#21048 SSL certificate problem

Posted in ‘Akeeba Backup for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Akeeba Backup version: n/a

Latest post by lausianne on Friday, 26 September 2014 09:50 CDT

lausianne
Hi Nicholas,

when trying to update Backup or Admin Tools, I get this error:

SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I found other tickets about the same problem, where you suggested to switch off SSL in the config. Couldn't find it. I don't have this issue on other sites, same hosting, same versions (I did not actually check all versions on all sites - but I like to keep everything up to date.)

Thanks for your help!

Regards, Ralf.



EDIT: Sorry, I actually do have the same issue on other sites, same hosting!

EDIT 2: But: on some it works - I just updated AB 3.11.3 Pro and AT 3.0.3 Pro on two sites without problem (still same hosting ...)

nicholas
Akeeba Staff
Manager
This is unrelated to Admin Tools. Please contact your host.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

lausianne
Well, it only happens with your extensions, and has never happened before. So I thought it was somehow related to your extensions. There must be something about these two extensions of yours that's different than other extensions and different than earlier versions of your extensions. If I had a clue, I'd perhaps know better what to tell the hoster. I'll now just send them the message and see what they say.

nicholas
Akeeba Staff
Manager
It happens when Joomla! tries to load the update package from our site. We have a properly signed SSL certificate which is using an SHA256 signature for the certificate (otherwise Google Chrome and Firefox will display it as an insecure site). Unfortunately, SHA256 signatures use a different Certificate Authority root and require a new-ish version of OpenSSL to validate.

And there comes a bug/missing feature of Joomla! to screw things up. Joomla! uses its own copy of certificate authorities (caroot.pem) which is up-to-date. However, it only uses it if your host supports curl and has disabled URL fopen() wrappers. When the host has enabled URL fopen() wrappers the host's CA bundle is used. Since it's out of date or their OpenSSL version is old (it really shouldn't be, because of Heartbleed) the certificate validation fails and you get this error message. FYI, I submitted a patch to that Joomla! bug / missing feature quite a while ago but it will only make it in Joomla! 3.4 :(

So, really, on our end we are more than OK. The problem seems to be at your host's side. I hope the additional information helps.

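A diagnostic along the lines of the explanation above, to give the host concrete facts rather than switching certificate verification off. This is an added example, not code from Akeeba or Joomla!; the rule in `caSourceInUse()` is taken from the post's description, and `BUNDLED_CA` is a placeholder path.

```php
<?php
// Added diagnostic example; not Akeeba or Joomla! code.
// Assumption (from the post above): the CA file bundled with Joomla! is used
// only when curl is available and URL fopen() wrappers are disabled;
// otherwise the host's own CA bundle is used.

// Placeholder: set to the CA file shipped with your Joomla! installation.
const BUNDLED_CA = '/path/to/joomla/bundled-ca.pem';

function caSourceInUse(bool $hasCurl, bool $urlFopen): string
{
    return ($hasCurl && !$urlFopen) ? 'bundled' : 'host';
}

// Count the certificates in a PEM bundle and how many have expired.
function inspectBundle(string $pem, int $now): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $total = $expired = 0;
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            continue; // unparsable entry, skip it
        }
        $total++;
        if ($info['validTo_time_t'] < $now) {
            $expired++;
        }
    }
    return ['total' => $total, 'expired' => $expired];
}

$hasCurl  = function_exists('curl_init');
$urlFopen = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
$source   = caSourceInUse($hasCurl, $urlFopen);
$loc      = openssl_get_cert_locations();
$hostCa   = $loc['ini_cafile'] ?: $loc['default_cert_file'];
$path     = $source === 'bundled' ? BUNDLED_CA : $hostCa;

printf("OpenSSL library : %s\n", OPENSSL_VERSION_TEXT);
printf("curl TLS backend: %s\n", $hasCurl ? curl_version()['ssl_version'] : 'curl not loaded');
printf("allow_url_fopen : %s\n", $urlFopen ? 'on' : 'off');
printf("CA source       : %s (%s)\n", $source, $path);
if (is_readable($path)) {
    $r = inspectBundle(file_get_contents($path), time());
    printf("certificates    : %d total, %d expired\n", $r['total'], $r['expired']);
} else {
    echo "No readable CA file at this path (the host may rely on a CA directory instead)\n";
}
```

Run it through the web server rather than the CLI, since the two often load different `php.ini` files and can report different settings.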

lausianne
Wow, thanks, that's elaborate. I forwarded this to the hoster. The real problem, from a practical point of view, might be that you are too far ahead of everybody else ... ;-)

nicholas
Akeeba Staff
Manager
The problem is that Google forced us all to upgrade our SSL certificates to ones with a SHA256 signature. If you've noticed, our site has an EV SSL certificate which displays our company name and a green icon or bar (depending on browser). If we didn't upgrade, Google Chrome would display our site the same way it displays HTTPS sites with a self-signed certificate: a big, yellow warning that the site is untrusted. Of course that would be catastrophic for business. Who would buy a security solution from a site their browser reports as having failed to perform the most basic security check? Catering for Google leaves us open to the problem I mentioned, which is also bad for business.

So it was impact analysis: not updating the SSL certificate would cause 30% to 50% loss of income, killing our business. The Joomla! bug will barely cause 0.3%. Not a hard choice: we have to honestly screw a few people to prevent most people from thinking we are screwing them. I am NOT happy with Google.

Oh, the biggest irony? When Google announced their plan regarding Google Chrome their own sites DID NOT use SHA-256 signed certificates. Instead, they were using the SHA-1 signed certificates their own engineers deemed as "insecure". The only technology company which was already using an SHA-256 signed certificate was... (drumroll)... THEIR ARCH-RIVAL, APPLE. So, basically, Google was telling everybody that their sites were nowhere near as secure as Apple's. Way to score an own goal, I say!


lausianne
That last part made me laugh. Fortunately I'm not directly affected yet, other than these minor errors. But someday I'll have to do something about it, too, since it now affects rankings. Some extra paid work for me, perhaps. Yet I'd rather do some creative work than dealing with SSL and certificates etc... Thanks again for the background info. Have a safe weekend!
