WordPress and Corporate SSL Certificates

After installing an update to WordPress I routinely see the following error when trying to use the “Update Network” function of my multisite installation:

Warning! Problem updating https://example.com/oneofmyMUsites. Your server may not be able to connect to sites running on it. Error message: SSL certificate problem: unable to get local issuer certificate

I run WordPress on an IIS server with correctly configured SSL certificates. Of course, PHP does not use the built-in Windows certificate store for validating Certificate Authorities. It instead maintains a separate bundle of CA certs in [wordpress install dir]\wp-includes\certificates\ca-bundle.crt. If you have a CA that is one one of the ones in that built-in bundle, you will encounter errors. You need to add you CA’s certificate to the bundle, which is unfortunately not a straightforward process.

  1. Open the Windows Certificates Manager
  2. Export your Root CA cert to a “Base-64 encoded X.509 (.CER)” format file
  3. Open that certificate in any text editor (notepad is fine) and copy the entire contents to your clipboard
  4. Open the previously-mentioned ca-bundle.crt file with an editor that understand linux-style line endings (Wordpad (be careful when saving), Notepad++, gVIM, etc). Notepad.exe will not work
  5. Paste the contents of the exported certificate to the bottom of the ca-bundle.crt file and save
  6. Run “Upgrade Network” again and watch as it works!

Keep in mind that you will have to re-apply this fix every time you update WordPress as the ca-bundle.crt file is overwritten during the upgrade process.