MDL-36903

Download pre-check for plugin ZIP packages

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.4
    • Fix Version/s: 2.4
    • Component/s: Administration
    • Labels:
    • Testing Instructions:

      Testing difficulty: HARD (requires root access to the machine)

      In this test, you simulate a missing certificate for the certification authority (CA) that signed the HTTPS certificate for moodle.org sites. Previously, the absence of the certificate caused ugly error screens at the end of the deployment process. We want to make sure that the 'Install this update' button is not displayed at all.

      1. Please use the test instructions from MDL-35238 and prepare the fake.php script to replace the default one. Make it so that fake.php will report an available update and the download URL of the zip will be at https://moodle.org/plugins/... (the real URL of a ZIP uploaded into the Plugins).
      2. TEST: Check for available updates and make sure the available update for your plugin is reported.
      3. Now we must remove DigiCert's certificate from your operating system. Please refer to your SSL compile-time configuration to find out the paths where SSL certs are stored. On my machine, certificates are in /etc/ssl/certs/ and the one we want to remove (move it somewhere so you can put it back after testing!) is called DigiCert_High_Assurance_EV_Root_CA.pem. It may have a different name on your machine, but it should be the one published at https://www.digicert.com/digicert-root-certificates.htm as the "DigiCert High Assurance EV Root CA".
      4. Once that certificate is missing from your OS, reload the page that informs you about available updates.
      5. TEST: Make sure that no "Install this update" button is displayed. Instead, you should see a "Can not download the package" help link (with a "More help" link that does not lead to any existing docs page yet). Please note, if you have removed some certificate and the button is still there, chances are that you removed the wrong certificate. Please double-check before you fail this test. Thanks.
      6. Now, download the file https://www.digicert.com/testroot/DigiCertHighAssuranceEVRootCA.crt and put it into moodledata/moodleorgca.crt
      7. Reload the page that informs you about available updates again.
      8. TEST: Make sure the "Install this update" button is displayed again.
      9. TEST: Make sure the plugin can be updated via that button.

      Note: Instead of fake.php, you can use the default provider and some plugin that already has a 2.4 version published in the Plugins directory
      Note: If you have a site with missing DigiCert already, just skip the step with moving it to a temporary place.
      Note: There is moodledata/mdeploy/mdeploy.log file that may contain useful information for you (this info will be added to docs)

    • Affected Branches:
      MOODLE_24_STABLE
    • Fixed Branches:
      MOODLE_24_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-36903-updates-ssl

      Description

      As experienced by some early testers (see https://moodle.org/mod/forum/discuss.php?d=216584&parent=943531 for example), mdeploy.php can easily run into problems with fetching ZIPs via SSL (typically outdated certificates at the machine, old cURL library installed etc). It would be nice to try and fetch a small file from the repository (or maybe just a HEAD request?) over HTTPS to make sure the download is expected to succeed in mdeploy.php. If such a pre-check fails, a nice message would be displayed instead of the "Install this update" button.
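
The pre-check described above, written out as an added PHP example; it is not the patch from this issue and not Moodle's code. The function names `ca_bundle_for()` and `precheck_download()`, the redirect limit and the timeouts are assumptions; `moodleorgca.crt` in the data directory is the file named in this issue.

```php
<?php
// Added example; not Moodle's code. Function names, redirect limit and
// timeouts are assumptions. moodleorgca.crt is the file name from this issue.

/**
 * Path of the admin-supplied CA certificate in the data directory, or null
 * to fall back to the CA store cURL was built with.
 */
function ca_bundle_for(string $dataroot): ?string {
    $custom = rtrim($dataroot, '/\\') . DIRECTORY_SEPARATOR . 'moodleorgca.crt';
    return (is_file($custom) && is_readable($custom)) ? $custom : null;
}

/**
 * Send a HEAD request for the package URL with certificate verification on.
 * The caller shows the install button only when 'ok' is true.
 */
function precheck_download(string $url, string $dataroot): array {
    $result = ['ok' => false, 'http' => 0, 'errno' => 0, 'error' => '', 'cainfo' => null];

    // Never pre-check (or later download) a package over plain HTTP.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        $result['error'] = 'download URL is not HTTPS';
        return $result;
    }

    $ch = curl_init($url);
    if ($ch === false) {
        $result['error'] = 'cURL could not be initialised';
        return $result;
    }

    $options = [
        CURLOPT_NOBODY          => true,            // HEAD: headers only, no ZIP body
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // no redirect down to http
        CURLOPT_SSL_VERIFYPEER  => true,            // chain must end at a trusted CA
        CURLOPT_SSL_VERIFYHOST  => 2,               // certificate must match the host name
        CURLOPT_CONNECTTIMEOUT  => 10,
        CURLOPT_TIMEOUT         => 20,
    ];
    $cainfo = ca_bundle_for($dataroot);
    if ($cainfo !== null) {
        // Use the uploaded certificate as the CA file for this request.
        $options[CURLOPT_CAINFO] = $cainfo;
        $result['cainfo'] = $cainfo;
    }
    curl_setopt_array($ch, $options);

    curl_exec($ch);
    $result['errno'] = curl_errno($ch);
    $result['error'] = curl_error($ch);
    $result['http']  = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);

    // A verification failure (cURL error 60 in this issue) leaves 'ok' false;
    // there is no retry with verification switched off.
    $result['ok'] = ($result['errno'] === 0 && $result['http'] === 200);
    return $result;
}

// Command-line use: php precheck.php <package-url> <dataroot>
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    if ($argc !== 3) {
        fwrite(STDERR, "usage: php {$argv[0]} <package-url> <dataroot>\n");
        exit(2);
    }
    $r = precheck_download($argv[1], $argv[2]);
    echo 'CA file:  ', $r['cainfo'] ?? '(system default)', "\n";
    echo 'HTTP:     ', $r['http'], "\n";
    echo 'cURL:     ', $r['errno'], ' ', $r['error'], "\n";
    echo $r['ok']
        ? "Result:   download expected to succeed, show the install button\n"
        : "Result:   pre-check failed, show the help link instead\n";
    exit($r['ok'] ? 0 : 1);
}
```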

        1. moodleorgca.crt
          251 kB
          Leo Furze-Waddock

          Issue Links

            Activity

            Aparup Banerjee added a comment -

            Is there a way to also automate the CA being trusted by the system or Moodle (or PHP) so that we can distribute the CA's credentials along with Moodle?

            ie: what this seems to be implying http://php.net/manual/en/function.m-setssl-cafile.php

            Michael de Raadt added a comment -

            Yes, unfortunately, we cannot assume all servers can make SSL cURL requests. For example, XAMPP (as distributed with the pre-built Windows distribution) does not.

            David Mudrak added a comment -

            FYI, the current plan is: The failed pre-check will lead to a docs page that will recommend 1) update OS certificates if possible or (if not, e.g. on shared hosting) 2) download the certificate from https://www.digicert.com/digicert-root-certificates.htm and upload it to moodledata. According to my testing, it should work. And if we change the CA, we will just update the docs page and they will download a different CA cert to moodledata.

            The patch is coming soon.

            David Mudrak added a comment -

            The following changes since commit f42c34a38a51de6f6202de430df9cdb9fcee6fe2:
             
              On demand release 2.4beta+ (2012-11-23 16:07:34 +0800)
             
            are available in the git repository at:
              git://github.com/mudrd8mz/moodle.git MDL-36903-updates-ssl
             
            David Mudrák (4):
                  MDL-36903 Verify the SSL certificate of available updates provider
                  MDL-36903 Pre-check the ZIP download before executing the mdeploy.php utility
                  MDL-36903 Make mdeploy.php use the custom CA certificate if it exists
                  MDL-36903 Add a link to Moodle documentation from mdeploy error pages
             
             admin/renderer.php |    9 +++++-
             lang/en/plugin.php |    6 ++++
             lib/pluginlib.php  |   67 +++++++++++++++++++++++++++++++++++++++++++++++++++-
             mdeploy.php        |   14 ++++++++++-
             4 files changed, 92 insertions(+), 4 deletions(-)
            
            

            David Mudrak added a comment -

            Rebased against v2.4.0-rc1

            Dan Poltawski added a comment -

            Testing this on OSX by:

            • Installing 2.3 version of topcol course format
            • Setting 'required maturity' of updates to alpha level
            • Going to system keychain, telling OSX to not trust all DigiCert HA certificates
            • Doing curl test to ensure it's not trusting with system:

              curl https://moodle.org
              curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
              error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
              More details here: http://curl.haxx.se/docs/sslcerts.html
               
              curl performs SSL certificate verification by default, using a "bundle"
               of Certificate Authority (CA) public keys (CA certs). If the default
               bundle file isn't adequate, you can specify an alternate file
               using the --cacert option.
              If this HTTPS server uses a certificate signed by a CA represented in
               the bundle, the certificate verification probably failed due to a
               problem with the certificate (it might be expired, or the name might
               not match the domain name in the URL).
              If you'd like to turn off curl's verification of the certificate, use
               the -k (or --insecure) option.
              

            Dan Poltawski added a comment -

            Noticed that when I check for updates I get:

            Unable to fetch available updates data - unexpected cURL error.
             
            More information about this error
             
            Debug info: cURL error 60: SSL certificate problem, verify that the CA cert is OK. Details:
            error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
            Error code: err_response_curl
            Stack trace:
            line 832 of /lib/pluginlib.php: available_update_checker_exception thrown
            line 718 of /lib/pluginlib.php: call to available_update_checker->get_response()
            line 481 of /admin/index.php: call to available_update_checker->fetch()
            
            

            Dan Poltawski added a comment -

            It seems we must be missing some more pre permission checks, because I then got:

            Moodle deployment utility had a trouble with your request. See the docs page and the debugging information for more details.
             
            exception 'backup_folder_exception' with message 'Unable to backup the current version of the plugin (moving failed)' in mdeploy.php:755
            Stack trace:
            #0 mdeploy.php(1326): worker->execute()
            #1 {main}
            

            Dan Poltawski added a comment -

            Eek, that left me with an empty topcoll folder.

            Dan Poltawski added a comment -

            When I sorted out the directory permissions, I got:

            Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
            Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
            Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
            Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
            Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
            Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
            Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
            Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
            Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
            Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Australia/Perth' for 'WST/8.0/no DST' instead in /Users/danp/git/integration/mdeploy.php on line 1050
            Warning: Cannot modify header information - headers already sent by (output started at /Users/danp/git/integration/mdeploy.php:1050) in /Users/danp/git/integration/mdeploy.php on line 1237
            

            Dan Poltawski added a comment -

            I have created two issues for the two things I discovered:

            MDL-36962 mdeploy.php needs to set default timezone
            MDL-36963 Automatic updates deployer needs to check directory permissions too

            Dan Poltawski added a comment -

            Integrated this now, thanks David.

            Dan Poltawski added a comment -

            Tested and passed, although note the linked issues I discovered while testing.

            I have added the docs_required flag to ensure we create these help pages for the certificate errors. We must remember to do it here, because nobody is gonna be able to do it unless they are deeply technically involved with this!

            Eloy Lafuente (stronk7) added a comment -

            Just in time for Moodle 2.4.0 release, thanks!

            Closing, ciao

            Martin Dougiamas added a comment -

            Why is the cert location in moodledata when there is already a /moodledata/mdeploy/auth directory?

            Martin Dougiamas added a comment -

            Tested again on a real site that needed this and it works, though we really need to document at

            http://docs.moodle.org/24/en/admin/mdeploy/notdownloadable and
            http://docs.moodle.org/24/en/error/core_plugin/err_response_curl

            David Mudrak added a comment -

            Why is the cert location in moodledata when there is already a /moodledata/mdeploy/auth directory?

            Because the moodleorgca.crt is used by the Moodle core itself, should it need it. Not just by mdeploy.php utility. The location has been discussed in the chat with no objections raised.

            Leo Furze-Waddock added a comment -

            I have downloaded the certificate from DigiCert, renamed it moodleorgca.crt, placed it in the root of the moodledata directory which has full access permissions. Yet I still get the error below when checking for updates. I have updated pluginlib.php to use 'http' until I can resolve this issue.

            Debug info: cURL error 60: SSL certificate problem, verify that the CA cert is OK. Details:
            error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
            Error code: err_response_curl
            Stack trace:
            line 832 of \lib\pluginlib.php: available_update_checker_exception thrown
            line 718 of \lib\pluginlib.php: call to available_update_checker->get_response()
            line 481 of \admin\index.php: call to available_update_checker->fetch()

            Moodle v2.4+ (Build 20121208)
            SQL Server 2008 R2 Express with Advanced Services Service Pack 2
            Windows Server 2008 R2 Standard Edition Service Pack 1
            IIS 7.5
            PHP Version 5.3.13
            MS Drivers 3.0 for PHP v5.3 for SQL Server in IIS

            David Mudrak added a comment -

            Leo, can you please try and get the wget utility installed on your server? I found http://gnuwin32.sourceforge.net/packages/wget.htm by quick googling; there might be alternatives though. Once you have it, we can try fetching the info via the command line.

            Leo Furze-Waddock added a comment -

            Hi David,

            Thanks for your response.

            I've installed wget and attempted to connect using no options. It failed; please see the response below:

            C:\Program Files (x86)\GnuWin32\bin>wget https://download.moodle.org/api/1.1/updates.php

            SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
            syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc

            --2012-12-12 10:08:40-- https://download.moodle.org/api/1.1/updates.php
            Resolving download.moodle.org... 108.162.205.153, 108.162.204.153
            Connecting to download.moodle.org|108.162.205.153|:443... connected.
            ERROR: cannot verify download.moodle.org's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1': Unable to locally verify the issuer's authority.
            ERROR: certificate common name `moodle.org' doesn't match requested host name `download.moodle.org'.
            To connect to download.moodle.org insecurely, use `--no-check-certificate'.
            Unable to establish SSL connection.

            David Mudrak added a comment -

            OK, it seems that DigiCert has changed something. As you can see, the moodle.org's certificate has been signed by 'DigiCert High Assurance EV CA-1'. Please locate the cert at https://www.digicert.com/digicert-root-certificates.htm - it is listed among 'Intermediate Certificates' - and upload that one as moodleorgca.crt. Then try to check for updates again. Please let me know here how it goes. We might have to update the docs page.

            Leo Furze-Waddock added a comment -

            Sorry, no joy & no change

            I did what you said and even tried importing the certificate into the windows certificate store - Not sure PHP apps can access that though.

            Moodle Response

            Debug info: cURL error 60: SSL certificate problem, verify that the CA cert is OK. Details:
            error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
            Error code: err_response_curl
            Stack trace:
            line 832 of \lib\pluginlib.php: available_update_checker_exception thrown
            line 718 of \lib\pluginlib.php: call to available_update_checker->get_response()
            line 481 of \admin\index.php: call to available_update_checker->fetch()

            Wget Response

            C:\Program Files (x86)\GnuWin32\bin>wget https://download.moodle.org/api/1.1/updates.php

            SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
            syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc

            --2012-12-12 11:09:46--  https://download.moodle.org/api/1.1/updates.php
            Resolving download.moodle.org... 108.162.204.153, 108.162.205.153
            Connecting to download.moodle.org|108.162.204.153|:443... connected.
            ERROR: cannot verify download.moodle.org's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1': Unable to locally verify the issuer's authority.
            ERROR: certificate common name `moodle.org' doesn't match requested host name `download.moodle.org'.
            To connect to download.moodle.org insecurely, use `--no-check-certificate'.
            Unable to establish SSL connection.

            David Mudrak added a comment -

            And what does the wget say if you run it as

            C:\Program Files (x86)\GnuWin32\bin>wget --ca-certificate=C:\Provide\Path\To\Your\moodleorgca.crt https://download.moodle.org/api/1.1/updates.php
            

            Leo Furze-Waddock added a comment -

            no joy

            C:\Program Files (x86)\GnuWin32\bin>wget --ca-certificate=C:\inetpub\vhosts\staging.courses\moodledata\moodleorgca.crt https://download.moodle.org/api/1.1/updates.php

            SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
            syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc

            --2012-12-12 11:37:47--  https://download.moodle.org/api/1.1/updates.php

            Resolving download.moodle.org... 108.162.205.153, 108.162.204.153
            Connecting to download.moodle.org|108.162.205.153|:443... connected.
            ERROR: cannot verify download.moodle.org's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1': Unable to locally verify the issuer's authority.
            ERROR: certificate common name `moodle.org' doesn't match requested host name `download.moodle.org'.
            To connect to download.moodle.org insecurely, use `--no-check-certificate'.
            Unable to establish SSL connection.

            Leo Furze-Waddock added a comment - - edited

            wget docs state

            --ca-certificate=file
            Use file as the file with the bundle of certificate authorities ("CA") to verify the peers. The certificates must be in PEM format.

            Perhaps I should try to source a bundle file from http://curl.haxx.se/docs/caextract.html

            I'll let you know how it goes

            Leo Furze-Waddock added a comment -

            OK - It's working now!

            It needs the ca-bundle.crt available at http://curl.haxx.se/ca/cacert.pem - Just copy the contents into a text file and rename it to moodleorgca.crt and place this in the root of the moodledata directory.

            Thanks for your help David - Much appreciated!

            FYI: wget still complains;

            C:\Program Files (x86)\GnuWin32\bin>wget --ca-certificate=C:\inetpub\vhosts\staging.courses\moodledata\moodleorgca.crt https://download.moodle.org/api/1.1/updates.php

            SYSTEM_WGETRC = c:/progra~1/wget/etc/wgetrc
            syswgetrc = C:\Program Files (x86)\GnuWin32/etc/wgetrc

            --2012-12-12 21:25:13--  https://download.moodle.org/api/1.1/updates.php
            Resolving download.moodle.org... 108.162.205.153, 108.162.204.153
            Connecting to download.moodle.org|108.162.205.153|:443... connected.
            ERROR: certificate common name `moodle.org' doesn't match requested host name `download.moodle.org'.
            To connect to download.moodle.org insecurely, use `--no-check-certificate'.
            Unable to establish SSL connection.

            Leo Furze-Waddock added a comment -

            Source: http://curl.haxx.se/ca/cacert.pem

            ca-bundle.crt = copy contents of source above into text file. Rename to moodleorgca.crt
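
A structural pre-flight check for a file such as moodleorgca.crt, covering the PEM requirement quoted from the wget docs above. This is an added example, not part of the original thread or Moodle's code; `inspect_ca_file`, `fake_pem` and the sample byte strings are constructed for illustration. It goes beyond the thread by also flagging binary DER files and UTF-16 text, and it checks encoding only, not trust or expiry.

```python
import base64
import re

# Matches one PEM block of any type (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def inspect_ca_file(data: bytes) -> dict:
    """Structural check of a CA file; does not verify trust, expiry or signatures."""
    report = {"format": "unknown", "certificates": 0, "problems": []}
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        # A text editor saved the pasted bundle as UTF-16; PEM parsers reject it.
        report["format"] = "utf-16 text"
        report["problems"].append("re-save as plain ASCII")
        return report
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: binary DER, not PEM
            report["format"] = "der"
            report["problems"].append("binary DER; convert to PEM")
        else:
            report["problems"].append("no PEM blocks found")
        return report
    report["format"] = "pem"
    for label, body in blocks:
        if label != b"CERTIFICATE":
            report["problems"].append("unexpected block: " + label.decode())
            continue
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            report["problems"].append("corrupt base64 in a certificate block")
            continue
        if der[:1] != b"\x30":
            report["problems"].append("block does not decode to DER")
            continue
        report["certificates"] += 1
    return report


def fake_pem(payload: bytes) -> bytes:
    """Constructed stand-in: DER-shaped bytes in PEM armor, not a real certificate."""
    body = base64.encodebytes(b"\x30\x82\x01\x00" + payload)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

# Constructed sample inputs (no real CA data).
SAMPLE_BUNDLE = b"Header comment\n" + fake_pem(b"A" * 60) + fake_pem(b"B" * 60)
SAMPLE_DER = b"\x30\x82\x01\x00" + b"A" * 60
SAMPLE_UTF16 = fake_pem(b"A" * 60).decode("ascii").encode("utf-16")
```

To check a real file, pass it the bytes read in binary mode; a report with `format` equal to `pem`, at least one certificate and no problems means the file is at least structurally usable as a CA bundle.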

            Mary Cooch added a comment -

            (Housekeeping) Removing docs_required as I see the error pages have been documented.
