simon.schönbeck.dk

Tag: certificate

  • Failing to update a very old WordPress version

    Download failed.: cURL error 60: SSL certificate problem: unable to get local issuer certificate

    Installation Failed

    If you receive the above error when updating a stale installation of WordPress read on.

    Every installation of WordPress comes with its own Certificate Authority (CA) file which gets refreshed automatically upon each version update. If you have not updated your installation of WordPress for a few years the certificates within have expired and therefore cURL will not be able to verify the integrity of the server you are connecting to and fail the download and update process.

    Verifying the chain of trust is important to avoid pulling WordPress from the wrong source in the event that you may be exposed e.g. to a man in the middle (MITM), DNS hijacking, etc. scenario.

    To resolve the issue we need to break out of this catch 22 situation where we need the latest version of WordPress to update to the latest version of WordPress… d’oh!

    Some would simply download a fresh WordPress installation directly on the server, however it can be error prone risking your old installation’s data, plus the fact that the included updater runs its checks and updates both core files and database. So the quickest way is to simply overwrite the old certificates file at wp-includes/certificates/ca-bundle.crt with the latest one from WordPress’ development repository:

    https://raw.githubusercontent.com/WordPress/WordPress/refs/heads/master/wp-includes/certificates/ca-bundle.crt

    Once replaced cURL will no longer have any issues connecting to WordPress, retrieving the latest version and completing the update.

  • “Unable to load stream. Please make sure port 7446 is open on your NVR.”

    In case you are seeing the error message “Unable to load stream. Please make sure port 7446 is open on your NVR.” when trying to watch the live camera stream on your Unifi Video NVR system from Ubiquiti, then the solution is rather simple.

    The error is caused by the self-issued certificate that comes by default with the Unifi NVR. As Mozilla Firefox has strict SSL (HTTPS) rules making sure that one does not connect to the wrong or fake website as could happen in e.g. a phishing attempt. I have not tried myself but from what I have read apparently Google Chrome does not enforce this in the same manner making the stream work out of the box in Chrome.

    The solution is to open the URL to the video stream directly in a separate tab or window so that you can accept the self-signed certificate for the session:

    https://NVR_IP_address:7446

    The page itself will return an error after the certificate is accepted but that is fine, it is simply to accept the certificate. After that simply reload the NVR interface and the HTTPS video stream will work fine

    Please note that if you are accessing the NVR from an external network you may have a firewall instance blocking the actual port. This instead would require port forwarding to be set up and that is a different story.

  • Pidgin certificate prompt

    Today using the version of Pidgin that came with Fedora 10 I received the following certificate prompt:

    Accept certificate for ows.messenger.msn.com?
    The root certificate this one claims to be issued by is unknown to Pidgin.

    The majority of cases of unknown certificate issuers are due to the chain of trust breaking down. This break down in the certificate chain is mainly caused by the software in question not including the intermediate certificate authorities certificates. Without these intermediate certificates the software can not verify through the certificate hierarchy up till the root certificate and therefore prompts the user about what to do.

    The options I received in the Pidgin prompt were:

    View certificate
    Accept
    Reject

    Upon selecting “View certificate” I am presented with the following details:

    Common name: ows.messenger.msn.com
    Fingerprint (SHA1): a9:9c:2d:ee:4a:d1:c8:7d:a7:c5:c3:05:32:98:5f:ee:57:87:73:8a
    Activation date: Tue Jan 29 14:37:21 2008
    Expiration date: Wed Jan 28 14:37:21 2009

    So far everything looks as it is a bona fide certificate but to verify the identity completely I load the page https://ows.messenger.msn.com/ in Firefox. As expected no certificate warnings were received and I opened the certificate viewer to see its details and confirmed the data matches up with the data received in Pidgin:

    certificate
    Certificate Viewer

    I can safely trust this certificate as Firefox has verified through the certificate chain that all intermediate certificates are valid too:

    certificate_chain
    Certificate Chain

    This certificate is simply used by Microsoft for the Live Messenger offline messaging service. Although you normally would trust verified certificates it did happen in the past that certificates were incorrectly issued to the wrong people. So always be cautious!