WordPress, the popular blogging software written by Automattic, has a problem with self signed SSL certificates. Basically, they don’t work well in any of their newer software products or services.

In order to post an update, I must first log into my blog. This requires me to enter a username and password into a login box in the usual way. By default, WordPress does not use the secure HTTPS protocol for this; instead it sends the password in the clear over HTTP.

This is not good, so I, like many others, force WordPress to carry out login and administration functions over HTTPS. This is relatively straightforward, and well documented in WordPress’ own documentation, but it requires an SSL certificate.
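As an added example, not the post author’s own configuration, these are the wp-config.php lines that force the login page and the whole administration area over HTTPS. The proxy-header block covers the case the WordPress documentation warns about, where TLS terminates on a reverse proxy that talks plain HTTP to PHP; the header name X-Forwarded-Proto is an assumption about that proxy.

```php
<?php
// wp-config.php excerpt (added example, not the author's file).
// Both blocks must sit above the final require_once of wp-settings.php.

// When a reverse proxy or load balancer terminates TLS and forwards plain
// HTTP to PHP, WordPress cannot tell the client used HTTPS and would bounce
// between http and https in a redirect loop. Trust the proxy's
// X-Forwarded-Proto header (assumed header name) only when that proxy is the
// sole path to PHP and always overwrites the header itself.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
	&& 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
	$_SERVER['HTTPS'] = 'on';
}

// Serve wp-login.php and everything under /wp-admin/ over HTTPS only, so the
// username and password from the login box are never sent in the clear.
define( 'FORCE_SSL_ADMIN', true );
```

With a self signed certificate this is all that is needed on the WordPress side; the browser warning described below is the only visible difference from a purchased certificate.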

You can obtain an SSL certificate in one of two ways. Either you pay a third party issuer to give you one (which has the benefit of not triggering a warning in the browser), or you generate one yourself – a so called “Self Signed” certificate.

Self signed certificates are perfectly valid, but browsers will display a warning on sites which use them. That is a problem if you’re running a public facing service, but not if it’s just for your own private blog, and crucially the traffic is still encrypted.

The Problem

Unfortunately WordPress doesn’t seem to like self signed certificates.

The iOS WordPress client once worked fine with self signed certificates, but this functionality was removed in an update a few months ago. Attempts to connect now display an error about the certificate’s self signed status but, unlike every browser, will not give you the option to proceed.

Jetpack, which is now replacing much of the functionality previously provided by separate WordPress plugins (most importantly WordPress stats), is completely broken.

When you attempt to activate the plugin, Jetpack complains about being unable to communicate with the site with the following error:

Error Details: The Jetpack server was unable to communicate with your site [IXR -32300: transport error: http_request_failed SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed]

There is no way to bypass this, since the cURL error originates on the Jetpack servers and would require a code change at their end to allow the self signed certificate.

WordPress remain tight-lipped

I am not alone in encountering these problems, but so far attempts to contact WordPress/Automattic for support by various mechanisms have all gone unanswered.

It is a legitimate position that certificate failures caused by self signed certificates should be fatal. Personally, I think providing a mechanism to bypass these errors for those who know what they’re doing is a better solution, but making them fatal is defensible from a security standpoint.

I could resolve this issue by buying a certificate, although I have a number of good reasons, some financial and some technical, for why I have not yet done so. If Automattic were to point blank refuse to support self signed certificates in their products then I would have to find a way of making it work.

I also accept the possibility that I could have made a mistake in configuration, although I’m not sure what this could possibly be, and it is only Automattic products that are having issues.

I accept all this, however all requests for support in forum threads and direct, from myself and others, go unanswered. Bug reports for the iOS client are months old and are ignored. Similarly, direct support requests to Jetpack go unanswered.

Automattic: If self signed certificates are a feature that just won’t be supported, then please communicate with me and your other users, or at least update your FAQ. If you think I’ve made a configuration error then please say so. Please communicate, because this silence is infuriating!

Update 20/11/12: After much chasing around I’ve got a response, about Jetpack at least. It seems that not allowing self signed certificates was originally a design decision (a clearer error message would have been nice!); however, this decision has been rethought and it is now seen as a bug. There is currently no time-scale as to when the issue will be addressed.

6 thoughts on “Using WordPress with self signed SSL Certificates”

  1. Thanks for the info! I actually grabbed a Comodo one a little while ago, after losing patience with the whole thing. Good to know the StartSSL ones work as well (just grabbed a bunch today for a number of sites, seem to work)!

  2. Anyone running the WordPress administration in multisite mode with self-signed certificates may run into the problem that Jetpack updates do not work.
    That is because WordPress has been verifying SSL certificates strictly for quite some time now.
    There is no configuration option to switch this off, which is a good thing for most users.
    For people who use self-signed certificates, however, it is extremely annoying.
    Since people who use self-signed certificates usually know what they are doing, here is a short patch that switches this verification off globally.
    Global really means global: with this patch, not a single certificate is checked any more!
    The option to verify SSL certificates is set in the class WP_Http in the file wp-includes/class-http.php. The class has a method request, at the start of which an array named $defaults is initialised. This array contains the key 'sslverify', which is initialised with the value true. If you change this initialisation to false, verification of SSL certificates is switched off.
    Here is the patch:

    
    diff -Nur wp-includes.orig/class-http.php wp-includes/class-http.php
    --- wp-includes.orig/class-http.php     2013-11-02 20:13:38.000000000 +0100
    +++ wp-includes/class-http.php  2013-12-28 18:45:24.900418576 +0100
    @@ -80,7 +80,7 @@
                            'body' => null,
                            'compress' => false,
                            'decompress' => true,
    -                       'sslverify' => true,
    +                       'sslverify' => false,
                            'sslcertificates' => ABSPATH . WPINC . '/certificates/ca-bundle.crt',
                            'stream' => false,
                            'filename' => null,
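Review bot: changing the default in $defaults switches off peer verification for every request WP_Http makes, not only loopback requests to this site’s self-signed host, and the comment above says exactly that. The narrower fix is to leave `'sslverify' => true,` untouched and instead append the site’s own certificate to the bundle named on the very next context line, `'sslcertificates' => ABSPATH . WPINC . '/certificates/ca-bundle.crt',` (or point that key at a copy that includes it), so verification still runs and trusts only the one certificate in question.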
    

    I have published the patch here because I am asked about it often.
    What I would recommend is using a verifiable certificate with the correct domain.
    References
    PHP CURL HTTPS causing exception SSL certificate problem, verify that the CA cert is OK
    What WordPress scripts use curl – having problems with SSL CA authentication
    Using WordPress with self signed SSL Certificates
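The comment above switches certificate verification off for the whole install. As an added example, not part of WordPress, Jetpack or the commenter’s patch, the must-use plugin below takes the opposite approach for the same multisite loopback case: it keeps sslverify enabled and, only for requests WordPress makes to its own host, swaps the CA bundle for one that has the site’s self-signed certificate appended. It uses the http_request_args filter and the sslcertificates argument that the patch’s context lines show; the bundle path and the plugin name are assumptions.

```php
<?php
/*
Plugin Name: Trust own self-signed certificate (added example)
Description: Keeps SSL verification on but lets WordPress verify its own
             self-signed certificate on loopback requests. Example code,
             not part of WordPress or Jetpack. Drop into wp-content/mu-plugins/.
*/

// PEM file you maintain outside core: a copy of wp-includes/certificates/
// ca-bundle.crt with the site's self-signed certificate appended.
// Assumed path; core updates never touch it.
define( 'EXAMPLE_OWN_CA_BUNDLE', WP_CONTENT_DIR . '/certs/ca-bundle-with-own-cert.crt' );

/**
 * 'http_request_args' callback. Requests to any other host pass through
 * unchanged, so verification of Automattic's or anyone else's servers is
 * exactly what WordPress ships with.
 *
 * @param array  $args Request arguments (the $defaults array after merging).
 * @param string $url  Request URL.
 * @return array
 */
function example_trust_own_cert( $args, $url ) {
	$request_host = strtolower( (string) parse_url( $url, PHP_URL_HOST ) );
	$site_host    = strtolower( (string) parse_url( home_url(), PHP_URL_HOST ) );

	// Not a request to ourselves: leave every setting alone.
	if ( '' === $request_host || $request_host !== $site_host ) {
		return $args;
	}

	// Bundle missing or unreadable: fail closed and keep the stock bundle,
	// which will reject the self-signed certificate as before.
	if ( ! is_readable( EXAMPLE_OWN_CA_BUNDLE ) ) {
		return $args;
	}

	$args['sslverify']       = true;                   // never disable verification
	$args['sslcertificates'] = EXAMPLE_OWN_CA_BUNDLE;  // verify against the extended bundle
	return $args;
}
add_filter( 'http_request_args', 'example_trust_own_cert', 10, 2 );
```

Two caveats. Hostname checking still applies, so the self-signed certificate must carry the site’s real host name, otherwise the request fails even with the extended bundle. And this only helps requests the WordPress install makes to itself (update checks, cron and similar loopback calls in a multisite setup); the Jetpack activation error in the post originates on Jetpack’s servers, where no local setting can change what their cURL trusts.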


  3. Unfortunately this issue still exists in 2015. It’s a real shame that WordPress doesn’t take security seriously, particularly for smaller blogs that don’t have the budget to renew overly expensive certificates each year. Thankfully later this year we’ll have letsencrypt.com providing free certificates, but what to do for now…

  4. You can use startssl.com, which gives a year-long SSL cert. Accepting self signed certs combined with cert pinning for private blogs shouldn’t be a security risk, so I’m not sure why they haven’t done so.

    Ahh well, letsencrypt will be along shortly, so hopefully this’ll solve many of these problems, and arguably solve them in a better way than allowing self signed.
