Note: You are currently viewing documentation for Moodle 2.8. Up-to-date documentation for the latest stable version of Moodle may be available here: SSL certificate for moodle.org.

SSL certificate for moodle.org

From MoodleDocs
Revision as of 06:21, 3 January 2013 by David Mudrak (talk | contribs) (Undo revision 102620 by Rezeau (talk))

Synopsis

When you, as an administrator, check for available updates or install an update, your Moodle site needs to communicate with moodle.org. This communication is done via the secure HTTPS protocol. Your Moodle site validates the SSL certificate of moodle.org (such as the Moodle plugins directory) and verifies its identity. To pass this verification, there must be a certificate (in the PEM format) of the certificate authority (CA) that issued the certificate for moodle.org installed on your server.

The SSL certificate for moodle.org has been issued by the DigiCert CA and signed by their DigiCert High Assurance EV Root CA certificate.

Problem

If this CA certificate is missing, the remote site (moodle.org) can not be verified and so your Moodle site will refuse to fetch the data (to protect you against so called man-in-the-middle attack). The exact location of the certificate on your server depends on the OS type and other settings. On Linux servers it may be typically found at /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt for example.

A missing CA certificate results in an error when checking for available updates and attempting to install them.

Solutions

Update your operating system (recommended)

The recommended way to fix this problem is to update your server's operating system so that it contains recent SSL certificates from common certificate authorities. For Debian and RedHat based distributions, these certificates are distributed in the ca-certificates package. Gentoo servers provide them via the app-misc/ca-certificates ebuild. It's also a good idea to make sure that the OpenSSL libraries (libssl) and cURL libraries (libcurl) are up-to-date on your server.

Provide the CA certificate manually

If updating the operating system is not an option for you and the administrator of the server refuses to update the CA certificates on the server (despite there being no good reason for not doing so), a possible workaround is to download the DigiCert High Assurance EV Root CA certificate from digicert.com and put it into your moodledata/moodleorgca.crt file. If the certificate is found there, Moodle will use it instead of relying on the one provided by the operating system.

It must be highlighted that having the CA certificate on your server's operating system as described above is really the recommended solution. The solution based on moodleorgca.crt should only be considered as a temporary fix.