Ever since WordPress 3.7 started shipping a ca-bundle.crt in its wp-includes folder, I’ve had trouble whenever I upgrade my WordPress Network. I misunderstood the message “Warning! Problem updating https://SITENAME.” as meaning that one of my sites had a problem, but now I think it meant that the first site WordPress checked had failed and WordPress had no information about the rest of my sites.
First I had the “Error message: SSL certificate problem: self signed certificate in certificate chain” because I use a self-signed certificate. But Oiram gave me the solution: all I needed was to add my CA cert data to the ca-bundle.crt.
Next I had the “Error message: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure”. I had a hard time with this problem for more than two months. Finally, today I have the complete solution \(^o^)/.
Looking back now, I think the trouble had three issues.
- My client.crt had no ssl_client extension, so I re-made a client.crt with the ssl_client extension like this. The reference for this is “sslv3 alert handshake failure when using SSL client auth”.
  First, I added the following text to the end of my openssl.cnf.
    [ ssl_client ]
    basicConstraints = CA:FALSE
    nsCertType = client
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = clientAuth
    nsComment = "OpenSSL Certificate for SSL Client"
  And I made a new client.crt with the ssl_client extension.
    >openssl ca -config openssl.cnf -policy policy_anything -extensions ssl_client -in client.csr -out client.crt
  - With the old client.crt, I had the following two errors when I ran “openssl s_client -connect o6asan.com:443 -cert client.crt -key client.key -CAfile cacert.pem”. But the new one gives no error.
    - error:14094418:SSL routines:SSL3_READ_BYTES: ~
      error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure: ~
  - Of course, I also re-made a new clientcert.p12.
- At “Upgrade Network”, WordPress uses cURL. But cURL doesn’t accept P12 format certificates, so I need PEM format certificates.
  - To make a clientcert.pem from the clientcert.p12:
    >openssl pkcs12 -in clientcert.p12 -nokeys -clcerts -out clientcert.pem
  - To make a clientkey.pem from the clientcert.p12:
    >openssl pkcs12 -in clientcert.p12 -nocerts -out clientkey.pem
    To make a copy of the clientkey.pem and remove the pass phrase from it:
    >copy clientkey.pem cp_clientkey.pem
    >openssl rsa < cp_clientkey.pem > clientkey.pem
- To tell my WordPress the places of the client certificates.
  - To add the following lines just before the line “curl_setopt( $handle, CURLOPT_CAINFO, $r['sslcertificates'] );” in the file class-http.php.
    curl_setopt( $handle, CURLOPT_SSLCERT, 'the exact path of clientcert.pem' );
    curl_setopt( $handle, CURLOPT_SSLKEY, 'the exact path of clientkey.pem' );
    I hate changing WordPress core PHP scripts, so I tried and tried other methods, but nothing worked. In the end, I added the lines above to class-http.php.
  - To copy the clientcert.pem and the clientkey.pem to somewhere on the server; “somewhere” means a safer place that no one can access via the Internet.
    The reference for this is “Client URL Library”.
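A pre-flight check for the PEM pair before class-http.php points cURL at it, written as an added example that is not part of the original post: it tests the three things the steps above depend on (client usage in the certificate, no pass phrase on the key, key matching the certificate). It assumes a POSIX shell with openssl on the PATH; the names check_client_pair, make_samples and server_only are hypothetical, and the sample certificates are constructed throwaway data.

```shell
#!/bin/sh
# Added example, not from the original post. check_client_pair and
# make_samples are hypothetical helper names.

# check_client_pair CERT KEY: returns 0 only if the pair is usable by cURL.
check_client_pair() {
    cert=$1; key=$2
    # 1. The certificate must be allowed to act as an SSL client.
    openssl x509 -in "$cert" -noout -purpose 2>/dev/null \
        | grep -q '^SSL client : Yes' \
        || { echo "FAIL: $cert is not valid for SSL client use"; return 1; }
    # 2. The key must load with an empty pass phrase, i.e. be unencrypted.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) \
        || { echo "FAIL: $key is encrypted or unreadable"; return 2; }
    # 3. The key must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "FAIL: $key does not match $cert"; return 3; }
    echo "OK: $cert and $key can be used together"
}

# Constructed sample input in directory $1: a throwaway CA, one client key,
# a certificate issued with the post's ssl_client usage lines, a certificate
# for server use only (assumed failure case), and an encrypted key copy.
make_samples() {
    d=$1
    printf '%s\n' '[ ssl_client ]' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = clientAuth' \
        '[ server_only ]' 'basicConstraints = CA:FALSE' \
        'extendedKeyUsage = serverAuth' > "$d/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Sample CA' \
        -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=sample client' \
        -keyout "$d/clientkey.pem" -out "$d/client.csr" 2>/dev/null
    for s in ssl_client server_only; do
        openssl x509 -req -in "$d/client.csr" -days 1 -CA "$d/cacert.pem" \
            -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/ext.cnf" \
            -extensions "$s" -out "$d/$s.pem" 2>/dev/null
    done
    openssl rsa -in "$d/clientkey.pem" -aes256 -passout pass:sample \
        -out "$d/encrypted.pem" 2>/dev/null
}
```

Against the files from the steps above, the call would be check_client_pair clientcert.pem clientkey.pem; a non-zero return value identifies which of the three checks failed.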
If you need to know how to create certificates, see the post “WordPress: Administration Over SSL #1”.
Now the error is gone. I’m happy, clap, clap!!