[wp-trac] [WordPress Trac] #52614: Cloudflare Root Certificate Missing

WordPress Trac noreply at wordpress.org
Wed Mar 17 16:24:45 UTC 2021


#52614: Cloudflare Root Certificate Missing
-----------------------------+----------------------
 Reporter:  thesimarchitect  |       Owner:  (none)
     Type:  defect (bug)     |      Status:  closed
 Priority:  normal           |   Milestone:
Component:  Security         |     Version:
 Severity:  minor            |  Resolution:  wontfix
 Keywords:                   |     Focuses:
-----------------------------+----------------------
Changes (by desrosj):

 * keywords:  reporter-feedback close =>
 * status:  new => closed
 * resolution:   => wontfix
 * milestone:  Awaiting Review =>


Comment:

 Ah! #3 is definitely why this is happening. While your use case does make
 sense and I can see why you would want to do that, the certificate above is
 not meant to be trusted as a root certificate (only for connections to
 Cloudflare), so I don't think it would be right for WordPress to add this
 cert to the trusted list. In most cases, seeing an error here would indicate
 an incorrectly configured site.

 This also explains why the certificate above is not already on the list
 (Mozilla and Cloudflare do work closely on security initiatives).

 Since this is something happening as a result of your specific setup, I
 recommend setting up some code to accomplish what you need long term to
 avoid having to add your certificate after every update.

 The certificate list used within the WordPress HTTP API is passed by
 absolute path through the `sslcertificates`
 [https://core.trac.wordpress.org/browser/branches/5.7/src/wp-includes/class-http.php#L136 argument].
 You can use the `http_request_args` filter
 ([https://core.trac.wordpress.org/browser/branches/5.7/src/wp-includes/class-http.php#L232 src])
 to specify a new crt file with your needed certificate tacked on. But, make
 sure to maintain this file, or perhaps, regenerate it on a cron by adding
 your certificate at the end of the list provided by WordPress.

 Just in case someone stumbles upon the suggestion above randomly in the
 future, **this approach could potentially be insecure if implemented
 incorrectly and care should be taken**.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52614#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
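The following is an added example of the approach desrosj sketches above (a `http_request_args` filter that points `sslcertificates` at a bundle consisting of WordPress's own `ca-bundle.crt` plus one extra certificate); it is not code from the ticket, from desrosj, or from WordPress core. It assumes two constants set in `wp-config.php`, `WP_EXTRA_CA_CERT` (path to the PEM file) and `WP_EXTRA_CA_HOSTS` (comma-separated hostnames), and the `exca_` function names and the `uploads/private-ca` directory are choices made here. It addresses the two hazards in the comment: the extra certificate is used only for requests to the listed hosts, so it never becomes a trust anchor for anything else, and the combined file is regenerated automatically whenever either input changes (for instance when a core update replaces `ca-bundle.crt`), rather than being hand-maintained.

```php
<?php
/**
 * Plugin Name: Extra CA for specific hosts (example, not WordPress core code)
 *
 * Assumptions (not part of the ticket):
 *   WP_EXTRA_CA_CERT  - PEM file readable by PHP, not writable by the web user.
 *   WP_EXTRA_CA_HOSTS - comma-separated hostnames that need the extra cert.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/** Hostnames that get the combined bundle; everything else keeps the stock one. */
function exca_trusted_hosts() {
	if ( ! defined( 'WP_EXTRA_CA_HOSTS' ) ) {
		return array();
	}
	return array_map( 'strtolower', array_map( 'trim', explode( ',', WP_EXTRA_CA_HOSTS ) ) );
}

/**
 * Path to a bundle of WordPress's ca-bundle.crt plus the extra certificate.
 * The file name is bound to a hash of both inputs, so a changed core bundle or
 * extra cert produces a new file instead of a stale one. Returns null on any
 * problem so the caller keeps the stock bundle rather than a broken file.
 */
function exca_combined_bundle_path() {
	$core_bundle = ABSPATH . WPINC . '/certificates/ca-bundle.crt';
	$extra       = defined( 'WP_EXTRA_CA_CERT' ) ? WP_EXTRA_CA_CERT : '';

	if ( ! is_readable( $core_bundle ) || ! is_readable( $extra ) ) {
		return null;
	}

	$extra_pem = file_get_contents( $extra );
	// Refuse anything that is not a parseable X.509 certificate, so a wrong or
	// tampered file cannot silently be appended to the trust store.
	if ( false === $extra_pem || false === openssl_x509_parse( $extra_pem ) ) {
		return null;
	}

	$upload = wp_upload_dir();
	$dir    = trailingslashit( $upload['basedir'] ) . 'private-ca';
	$key    = hash( 'sha256', hash_file( 'sha256', $core_bundle ) . hash( 'sha256', $extra_pem ) );
	$target = $dir . '/ca-bundle-' . $key . '.crt';

	if ( is_readable( $target ) ) {
		return $target; // already generated for this exact pair of inputs
	}
	if ( ! wp_mkdir_p( $dir ) ) {
		return null;
	}
	// Not secret, but there is no reason to serve it over the web (Apache 2.4 syntax).
	if ( ! file_exists( $dir . '/.htaccess' ) ) {
		file_put_contents( $dir . '/.htaccess', "Require all denied\n" );
	}

	$core_pem = file_get_contents( $core_bundle );
	if ( false === $core_pem ) {
		return null;
	}

	// Write to a temp file and rename, so a concurrent request never reads a partial bundle.
	$tmp = $target . '.' . wp_generate_password( 12, false ) . '.tmp';
	if ( false === file_put_contents( $tmp, rtrim( $core_pem ) . "\n" . trim( $extra_pem ) . "\n" ) ) {
		return null;
	}
	chmod( $tmp, 0644 );
	if ( ! rename( $tmp, $target ) ) {
		@unlink( $tmp );
		return null;
	}
	return $target;
}

/** Swap in the combined bundle only for requests to the configured hosts. */
function exca_http_request_args( $parsed_args, $url ) {
	$host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
	if ( '' === $host || ! in_array( $host, exca_trusted_hosts(), true ) ) {
		return $parsed_args;
	}
	$bundle = exca_combined_bundle_path();
	if ( null !== $bundle ) {
		$parsed_args['sslcertificates'] = $bundle;
		$parsed_args['sslverify']       = true; // never trade the extra cert for disabled verification
	}
	return $parsed_args;
}
add_filter( 'http_request_args', 'exca_http_request_args', 10, 2 );
```

Because the generated file name changes with each new input pair, a core update leaves the previous `ca-bundle-<hash>.crt` behind; a cleanup on `upgrader_process_complete` or a scheduled WP-Cron task can delete files whose hash no longer matches. Scoping by hostname is the part that keeps this from being the "potentially insecure" variant the comment warns about: a certificate meant only for one origin should never be presented to cURL as a trust anchor for every outbound request the site makes.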