SSL certificate for moodle.org: Difference between revisions
David Mudrak (talk | contribs) m (Confirming the solution based on cacert.pem file from the cURL site)
(5 intermediate revisions by 5 users not shown)
Latest revision as of 19:08, 12 February 2016
Synopsis
NOTE: This has been updated as of 04/11/2013 - Moodle has moved to the GeoTrust Certificate Authority
When you, as an administrator, check for available updates or install an update, your Moodle site needs to communicate with moodle.org. This communication is done via the secure HTTPS protocol. Your Moodle site validates the SSL certificate of moodle.org (such as the Moodle plugins directory) and verifies its identity. To pass this verification, the certificate (in PEM format) of the certificate authority (CA) that issued the certificate for moodle.org must be installed on your server.
The SSL certificate for moodle.org has been issued by the GeoTrust Certificate Authority.
Problem
If this CA certificate is missing, the remote site (moodle.org) cannot be verified and your Moodle site will refuse to fetch the data (to protect you against a so-called man-in-the-middle attack). The exact location of the certificate on your server depends on the OS type and other settings. On Linux servers, for example, it can typically be found at /usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority.crt.
A missing CA certificate results in an error when checking for available updates and attempting to install them.
Solutions
Update your operating system (recommended)
The recommended way to fix this problem is to update your server's operating system so that it contains recent SSL certificates from common certificate authorities. This does not seem to help on Windows servers though: on Windows, the cURL library bundled with PHP does not use the CA certificates installed in the OS, so you will have to use the alternative solution described below.
For Debian and Red Hat based distributions, CA certificates are distributed in the ca-certificates package. Gentoo servers provide them via the app-misc/ca-certificates ebuild. It is also a good idea to make sure that the OpenSSL (libssl) and cURL (libcurl) libraries are up to date on your server.
Provide the CA certificate manually
If updating the operating system is not an option for you, if the server administrator refuses to update the CA certificates on the server (despite there being no good reason not to), or if updating the CAs installed in the OS did not help (as is the case on Windows servers), a possible workaround is to download the bundle of required certificates from the cURL site (http://curl.haxx.se/ca/). Download the file cacert.pem (http://curl.haxx.se/ca/cacert.pem) from there and save it as moodledata/moodleorgca.crt (i.e. download cacert.pem, rename it to moodleorgca.crt and upload it into your moodledata directory). If this file is found in moodledata, Moodle will use it instead of relying on the certificates provided by the operating system.
It must be highlighted that having the CA certificate in your server's operating system, as described above, is the recommended solution. The solution based on moodleorgca.crt should only be considered a temporary fix (although it seems to be the only way to make it work on Windows servers).
Alternatively, the GeoTrust Primary CA root certificate can be downloaded directly from GeoTrust (http://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Primary_CA.pem) and installed on your system.
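The verification failure described under Problem and the moodledata/moodleorgca.crt fallback above, reproduced offline as an added example (this is not code from the Moodle project or from the docs page). It assumes the openssl command-line tool is installed; the test CA and leaf certificate are constructed on the fly, and the default system bundle path is an assumption.

```shell
#!/bin/sh
# Added example, not from the Moodle docs page: reproduces offline the check
# Moodle performs before fetching from moodle.org. A constructed test CA stands
# in for GeoTrust and a constructed leaf for moodle.org's certificate.
set -eu
WORK=$(mktemp -d)

# Moodle's selection rule as the page describes it: moodledata/moodleorgca.crt
# wins if present, otherwise the OS bundle is used. The default system path is
# an assumption (Debian layout); it differs between distributions.
pick_ca_bundle() {
    if [ -f "$1/moodleorgca.crt" ]; then
        echo "$1/moodleorgca.crt"
    else
        echo "${SYSTEM_CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
    fi
}

# Succeeds only when the leaf chains to a CA contained in the bundle; this is
# the verification step that fails when the issuing CA is missing.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test PKI: a self-signed root and a leaf it signs.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=moodle.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Walk through the two situations the page describes.
demo() {
    make_test_pki
    mkdir -p "$WORK/moodledata"
    # Bundle that lacks the issuing CA (the leaf itself): verification is refused.
    if verify_chain "$WORK/leaf.pem" "$WORK/leaf.pem"; then
        echo "unexpected: verified without the CA"; return 1
    fi
    echo "without the CA: verification refused (as Moodle would refuse the fetch)"
    # Provide the CA manually, as moodledata/moodleorgca.crt.
    cp "$WORK/ca.pem" "$WORK/moodledata/moodleorgca.crt"
    verify_chain "$(pick_ca_bundle "$WORK/moodledata")" "$WORK/leaf.pem"
    echo "with moodleorgca.crt: verification OK"
}
demo
```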
Edit (CentOS 6) 12-FEB-2016: The curl.haxx.se workaround does not work well with Turnitin (turnitintwo) in CentOS 6. To undo it, reinstall the packages:
- yum reinstall openssl ca-certificates
Then use the update-ca-trust command to update the CA store:
- update-ca-trust