[wp-trac] [WordPress Trac] #63820: cURL error 60 caused by flawed ca-bundle.crt in WordPress 6.8.2

WordPress Trac noreply at wordpress.org
Tue Aug 12 13:22:21 UTC 2025


#63820: cURL error 60 caused by flawed ca-bundle.crt in WordPress 6.8.2
--------------------------+-----------------------------
 Reporter:  wpcteam       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  6.8.2
 Severity:  major         |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 After updating to WordPress 6.8.2, secure cURL requests to certain servers
 (e.g., `https://www3.moneris.com`) are failing with `cURL error 60: SSL
 certificate problem: self signed certificate in certificate chain`. This
 appears to be caused by a flaw in the `ca-bundle.crt` file included in the
 WordPress 6.8.2 core update.

 Environment:

 - WordPress Version: 6.8.2
 - PHP Version: [Enter PHP version, e.g., 7.4, 8.1]
 - Server: cPanel/CloudLinux with OpenSSL 1.1.1+

 Steps to Reproduce:

 1.  Set up a server with WordPress 6.8.2.
 2.  Create a PHP test script in the document root that makes a cURL
 request to `https://www3.moneris.com` and explicitly sets `CURLOPT_CAINFO`
 to the path of the `wp-includes/certificates/ca-bundle.crt` file.
 3.  Execute the script.

 Expected Results:

 The cURL request should succeed without an SSL error.

 Actual Results:

 The request fails with `cURL error 60`.

 Additional Details / Analysis:

 Further investigation has shown that the `ca-bundle.crt` file from the
 previous WordPress version (6.8.1) works correctly. The issue is with the
 new bundle rebased on Mozilla's data from May 20, 2025. This suggests a
 specific root certificate (related to Entrust.net) was either removed or
 changed in a way that breaks the trust chain for some endpoints when used
 with modern versions of OpenSSL. Downgrading just the `ca-bundle.crt` file
 to the version from 6.8.1 resolves the issue as a temporary workaround.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/63820>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
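
The reproduction in step 2 and the bundle comparison behind the analysis, as an added diagnostic that is not part of the ticket or of WordPress. It lists certificates present in only one of two bundles (by SHA-256 fingerprint) and, given a URL, repeats the request with `CURLOPT_CAINFO` set to each bundle. The script name and the location of a saved 6.8.1 bundle are assumptions.

```php
<?php
// Added diagnostic, not WordPress code. Needs ext-openssl and ext-curl.
// Usage (script name and old-bundle path are assumptions):
//   php ca-bundle-check.php /backup/6.8.1/ca-bundle.crt \
//       wp-includes/certificates/ca-bundle.crt [https://host/]
declare(strict_types=1);

/** Map SHA-256 fingerprint => subject name for each certificate in a PEM bundle. */
function bundle_roots(string $path): array
{
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("cannot read $path");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $roots = [];
    foreach ($m[0] as $block) {
        $fp   = openssl_x509_fingerprint($block, 'sha256');
        $info = openssl_x509_parse($block);
        if ($fp === false || $info === false) {
            continue; // not a parsable certificate, skip it
        }
        $roots[$fp] = $info['name'];
    }
    return $roots;
}

/** HEAD request with CURLOPT_CAINFO set to $cainfo; returns [errno, message]. */
function probe(string $url, string $cainfo): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_CAINFO => $cainfo, CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2, CURLOPT_NOBODY => true,
        CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 15,
    ]);
    curl_exec($ch);
    return [curl_errno($ch), curl_error($ch)];
}

if ($argc < 3) {
    fwrite(STDERR, "usage: php {$argv[0]} OLD_BUNDLE NEW_BUNDLE [URL]\n");
    exit(2);
}
[$old, $new] = [bundle_roots($argv[1]), bundle_roots($argv[2])];
foreach (array_diff_key($old, $new) as $fp => $name) echo "- only in old: $name\n    sha256 $fp\n";
foreach (array_diff_key($new, $old) as $fp => $name) echo "+ only in new: $name\n    sha256 $fp\n";
foreach (isset($argv[3]) ? [$argv[1], $argv[2]] : [] as $ca) {
    [$errno, $msg] = probe($argv[3], $ca); // 60 is the error number reported in the ticket
    echo "$ca: ", $errno === 0 ? 'chain verified' : "cURL error $errno: $msg", "\n";
}
```

If the URL fails only with the newer bundle, the "only in old" entries are the candidates for the root that endpoint's chain depends on.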

