr/share/wordpress/wp-includes/certificates/ on the deb install)

Neither machine has curl.cainfo set in any php.ini file.

I just reran the curl test (from the CLI) and specified the /usr/share/wordpress/wp-includes/certificates/ca-bundle.crt with the –cacert option and it worked. For whatever reason, it appears (for me at least) that the problem is being caused by curl not using the ca-bundle.

Minor update – no resolution yet.

Further analysis shows that the working server is using the /etc/ssl/certs directory as its CA Path. The broken server is using the same path when it fails.

MD5 sums of /etc/ssl/certs/ca-certificates.crt differ on the machines, but that seems appropriate since that file would include different local certificates in addition to the common Root CA certs.

It feels like a kludge that’s probably asking to break things in the future (like whenever Debian rolls out a security update to the wordpress package). For now, editing /usr/share/wordpress/wp-includes/class-http.php to use 'sslcertificates' => '/usr/share/wordpress/wp-includes/certificates/ca-bundle.crt', has fixed the problem from within WordPress.

Hey Link P,

Please note that issue is fully resolved in WordPress 4.4.1 – it had something to do with the order of certificates in the certificate bundle that WordPress ships with.

Please see https://core.trac.www.ads-software.com/ticket/34935 for more details.

Hope that helps. If not, let me know!