SSL certificate for moodle.org: Difference between revisions
David Mudrak (talk | contribs) (Basic information about the SSL certificate and possible problems) |
(added rhel note, as I think the package name is the same) |
||
| Line 15: | Line 15: | ||
=== Update your operating system (recommended) === | === Update your operating system (recommended) === | ||
The recommended way to fix this problem is to update your server's operating system so that it contains recent SSL certificates of common certificate authorities. At Debian based distributions, these certificates are distributed in the ''ca-certificates'' package. Gentoo servers provide them via the ''app-misc/ca-certificates'' ebuild. It's also a good idea to make sure that the OpenSSL libraries (libssl) and cURL libraries (libcurl) are up-to-date at your server. | The recommended way to fix this problem is to update your server's operating system so that it contains recent SSL certificates of common certificate authorities. At Debian and RedHat based distributions, these certificates are distributed in the ''ca-certificates'' package. Gentoo servers provide them via the ''app-misc/ca-certificates'' ebuild. It's also a good idea to make sure that the OpenSSL libraries (libssl) and cURL libraries (libcurl) are up-to-date at your server. | ||
=== Provide the CA certificate manually === | === Provide the CA certificate manually === | ||
Revision as of 15:24, 4 December 2012
Synopsis
Your site may communicate with moodle.org sites - for example when it checks for available updates or when it installs an update. This communication is done via the secure HTTPS protocol. Your site validates the SSL certificate of the moodle.org site (such as the Moodle plugins directory) and verifies its identity. To pass this verification, there must be a certificate (in the PEM format) of the certificate authority (CA) that issued the certificate for moodle.org installed at your server.
The SSL certificate of moodle.org sites has been issued by the DigiCert CA and signed by their DigiCert High Assurance EV Root CA certificate.
Problem
If this CA certificate is missing, the remote site (moodle.org) can not be verified and your Moodle refuses to fetch the data (to protect you against so called man-in-the-middle attack). The exact location of that certificate at your server depends on the OS type and other settings. At Linux servers it may be typically found at /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt for example.
Missing CA certificate causes error when checking for available updates and attempting to install them.
Solutions
Update your operating system (recommended)
The recommended way to fix this problem is to update your server's operating system so that it contains recent SSL certificates of common certificate authorities. At Debian and RedHat based distributions, these certificates are distributed in the ca-certificates package. Gentoo servers provide them via the app-misc/ca-certificates ebuild. It's also a good idea to make sure that the OpenSSL libraries (libssl) and cURL libraries (libcurl) are up-to-date at your server.
Provide the CA certificate manually
If updating the operating system is not an option for you and the administrator of the server refuses to update the CA certificates at the server (there's not a good argument for that though), here is a workaround for you. You can download the DigiCert High Assurance EV Root CA certificate from digicert.com and put it into your moodledata/moodleorgca.crt file. If the certificate is found there, Moodle will use it instead of relying on the one provided by the operating system.
It must be highlighted that you really should get the CA certificate to your server's operating system as described above. The solution based on moodleorgca.crt should be considered as a temporary only.
