Moodle / MDL-36903

Download pre-check for plugin ZIP packages

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.4
    • Fix Version/s: 2.4
    • Component/s: Administration
    • Labels:
    • Testing Instructions:

      Testing difficulty: HARD (requires root access to the machine)

      In this test, you are about to simulate a situation of missing certificate for the certification authority (CA) that signed the HTTPS certificate for moodle.org sites. Previously, the absence of the certificate caused ugly error screens at the end of the deployment process. We want to make sure that the 'Install this update' button is not displayed at all.

      1. Please use the test instructions from MDL-35238 and prepare the fake.php script to replace the default one. Make it so that fake.php will report an available update and the download URL of the zip will be at https://moodle.org/plugins/... (the real URL of a ZIP uploaded into the Plugins).
      2. TEST: Check for available updates and make sure the available update for your plugin is reported.
      3. Now we must remove DigiCert's certificate from your operating system. Please refer to your SSL compile-time configuration to find out the paths where SSL certs are stored. On my machine, certificates are in /etc/ssl/certs/ and the one we want to remove (move it somewhere so you can put it back after testing!) is called DigiCert_High_Assurance_EV_Root_CA.pem. It may have a different name on your machine, but it should be the one published at https://www.digicert.com/digicert-root-certificates.htm as the "DigiCert High Assurance EV Root CA".
      4. Once that certificate is missing from your OS, reload the page that informs you about available updates.
      5. TEST: Make sure that no "Install this update" button is displayed. Instead, you should see "Can not download the package" help link (with "More help" link that does not lead to any existing docs page yet). Please note, if you have removed some certificate and the button is still there, the chances are that you removed the wrong certificate. Please double check before you fail this test. Thanks.
      6. Now, download the file https://www.digicert.com/testroot/DigiCertHighAssuranceEVRootCA.crt and put it into moodledata/moodleorgca.crt
      7. Reload the page that informs you about available updates again.
      8. TEST: Make sure the "Install this update" button is displayed again.
      9. TEST: Make sure the plugin can be updated via that button.

      Note: Instead of fake.php, you can use the default provider and some plugin that already has a 2.4 version published in the Plugins directory
      Note: If you have a site with missing DigiCert already, just skip the step with moving it to a temporary place.
      Note: There is moodledata/mdeploy/mdeploy.log file that may contain useful information for you (this info will be added to docs)

    • Affected Branches:
      MOODLE_24_STABLE
    • Fixed Branches:
      MOODLE_24_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-36903-updates-ssl
    • Rank:
      46438

      Description

      As experienced by some early testers (see https://moodle.org/mod/forum/discuss.php?d=216584&parent=943531 for example), mdeploy.php can easily run into problems with fetching ZIPs via SSL (typically outdated certificates at the machine, old cURL library installed etc). It would be nice to try and fetch a small file from the repository (or maybe just a HEAD request?) over HTTPS to make sure the download is expected to succeed in mdeploy.php. If such a pre-check fails, a nice message would be displayed instead of the "Install this update" button.
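One way to implement the pre-check proposed in this description, as an added example that is not the code from the MDL-36903 branch. The function names and reason strings are hypothetical; it assumes PHP 7.1+ with the cURL extension, and the moodleorgca.crt file name is the one used in this issue.

```php
<?php
// Added example (not Moodle's code). Function names, array keys and reason
// strings are hypothetical; only the cURL calls and constants are real PHP API.

/** TLS options: verification stays on; a site-supplied CA file is optional. */
function example_tls_options(string $dataroot): array {
    $options = [
        CURLOPT_SSL_VERIFYPEER => true,  // validate the chain up to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match the host name
        CURLOPT_FOLLOWLOCATION => false, // only the URL being checked is contacted
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 20,
    ];
    // File name taken from the issue; when it exists it is passed to cURL
    // as the CA bundle for this request.
    $cafile = rtrim($dataroot, '/\\') . '/moodleorgca.crt';
    if (is_readable($cafile)) {
        $options[CURLOPT_CAINFO] = $cafile;
    }
    return $options;
}

/** Map a cURL error number and HTTP status to a pre-check verdict. */
function example_classify(int $errno, int $status): array {
    if ($errno === 60 || $errno === 51) {
        // 60: peer certificate cannot be verified with the known CA certs
        // 51: older libcurl code for a certificate that was deemed not OK
        return ['ok' => false, 'reason' => 'cert_not_trusted'];
    }
    if ($errno === 77) {
        // The CA file exists but cURL could not load it (format, access rights).
        return ['ok' => false, 'reason' => 'ca_file_unusable'];
    }
    if ($errno !== 0) {
        return ['ok' => false, 'reason' => 'transport_error'];
    }
    if ($status < 200 || $status >= 300) {
        return ['ok' => false, 'reason' => 'http_error'];
    }
    return ['ok' => true, 'reason' => 'downloadable'];
}

/**
 * HEAD request against the ZIP URL. The caller shows the install button
 * only when 'ok' is true; otherwise it links to the help page.
 */
function example_precheck_download(string $url, string $dataroot): array {
    // A plain-http URL would skip certificate checks entirely, so it is
    // reported as a failure instead of being fetched.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        return ['ok' => false, 'reason' => 'not_https', 'detail' => ''];
    }
    $ch = curl_init($url);
    // "+" keeps the integer option keys; array_merge() would renumber them.
    curl_setopt_array($ch, example_tls_options($dataroot) + [
        CURLOPT_NOBODY         => true, // HEAD: no package body is transferred
        CURLOPT_RETURNTRANSFER => true,
    ]);
    curl_exec($ch);
    $verdict = example_classify(
        curl_errno($ch),
        (int) curl_getinfo($ch, CURLINFO_HTTP_CODE)
    );
    $verdict['detail'] = curl_error($ch); // text suitable for a log file
    return $verdict;
}

// Offline demonstration on constructed (errno, HTTP status) pairs.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $samples = [[60, 0], [77, 0], [0, 404], [0, 200]]; // constructed values
    foreach ($samples as [$errno, $status]) {
        $v = example_classify($errno, $status);
        printf("errno=%d status=%d -> %s (%s)\n",
            $errno, $status, $v['ok'] ? 'show button' : 'hide button', $v['reason']);
    }
}
```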

      1. moodleorgca.crt
        251 kB
        Leo Furze-Waddock

        Issue Links

          Activity

          Aparup Banerjee added a comment -

          Is there a way to also automate the CA being trusted by the system or Moodle (or PHP) so that we can distribute the CA's credentials along with Moodle?

          i.e. what this seems to be implying: http://php.net/manual/en/function.m-setssl-cafile.php

          Michael de Raadt added a comment -

          Yes, unfortunately, we cannot assume all servers can make SSL cURL requests. For example, XAMPP (as distributed with the pre-built Windows distribution) does not.

          David Mudrak added a comment -

          FYI, the current plan is: The failed pre-check will lead to a docs page that will recommend 1) update OS certificates if possible or (if not, e.g. at shared hostings) 2) download the certificate from https://www.digicert.com/digicert-root-certificates.htm and upload it to moodledata. According to my testing, it should work. And if we change the CA, we will just update the docs page and they will download a different CA cert to moodledata.

          The patch is coming soon.

          David Mudrak added a comment -
          The following changes since commit f42c34a38a51de6f6202de430df9cdb9fcee6fe2:
          
            On demand release 2.4beta+ (2012-11-23 16:07:34 +0800)
          
          are available in the git repository at:
            git://github.com/mudrd8mz/moodle.git MDL-36903-updates-ssl
          
          David Mudrák (4):
                MDL-36903 Verify the SSL certificate of available updates provider
                MDL-36903 Pre-check the ZIP download before executing the mdeploy.php utility
                MDL-36903 Make mdeploy.php use the custom CA certificate if it exists
                MDL-36903 Add a link to Moodle documentation from mdeploy error pages
          
           admin/renderer.php |    9 +++++-
           lang/en/plugin.php |    6 ++++
           lib/pluginlib.php  |   67 +++++++++++++++++++++++++++++++++++++++++++++++++++-
           mdeploy.php        |   14 ++++++++++-
           4 files changed, 92 insertions(+), 4 deletions(-)
          
          
          David Mudrak added a comment -

          Rebased against v2.4.0-rc1

          Dan Poltawski added a comment -

          Testing this on OSX by:

          • Installing 2.3 version of topcoll course format
          • Setting 'required maturity' of updates to alpha level
          • Going to system keychain, telling OSX to not trust all DigiCert HA certificates
          • Doing curl test to ensure it's not trusting with system:
            curl https://moodle.org
            curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
            error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
            More details here: http://curl.haxx.se/docs/sslcerts.html
            
            curl performs SSL certificate verification by default, using a "bundle"
             of Certificate Authority (CA) public keys (CA certs). If the default
             bundle file isn't adequate, you can specify an alternate file
             using the --cacert option.
            If this HTTPS server uses a certificate signed by a CA represented in
             the bundle, the certificate verification probably failed due to a
             problem with the certificate (it might be expired, or the name might
             not match the domain name in the URL).
            If you'd like to turn off curl's verification of the certificate, use
             the -k (or --insecure) option.
            
          Dan Poltawski added a comment -

          Noticed that when I check for updates I get:

          Unable to fetch available updates data - unexpected cURL error.
          
          More information about this error
          
          Debug info: cURL error 60: SSL certificate problem, verify that the CA cert is OK. Details:
          error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
          Error code: err_response_curl
          Stack trace:
          line 832 of /lib/pluginlib.php: available_update_checker_exception thrown
          line 718 of /lib/pluginlib.php: call to available_update_checker->get_response()
          line 481 of /admin/index.php: call to available_update_checker->fetch()
          
          
          Dan Poltawski added a comment -

          It seems we must be missing some more pre permission checks, because I then got:

          Moodle deployment utility had a trouble with your request. See the docs page and the debugging information for more details.
          
          exception 'backup_folder_exception' with message 'Unable to backup the current version of the plugin (moving failed)' in mdeploy.php:755
          Stack trace:
          #0 mdeploy.php(1326): worker->execute()
          #1 {main}
          
          Dan Poltawski added a comment -

          Eek, that left me with an empty topcoll folder.

          Dan Poltawski added a comment -

          When I sorted out the directory permissions, I got:

          Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
          Warning: Cannot modify header information - headers already sent by (output started at /Users/danp/git/integration/mdeploy.php:1050) in /Users/danp/git/integration/mdeploy.php on line 1237
          
          Dan Poltawski added a comment -

          I have created two issues for the two things I discovered:

          MDL-36962 mdeploy.php needs to set default timezone
          MDL-36963 Automatic updates deployer needs to check directory permissions too

          Dan Poltawski added a comment -

          Integrated this now, thanks David.

          Dan Poltawski added a comment -

          Tested and passed, although note the linked issues I discovered while testing.

          I have added the docs_required flag to ensure we create these help pages for the certificate errors. We must remember to do it here, because nobody is gonna be able to do it unless they are deeply technically involved with this!

          Eloy Lafuente (stronk7) added a comment -

          Just in time for Moodle 2.4.0 release, thanks!

          Closing, ciao

          Martin Dougiamas added a comment -

          Why is the cert location in moodledata when there is already a /moodledata/mdeploy/auth directory?

          Martin Dougiamas added a comment -

          Tested again on a real site that needed this and it works, though we really need to document at

          http://docs.moodle.org/24/en/admin/mdeploy/notdownloadable and
          http://docs.moodle.org/24/en/error/core_plugin/err_response_curl

          David Mudrak added a comment -

          Why is the cert location in moodledata when there is already a /moodledata/mdeploy/auth directory?

          Because the moodleorgca.crt is used by the Moodle core itself, should it need it. Not just by mdeploy.php utility. The location has been discussed in the chat with no objections raised.

          Leo Furze-Waddock added a comment -

          I have downloaded the certificate from Digicert, renamed it moodleorgca.crt, placed it in the root of the moodledata directory which has full access permissions. Yet I still get the error below when checking for updates. I have updated pluginlib.php to use 'http' until I can resolve this issue.

          Debug info: cURL error 60: SSL certificate problem, verify that the CA cert is OK. Details:
          error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
          Error code: err_response_curl
          Stack trace:
          line 832 of \lib\pluginlib.php: available_update_checker_exception thrown
          line 718 of \lib\pluginlib.php: call to available_update_checker->get_response()
          line 481 of \admin\index.php: call to available_update_checker->fetch()

          Moodle v2.4+ (Build 20121208)
          SQL Server 2008 R2 Express with Advanced Services Service Pack 2
          Windows Server 2008 R2 Standard Edition Service Pack 1
          IIS 7.5
          PHP Version 5.3.13
          MS Drivers 3.0 for PHP v5.3 for SQL Server in IIS

          David Mudrak added a comment -

          Leo, can you please try and get the wget utility installed at your server. I found http://gnuwin32.sourceforge.net/packages/wget.htm by a quick googling, there might be alternatives though. Once you have it, we can try fetching the info via the command line.

          Leo Furze-Waddock added a comment -

          Hi David,

          Thanks for your response.

          I've installed wget and attempted to connect using no options:- It failed - Please see response below;

          C:\Program Files (x86)\GnuWin32\bin>wget https://download.moodle.org/api/1.1/updates.php

          SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
          syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc

          --2012-12-12 10:08:40--  https://download.moodle.org/api/1.1/updates.php
          Resolving download.moodle.org... 108.162.205.153, 108.162.204.153
          Connecting to download.moodle.org|108.162.205.153|:443... connected.
          ERROR: cannot verify download.moodle.org's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1': Unable to locally verify the issuer's authority.
          ERROR: certificate common name `moodle.org' doesn't match requested host name `download.moodle.org'.
          To connect to download.moodle.org insecurely, use `--no-check-certificate'.
          Unable to establish SSL connection.

          David Mudrak added a comment -

          OK, it seems that DigiCert has changed something. As you can see, the moodle.org's certificate has been signed by 'DigiCert High Assurance EV CA-1'. Please locate the cert at https://www.digicert.com/digicert-root-certificates.htm - it is listed among 'Intermediate Certificates' - and upload that one as moodleorgca.crt. Then try to check for updates again. Please let me know here how it goes. We might have to update the docs page.

          Leo Furze-Waddock added a comment -

          Sorry, no joy & no change

          I did what you said and even tried importing the certificate into the windows certificate store - Not sure PHP apps can access that though.

          Moodle Response

          Debug info: cURL error 60: SSL certificate problem, verify that the CA cert is OK. Details:
          error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
          Error code: err_response_curl
          Stack trace:
          line 832 of \lib\pluginlib.php: available_update_checker_exception thrown
          line 718 of \lib\pluginlib.php: call to available_update_checker->get_response()
          line 481 of \admin\index.php: call to available_update_checker->fetch()

          Wget Response

          C:\Program Files (x86)\GnuWin32\bin>wget https://download.moodle.org/api/1.1/updates.php

          SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
          syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc

          --2012-12-12 11:09:46--  https://download.moodle.org/api/1.1/updates.php
          Resolving download.moodle.org... 108.162.204.153, 108.162.205.153
          Connecting to download.moodle.org|108.162.204.153|:443... connected.
          ERROR: cannot verify download.moodle.org's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1': Unable to locally verify the issuer's authority.
          ERROR: certificate common name `moodle.org' doesn't match requested host name `download.moodle.org'.
          To connect to download.moodle.org insecurely, use `--no-check-certificate'.
          Unable to establish SSL connection.

          David Mudrak added a comment -

          And what does the wget say if you run it as

          C:\Program Files (x86)\GnuWin32\bin>wget --ca-certificate=C:\Provide\Path\To\Your\moodleorgca.crt https://download.moodle.org/api/1.1/updates.php
          
          Leo Furze-Waddock added a comment -

          no joy

          C:\Program Files (x86)\GnuWin32\bin>wget --ca-certificate=C:\inetpub\vhosts\staging.courses\moodledata\moodleorgca.crt https://download.moodle.org/api/1.1/updates.php

          SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
          syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc

          --2012-12-12 11:37:47--  https://download.moodle.org/api/1.1/updates.php
          Resolving download.moodle.org... 108.162.205.153, 108.162.204.153
          Connecting to download.moodle.org|108.162.205.153|:443... connected.
          ERROR: cannot verify download.moodle.org's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1': Unable to locally verify the issuer's authority.
          ERROR: certificate common name `moodle.org' doesn't match requested host name `download.moodle.org'.
          To connect to download.moodle.org insecurely, use `--no-check-certificate'.
          Unable to establish SSL connection.

          Leo Furze-Waddock added a comment - - edited

          wget docs state:

          --ca-certificate=file
          Use file as the file with the bundle of certificate authorities ("CA") to verify the peers. The certificates must be in PEM format.

          Perhaps I should try to source a bundle file from http://curl.haxx.se/docs/caextract.html

          I'll let you know how it goes

          Leo Furze-Waddock added a comment -

          OK - It's working now!

          It needs the ca-bundle.crt available at http://curl.haxx.se/ca/cacert.pem - Just copy the contents into a text file and rename it to moodleorgca.crt and place this in the root of the moodledata directory.

          Thanks for your help David - Much appreciated!

          FYI: wget still complains;

          C:\Program Files (x86)\GnuWin32\bin>wget --ca-certificate=C:\inetpub\vhosts\staging.courses\moodledata\moodleorgca.crt https://download.moodle.org/api/1.1/updates.php

          SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
          syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc

          --2012-12-12 21:25:13--  https://download.moodle.org/api/1.1/updates.php
          Resolving download.moodle.org... 108.162.205.153, 108.162.204.153
          Connecting to download.moodle.org|108.162.205.153|:443... connected.
          ERROR: certificate common name `moodle.org' doesn't match requested host name `download.moodle.org'.
          To connect to download.moodle.org insecurely, use `--no-check-certificate'.
          Unable to establish SSL connection.

          Leo Furze-Waddock added a comment -

          Source: http://curl.haxx.se/ca/cacert.pem

          ca-bundle.crt = copy contents of source above into text file. Rename to moodleorgca.crt
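
Added example (not part of the thread and not Moodle's code): the error strings quoted above come from OpenSSL, which by default trusts a CA file only if it lets the verifier build a path to a self-signed root, so a file holding just an intermediate does not verify. The script below builds a constructed root, intermediate and leaf (all names, including `download.example.test`, are made up) and uses `openssl verify` to test candidate CA files before one is deployed as moodleorgca.crt.

```shell
#!/bin/sh
# Constructed root -> intermediate -> leaf PKI; every name here is made up.
build_demo_pki() {                      # build_demo_pki DIR
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/pki.cnf" \
        -extensions ca_ext -subj "/CN=Constructed Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    issue int  root ca_ext   "Constructed Intermediate CA" 2
    issue leaf int  leaf_ext "download.example.test"       3
}

issue() {                               # issue NAME ISSUER EXT_SECTION CN SERIAL
    openssl req -newkey rsa:2048 -nodes -config "$dir/pki.cnf" -subj "/CN=$4" \
        -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$1.csr" -CA "$dir/$2.pem" -CAkey "$dir/$2.key" \
        -set_serial "$5" -days 2 -extfile "$dir/pki.cnf" -extensions "$3" \
        -out "$dir/$1.pem" 2>/dev/null
}

# check_ca_file CAFILE LEAF [SERVER_SENT_CHAIN] -> prints trusted|untrusted
check_ca_file() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    fi
    case $out in *": OK"*) echo trusted ;; *) echo untrusted ;; esac
}

demo=$(mktemp -d)
build_demo_pki "$demo"
cat "$demo/int.pem" "$demo/root.pem" > "$demo/bundle.pem"
echo "intermediate only:      $(check_ca_file "$demo/int.pem" "$demo/leaf.pem")"
echo "root + intermediate:    $(check_ca_file "$demo/bundle.pem" "$demo/leaf.pem")"
echo "root, server sends int: $(check_ca_file "$demo/root.pem" "$demo/leaf.pem" "$demo/int.pem")"
rm -rf "$demo"
```

Against a real server, the same `check_ca_file` call takes the candidate CA file, the server's leaf certificate and the chain the server actually sends, each saved as PEM.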

          Mary Cooch added a comment -

          (Housekeeping) Removing docs_required as I see the error pages have been documented.
