[wp-trac] [WordPress Trac] #54207: ca-bundle.crt contains expired certificate DST Root CA X3
WordPress Trac
noreply at wordpress.org
Fri Oct 1 10:50:55 UTC 2021
#54207: ca-bundle.crt contains expired certificate DST Root CA X3
--------------------------+-----------------------------
Reporter: bradleyt | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Last night we started getting warnings in our logs related to failed API
calls through `wp_safe_remote_post`:

`WP HTTP API Error: cURL error 60: SSL certificate problem: certificate has expired.`

It turns out the URL we were hitting was using LetsEncrypt, and the
LetsEncrypt intermediate certificate `DST Root CA X3` expired on September
30, 2021:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
(Specifically the API calls were to https://wp-rocket.me/ as part of the
WP Rocket licence validation logic. Visiting this domain in the browser
shows the SSL certificate as being totally valid).

The `wordpress/wp-includes/certificates/ca-bundle.crt` file still contains
this expired certificate. Removing this `DST Root CA X3` section resolved
the SSL errors we were seeing in our logs.

I'd be surprised if we're the only team to have experienced this, so I'd
like to propose that the `DST Root CA X3` certificate is removed from
`ca-bundle.crt`.

Related #50828
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54207>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
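
A check for the condition this ticket reports, an entry in a PEM bundle such as `ca-bundle.crt` that is past its notAfter date, written as an added example that is not part of the ticket or of WordPress. The function names are hypothetical, and the sample bundle is constructed from skeleton entries that carry only a validity period (no key or signature); the same walk applies to a real bundle read from disk.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos: return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der_bytes):
    """Return the notAfter time of a DER-encoded X.509 certificate (UTC)."""
    _, pos, _ = _tlv(der_bytes, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(der_bytes, pos)          # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der_bytes, pos)
    pos = end if tag == 0xA0 else pos         # skip the optional [0] version field
    for _field in ("serialNumber", "signature", "issuer"):
        _, _, pos = _tlv(der_bytes, pos)      # step over each field before Validity
    _, pos, _ = _tlv(der_bytes, pos)          # Validity SEQUENCE
    _, _, pos = _tlv(der_bytes, pos)          # step over notBefore
    tag, start, end = _tlv(der_bytes, pos)    # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    when = datetime.strptime(der_bytes[start:end].decode("ascii"), fmt)
    if tag == 0x17 and when.year >= 2050:     # RFC 5280: UTCTime YY >= 50 means 19YY
        when = when.replace(year=when.year - 100)
    return when.replace(tzinfo=timezone.utc)

def expired_entries(pem_text, now=None):
    """Return [(position_in_bundle, notAfter)] for entries expired at `now`."""
    now = now or datetime.now(timezone.utc)
    dates = [not_after(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]
    return [(i, d) for i, d in enumerate(dates) if d < now]

# Constructed sample input: skeleton entries carrying only a validity period.
def der(tag, body=b""):
    return bytes([tag, len(body)]) + body     # short-form length, bodies < 128 bytes
def sample_pem(not_after_text):
    validity = der(0x30, der(0x17, b"000101000000Z") + der(0x17, not_after_text))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30) + der(0x30) + validity)
    body = base64.encodebytes(der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = sample_pem(b"210930000000Z") + sample_pem(b"350101000000Z")

if __name__ == "__main__":
    for index, expiry in expired_entries(SAMPLE_BUNDLE):
        print(f"bundle entry {index} expired on {expiry:%Y-%m-%d %H:%M} UTC")
```

To scan an actual bundle, pass the file's text to `expired_entries` instead of `SAMPLE_BUNDLE`.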