The problem is that Google forced us all to upgrade our SSL certificates to ones with a SHA256 signature. If you've noticed, our site has an EV SSL certificate which displays our company name and a green icon or bar (depending on browser). If we didn't upgrade, Google Chrome would display our site the same way it displays HTTPS sites with a self-signed certificate: a big, yellow warning that the site is untrusted. Of course that would be catastrophic for business. Who would buy a security solution from a site their browser reports as having failed to perform the most basic security check? Catering for Google leaves us open to the problem I mentioned, which is also bad for business.
So it was impact analysis: not updating the SSL certificate would cause 30% to 50% loss of income, killing our business. The Joomla! bug will barely cause 0.3%. Not a hard choice: we have to honestly screw a few people to prevent most people from thinking we are screwing them. I am NOT happy with Google.
Oh, the biggest irony? When Google announced their plan regarding Google Chrome, their own sites DID NOT use SHA-256 signed certificates. Instead, they were using the SHA-1 signed certificates their own engineers deemed as "insecure". The only technology company which was already using an SHA-256 signed certificate was... (drumroll)... THEIR ARCH-RIVAL, APPLE. So, basically, Google was telling everybody that their sites were nowhere near as secure as Apple's. Way to score an own goal, I say!
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!