[Plugin: Online Backup for WordPress] Backup failure

Hi,

Is the error still happening over and over again?
Have you contacted your host about the issue as it seems to be a problem with your web site contacting our servers.

Jason.

Hi,

I’m getting this HTTPS error to, but only since upgrading to the current (2.2.3) version. Worked fine prior to that. Error is:

[Error Code http_request_failed] error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none

As an aside, I’ve got php code on the same machine doing https transactions to remote servers and they all work fine.

btw – I have no CAfile at the error msg location.

Hi raoulew,

What version were you on prior? Do you remember? I will check our code and make sure we didn’t cause this.

Jason.

Hi Jason,

I don’t remember the version, but it was whatever was available on 25 April at 2:34pm (GMT+10), when it was upgraded from it’s previous of 1.0.3 (it was a blog brought back to life).

The HTTPS errors start on 5 May after upgrading to 2.2.3.

Cheers,
Raoul

Hi Raoul,

I’ve done a bit of research and asked a few people, and this error is caused by the web host. It must be coincidence that the errors started when you upgraded to 2.2.3 – the actual HTTPS request we make and the settings used for the request haven’t ever changed since the original release of version 2.0.0.

If you raise a support ticket with your host they’ll most likely be able to resolve the error for you. You could refer them to this URL which someone posted about how they solved the issue:

https://curl.haxx.se/mail/curlphp-2005-11/0038.html

Jason.

Hi Jason,

Thanks for that. We’re actually our own host, so for the benefit of anyone else, here’s how we fixed things.

A recent php upgrade somehow (we think) wiped out the CA bundle file, so using the error message as the basis, we simply replaced it by:

mkdir /etc/ssl/certs
cd /etc/ssl/certs
wget https://curl.haxx.se/ca/cacert.pem // most up-to-date from the curl dev site
mv cacert.pem ca-certificates.crt

And all fixed! Thanks for your help!

Cheers,
Raoul

Hi raoulew,

Excellent. We’ll be sure to note that if anyone else has the issue.

Thanks,

Jason

I have a WordPress site where this is happening, but we are hosted on Windows/IIS7/etc. Can I get an overview of the issue and how it is being fixed in a way that I can apply the logic to my hosting environment? Are we simply saying that the plugin developer is using a self-signed cert and I need to get my server’s cert store to consider their stuff valid?

Hi Accuraty,

For Windows it will just need Windows Update running – I believe the update is “Update for Root Certificates for Windows <Version>”

We’re not using a self-signed cert. We’re using one signed by a trusted certificate authority. However, it appears your installation doesn’t have the public root certificates for the authority. Generally this means they are out of date as they eventually expires and need replacing, and as key strengths increase new certificates are introduced for them.

Just to overview – I’m sure you’ll know most but it’s here for the record:
We make a “SSL” certificate and then need to “sign” it.
We could self-sign – but a client computer would not understand the signature and not trust it since it could be signed by anyone.
If we get Verisign to sign it, the client computer would only trust it if it knew of Verisign and had a copy of Verisign’s “Signing” certificate.
In this instance, the client computer doesn’t know about our certificate authority.

Generally computers will update their root list constantly over time, and periodically download “revocation” lists where certificates have been revoked before the expire time.

Ours is trusted by Microsoft and OpenSSL, Mozilla and Google, Apple and Opera etc. so it should generally be trusted on your machine – but as I said, only if it’s keeping it’s trusted lists up to date.

Regards,

Jason

The server is Windows Server 2008 R2. All Windows Updates including optional and are in place rebooted, etc. “Give me updates for Microsoft products and check for new…” is also checked. There are no hidden updates. I have also read this and verify that The Update Root Certificates feature is on.
https://technet.microsoft.com/en-us/library/cc771121(WS.10).aspx

Any additional advice on how I can pinpoint the cert on my server that is not getting updated?

Hi Accuraty,

A good test is go on the server, then browse to https://wordpress.backup-technology.com/
If you get a certificate error, there is an issue with your root certificates.
EDIT You won’t get an error if your issue is the one I describe below.

I may have given you incorrect information earlier for which I apologise. I read back up the topic and I was thinking a different one…

[Error Code http_request_failed] error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none

Is this the error you are getting? If it is, the issue is with the PHP installation. The CURL configuration needs to be told where to find the CA root certificates.

I found this on PHP documentation site that might help:
https://php.net/manual/en/function.curl-setopt.php

Please everyone, stop setting CURLOPT_SSL_VERIFYPEER to false or 0. If your PHP installation doesn’t have an up-to-date CA root certificate bundle, download the one at the curl website and save it on your server:
https://curl.haxx.se/docs/caextract.html
Then set a path to it in your php.ini file, e.g. on Windows:
curl.cainfo=c:\php\cacert.pem
Turning off CURLOPT_SSL_VERIFYPEER allows man in the middle (MITM) attacks, which you don’t want!

Sorry for the incorrect info earlier!

Jason

On the server I am able to browser to https://wordpress.backup-technology.com/ without any browser warnings about the cert.

I downloaded the PEM and added the setting/path/file to php.ini. IIS7 displays it, so it looks like everything should be working. I will have the client test it. Thanks!

No problem! Hopefully that will hit the nail on the head.

I am so sorry, after 2+ hours logged work, the client deleted the module instead of testing it like I had requested. I have no idea and no conclusion to this. I appreciate your help!