Akeeba Backup for Joomla!

#24307 Always a problem updating via Joomla

Posted in ‘Akeeba Backup for Joomla! 4 & 5’

Latest post by on Saturday, 27 February 2016 17:20 CST

David Henry
Each time we update via the Joomla admin updater we usually run into a "Warning Error connecting to the server: 403". This is across lots of sites on both LAMP and NGINX.

The error is like this:

Failed to download package. Download it and install manually from https://www.akeebabackup.com/component/ars/?view=Item&task=download&format=raw&id=3555&dummy=my.zip&dlid=xxxxxxxx.

We usually have it set to upload to AWS but I don't think this is related.

Any ideas, are we missing something in set up?

D

nicholas
Akeeba Staff
Manager
I am aware and this is exactly why we're offering the built-in update system. The most disturbing thing is that we have already found out why it's happening, how to fix it in Joomla!, gave them the solution free of charge... and they decided to ignore it.

Our site is using HTTPS to protect your personal information against hackers while it's in transit through the open Internet. This is a standard protection employed by all major companies including Microsoft, Apple, Google, Mozilla and so on. HTTPS encryption is based on cryptographic certificates (SSL certificates) issued and cryptographically signed by a Certificate Authority (CA).

When your site is connecting to our server to download an update it does so through HTTPS. During the connection initialization the system needs to verify the authenticity of the SSL certificate. It does so by looking up the Certificate Authority of the SSL certificate of our site against its precompiled list of Certificate Authorities (a.k.a. the "CA cache"). If it finds no match or cannot verify the signature it declines the connection. This is what happens with your server.

We have tracked that issue down to some servers having outdated CA caches or no CA cache at all. In this case Joomla! uses its own CA cache provided by haxx.se, the makers of the cURL networking library. Unfortunately, this CA cache is missing a few hundred CAs. The solution is to use a more up-to-date CA cache, like the one provided with CentOS – the operating system of choice for most hosts out there, in fact the operating system powering joomla.org sites' servers. This is the analysis we did for the Joomla! Production Leadership Team; they understood it, but one person decided to block this change for no reason other than "it works for me, we won't change it".

Our built-in updater bypasses Joomla!'s extensions updater altogether. We use our OWN download library, with our OWN CA cache (from an up-to-date CentOS installation), our OWN XML parser, our OWN update notifications and our OWN download code. We only use Joomla!'s code to extract and install the update ZIP package because we are obliged to do so by the Joomla! Extensions Directory rules (if we write our own installer they are going to delist all of our software for 6 months – never mind that I am one of the last THREE people who understand how Joomla!'s extensions installer and updater actually work!).

TL;DR: Joomla! is broken, they don't let us fix it, use the "built-in" update method which is the only viable workaround we are allowed to provide.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
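
The verification failure described in the reply above can be reproduced offline. This is an added example, not Akeeba's or Joomla!'s code: it checks one server certificate against a CA bundle that lacks its issuer and against a bundle that includes it. The CA names, host name and bundle file names are hypothetical, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Constructed demo: every key and certificate is generated locally in a
# temporary directory; nothing here talks to the network.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA (hypothetical name, SHA-256 signature).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA HOST: server certificate for HOST issued by CA.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -set_serial 1 -sha256 -days 30 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# ca_count BUNDLE: number of certificates in a PEM bundle.
ca_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_with BUNDLE CERT: print OpenSSL's verdict; succeed only on "OK".
verify_with() {
  local out
  out=$(openssl verify -CAfile "$1" "$2" 2>&1)
  printf '%s\n' "$out" | grep -E ': OK$|^error ' | sed "s|$WORK/||"
  printf '%s\n' "$out" | grep -q ': OK$'
}

make_ca old-root          # a CA that both bundles contain
make_ca new-root          # the CA that actually issued the server certificate
make_leaf new-root downloads.example.test

# Stale bundle: lacks the issuing CA. Current bundle: includes it.
cat "$WORK/old-root.pem" > "$WORK/stale-bundle.pem"
cat "$WORK/old-root.pem" "$WORK/new-root.pem" > "$WORK/current-bundle.pem"

for b in stale-bundle current-bundle; do
  echo "== $b ($(ca_count "$WORK/$b.pem") CAs)"
  verify_with "$WORK/$b.pem" "$WORK/downloads.example.test.pem" \
    || echo "-> a client using this bundle declines the connection"
done
```

The same `openssl verify -CAfile` check, run on a host against the CA bundle its PHP/cURL build actually uses, shows whether a missing issuer is the cause of a failed download.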

nicholas
Akeeba Staff
Manager
PS: If that doesn't help then your server has an outdated version of OpenSSL which doesn't support SSL certificates with SHA-256 signatures. If this is the case ask your host to update OpenSSL to version 1.0 or later (the latest 1.1 release is strongly recommended) and recompile PHP against the new libopenssl and remember to restart the web server daemon. None of these can be performed by the end user (you), but are fairly trivial to perform by any competent host.


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
