I have upgraded my Multisite setup WordPress to 3.6.1. And after that, when I do Network Upgrade > Database Upgrade it's showing:

Warning! Problem updating http://www.example/site1. Your server may not be able to connect to sites running on it.

Error message: Peer certificate cannot be authenticated with known CA certificates

What happened please?


Info

  • I'm currently running the Site under Trusted Wildcard SSL (not self-signed), but installed on the Load-balancer only. (Apache Servers don't (need to) have the Cert installed, apparently.) Is this the root cause?
  • The Database is at Amazon RDS (with the default settings) which is not with SSL there.
Asked Sep 23, 2013 at 9:48 by 夏期劇場; edited Aug 28, 2015 at 2:55.

9 Answers

If possible, you should try and fix the cause of this error - invalid SSL certificates. But there are some instances where this is not possible or desirable. One obvious one being development sites using self-signed SSL certs.

One way around this is to set $ssl_verify to false before line 1161 of wp-includes/class-http.php:

curl_setopt( $handle, CURLOPT_SSL_VERIFYHOST, ( $ssl_verify === true ) ? 2 : false );

The way I've done this in the past is by adding:

$ssl_verify = false;

To line 1159, before doing a multi-site upgrade and removing it afterwards. It looks like there should be a much more sophisticated way of doing this. Judging by the code around it, you should be able to pass the parameter sslverify=false, but that doesn't appear to work (probably because the upgrade wrapper doesn't pass through the parameters).

To avoid making changes to Core I would un-do this change once you have completed the upgrade.

I don't know if this will help or not, but it's worth a try. Create a Must Use plugin and drop in these lines; see the code comments:

<?php
/* Plugin Name: Network upgrade exception */

// Run only in the Upgrade screen
add_action( 'load-upgrade.php', 'add_filter_wpse_115279' );

function add_filter_wpse_115279()
{
    add_filter( 'http_request_args', 'apply_filter_wpse_115279', 10, 2 );
}

// http://core.trac.wordpress/browser/tags/3.6.1/wp-admin/network/upgrade.php#L68 
// wp_remote_get( $upgrade_url, array( 'timeout' => 120, 'httpversion' => '1.1' ) );
// This function will end up calling WP_Http class, where we can use the filter http_request_args
function apply_filter_wpse_115279( $args, $url )
{
    # Adjust var <----------------------------------
    $ms_domain_to_check = 'http://example/site1/';
    if( FALSE !== strpos( $url, $ms_domain_to_check ) )
    {
        $args['sslverify'] = false;
    }
    return $args;
}

/**
 * Full list of arguments in
 * http://core.trac.wordpress/browser/tags/3.6.1/wp-includes/class-http.php#L84

  $defaults = array(
    'method' => 'GET',
    'timeout' => apply_filters( 'http_request_timeout', 5),
    'redirection' => apply_filters( 'http_request_redirection_count', 5),
    'httpversion' => apply_filters( 'http_request_version', '1.0'),
    'user-agent' => apply_filters( 'http_headers_useragent', 'WordPress/' . $wp_version . '; ' . get_bloginfo( 'url' ) ),
    'reject_unsafe_urls' => apply_filters( 'http_request_reject_unsafe_urls', false ),
    'blocking' => true,
    'headers' => array(),
    'cookies' => array(),
    'body' => null,
    'compress' => false,
    'decompress' => true,
    'sslverify' => true,
    'stream' => false,
    'filename' => null,
    'limit_response_size' => null,
  );

*/

That error is probably due to the use of cURL in the WordPress multisite updating process. By default cURL will try to verify the SSL certificate with an accepted CA in a bundled set of CA certificates.

You have at least four options:

  1. Make sure you are using the latest version of cURL in your PHP installation to ensure the set of used CAs is updated.

  2. Manually set the path to your SSL certificate:

    curl_setopt($connection, CURLOPT_SSL_VERIFYPEER, 1);
    // Use the same handle for both options; replace the string with the path to your CA bundle
    curl_setopt($connection, CURLOPT_CAINFO, "path:/ca-bundle.crt");

  3. Bypass the SSL verification:

    curl_setopt($connection, CURLOPT_SSL_VERIFYPEER, false);

  4. Check your SSL certificate is valid and issued by an accepted CA.

For options 2 and 3 you may need to filter the arguments used by WordPress to make the http requests.
See @brasofilo's answer, it may work.

Anyway, you should investigate why the verification of the SSL is failing instead of just bypassing it.

In many cases, you may use the following filter to disable local ssl verification. This is useful for self-signed certificates errors.

add_filter('https_local_ssl_verify', '__return_false');

The current version v4.3.0 determines if a request is "local" with the following, in wp-includes/class-http.php

// Determine if this request is to OUR install of WordPress.
$homeURL = parse_url( get_bloginfo( 'url' ) );
$r['local'] = 'localhost' == $arrURL['host'] || ( isset( $homeURL['host'] ) && $homeURL['host'] == $arrURL['host'] );
unset( $homeURL );

In some cases, the local consideration may not work, in which case you may consider the more inclusive filter, add_filter('https_ssl_verify', '__return_false');

Multisite installations with mixed http and https schemes may find more information on trac, upgrade.php fails with mixed HTTPS (SSL) and simple HTTP sites

Regardless, a manual workaround is to visit each child site's /wp-admin/upgrade.php

Another related description, http://scottnelle/683/ssl-error-upgrading-wordpress-multisite-network/

It is possible to upgrade/update the database for each child site individually by visiting:

https://rootsite/subsite/wp-admin/upgrade.php

See also related core trac ticket, Database is not upgraded in multisite if loopback is disabled

As mentioned before Scott Nelle suggests this:

Create a file in wp-content/mu-plugins/ and name it something like network-upgrade-ignore-ssl.php. Put the following in the file:

<?php
   add_filter('https_ssl_verify', '__return_false');
   add_filter('https_local_ssl_verify', '__return_false');
?>
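The two filters above turn verification off for every HTTPS request WordPress makes; this added example (not from the original answer or from Scott Nelle's post) limits the exception to the loopback call to upgrade.php?step=upgrade_db on hosts you list. The host names, function names and sample URLs are assumptions made for illustration.

```php
<?php
/* Plugin Name: Network upgrade: scoped sslverify exception (added example) */

// Assumption: the hosts of the sites in this network; replace with your own.
const WPSE_UPGRADE_HOSTS = array( 'www.example.test', 'site2.example.test' );

// True only for the loopback call made by wp-admin/network/upgrade.php:
// an allow-listed host, the upgrade.php script, and step=upgrade_db.
function wpse_is_network_upgrade_url( $url, array $hosts ) {
    $p = parse_url( $url );
    if ( ! is_array( $p ) || empty( $p['host'] ) || empty( $p['path'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $p['host'] ), $hosts, true ) ) {
        return false; // exact host match, not a substring test on the URL
    }
    $script = '/wp-admin/upgrade.php';
    if ( substr( $p['path'], -strlen( $script ) ) !== $script ) {
        return false;
    }
    parse_str( isset( $p['query'] ) ? $p['query'] : '', $q );
    return isset( $q['step'] ) && 'upgrade_db' === $q['step'];
}

function wpse_scoped_sslverify( $args, $url ) {
    if ( wpse_is_network_upgrade_url( $url, WPSE_UPGRADE_HOSTS ) ) {
        $args['sslverify'] = false; // every other request keeps verification
    }
    return $args;
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: register only while the upgrade screen is loading.
    add_action( 'load-upgrade.php', function () {
        add_filter( 'http_request_args', 'wpse_scoped_sslverify', 10, 2 );
    } );
} else {
    // Stand-alone check (php this-file.php) on constructed sample URLs.
    $samples = array(
        'https://www.example.test/site1/wp-admin/upgrade.php?step=upgrade_db',
        'https://updates.example.test/plugin.zip',
        'https://www.example.test.other.test/wp-admin/upgrade.php?step=upgrade_db',
    );
    foreach ( $samples as $u ) {
        $args = wpse_scoped_sslverify( array( 'sslverify' => true ), $u );
        echo ( $args['sslverify'] ? 'verify   ' : 'NO VERIFY' ), '  ', $u, PHP_EOL;
    }
}
```

Run stand-alone, only the first sample URL loses verification; the other two keep `sslverify` set to true.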

On a WordPress multisite instance at AWS EC2 Hosting we got a similar problem, a curl6 error, while updating the network after adding a new site to WP and to the DNS records, with an "A" record resolving to the same network's static IP.

Actually this was very simple: it was just the Database Transits that were causing these issues. We used the free version of WP-Optimize to Run All Optimizations, then upgraded the Network, and this worked.

Modifying core files with $ssl_verify = false; (Not Recommended) was not a solution for us, as we are using Google AMP Native "Standard Mode", which needs SSL to be verified at every point.

For SSL we are using Really Simple SSL (Free); that too is to be activated on the URL for better use.

Thanks.

I am using Wordpress 3.8.1 and I changed line 67 of wp-admin/network/upgrade.php and added , 'sslverify' => false like this:

--- a/wp-admin/network/upgrade.php      2014-03-29 14:31:28.081943490 +0100
+++ b/wp-admin/network/upgrade.php      2014-03-29 14:30:52.785947460 +0100
@@ -64,7 +64,7 @@
                        $upgrade_url = admin_url( 'upgrade.php?step=upgrade_db' );
                        restore_current_blog();
                        echo "<li>$siteurl</li>";
-                       $response = wp_remote_get( $upgrade_url, array( 'timeout' => 120, 'httpversion' => '1.1' ) );
+                       $response = wp_remote_get( $upgrade_url, array( 'timeout' => 120, 'httpversion' => '1.1', 'sslverify' => false ) );
                        if ( is_wp_error( $response ) )
                                wp_die( sprintf( __( 'Warning! Problem updating %1$s. Your server may not be able to connect to sites running on it. Error message: <em>%2$s</em>' ), $siteurl, $response->get_error_message() ) );
                        do_action( 'after_mu_upgrade', $response );
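Review bot: the added wp_remote_get() line passes 'sslverify' => false unconditionally, so certificate verification is off for every $upgrade_url this screen requests, including sites whose certificates would validate, and nothing in the hunk records why. Because the change sits in wp-admin/network/upgrade.php it also has to be re-applied after each core update. Consider leaving the call as it was and setting the argument from an http_request_args filter limited to the affected site, or at least add a comment above the call explaining the exception.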

This way the verification is only disabled in this specific case and with a patch file you can easily apply the changes after an upgrade:

# go to the directory with wp-admin/ in it
cd wordpresshomedir

# run again without --dry-run if there are no errors
patch --dry-run -p1 < ../disable-sslverify.patch

The right solution is checking the server TIME. If it is wrong SSL doesn't work fine.
