Strange error: cURL error 60: SSL certificate problem

Hi @mikeazores,

This issue is not directly caused by PhastPress. OpenSSL or the certificate trust store on your server is out of date. You can ask your hosting provider to update their software.

–Albert

Hi @kiboit. Thanks for your prompt response.

I’m running my own dedicated server and I already checked OpenSSL and certificate trust store.

I have OpenSSL 1.1.1 which seems to be ok. Regarding certificate trust store, it is working ok (I did some test using SSLabs and SSLShopper SSL Checker and the ISRG Root X1 root certificate is running as it should (I got also feedback from LetsEncrypt forum and it seems it is okay).

Can it be the PHP CURL configuration?

Regards. Miguel

Note: In this response show you some tests from a different domain (plaza82.es instead of abaco44.es) because the plaza82.es is running without Cloudflare and the certificate is issued from Lets Encrypt. Nevertheless, the problem also persists in plaza82.es

• This reply was modified 3 years, 1 month ago by mikeazores.

Hi @mikeazores,

Maybe I spoke too soon. Either PhastPress or WordPress might ship their own certificate store and this might cause the problem. I will check.

In any case the issue is not with the server, but with the client. So if it is not due to the bundled certificate store (I will check whether this is the case) it is due to outdated PHP, cURL or OpenSSL linked to PHP/cURL.

–Albert

Hi @mikeazores,

PhastPress uses the certificate bundle shipped by WordPress, which is located in wp-includes/certificates/ca-bundle.crt.

Even though it shouldn’t matter (because you’re using a recent OpenSSL version), this certificate bundle still contains the expired root certificate.

You might try manually updating this file with the version from the WordPress GitHub repo where the offending certificate was removed a few days ago:

https://raw.githubusercontent.com/WordPress/WordPress/master/wp-includes/certificates/ca-bundle.crt

–Albert

Hi @mikeazores,

And just in case there’s some bug that causes PhastPress to use its own bundled certificate bundle (which is shipped with Phast, the underlying library), I’ve just released version 2.1 which also updates that bundle.

–Albert

Hi @kiboit

Thank you for the info and efforts.

I updated WordPress certificate and tried again with PhastPress 2.0 (before updating to 2.1) and IT IS WORKING.

I just noticed in my phpinfo :
OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.1.1g 21 Apr 2020
OpenSSL Header Version OpenSSL 1.1.1g 21 Apr 2020

However, in CURL module, I have: SSL Version OpenSSL/1.0.1t
They don’t match. I hope this was not the issue…

Once again, thank you a lot, Albert.

Regards. — Miguel

• This reply was modified 3 years, 1 month ago by mikeazores. Reason: Forgot to close

Hi @mikeazores,

However, in CURL module, I have: SSL Version OpenSSL/1.0.1t

This is exactly the issue. So your PHP has been built with an older OpenSSL version. Probably if you recompile PHP the root cause would be fixed. But in any case updating the certificate bundle is a suitable workaround as well.

–Albert

This is exactly the issue. So your PHP has been built with an older OpenSSL version.

Brillant! Will update that ASAP. Thanks

Morning All. Out of interest, will this error actually cause any issues? I get the error but images still look optimised.

Will this get fixed with the next WP update, assuming it ships with the updated SSL?

Thanks

Hi @klwd,

Yes, it might cause issues such as unoptimized images or CSS. But most of your site’s resources will still be cached from before, so you won’t notice in this case.

I would hope that the next WordPress update includes the updated certificates, but of course I can’t say for certain.

–Albert