WordPress, the popular blogging software written by Automattic, has a problem with SSL self signed certificates. Basically, they don’t work well in any of their newer software products or services.

In order to post an update, I must first log into my blog. This requires me entering a username and password into a login box in the usual way. By default, WordPress does not use the secure HTTPS protocol for this, instead it sends this password in the clear over HTTP.

This is not good, so I, like many others, force WordPress to carry out login and administration functions over HTTPS. This is relatively straightforward, and well documented in WordPress’ own documentation, but requires a SSL certificate.

You can obtain a SSL certificate in one of two ways. Either you pay for a third party issuer to give you one (which has the benefit of not triggering a warning in the browser), or you generate one yourself – a so called “Self Signed” certificate.

Self signed certificates are perfectly valid, but browsers will display a warning on sites which use them. A problem if you’re running a public facing service, but not if it’s just for your own private blog, and crucially the traffic is still encrypted.

The Problem

Unfortunately WordPress don’t seem to like self signed certificates.

The iOS WordPress client once worked fine with self signed certificates, but this functionality was removed in an update a few months ago. Attempts to connect now display an error about the certificate’s self signed status, but unlike all browsers, will not give you the option to proceed.

Jetpack, which is now replacing much of the functionality previously provided by separate WordPress plugins (most importantly WordPress stats), is completely broken.

When you attempt to activate the plugin, Jetpack complains about being unable to communicate with the site with the following error:

Error Details: The Jetpack server was unable to communicate with your site [IXR -32300: transport error: http_request_failed SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed]

There is no way to bypass this, since the cURL error originates on the Jetpack servers and would require a code change at their end to allow the self signed certificate.

WordPress remain tight-lipped

I am not alone in encountering these problems, but so far attempts to contact WordPress/Automattic for support by various mechanisms have all gone unanswered.

It is a legitimate point of view that certificate failures caused by self signed certificates should be a fatal. Personally, I think providing a mechanism to bypass these errors for those who know what they’re doing, is a better solution, but making it fatal is a legitimate point of view from a security standpoint.

I could resolve this issue by buying a certificate, although I have a number of good reasons, some financial and some technical, for why I have not yet done so. If Automattic were to point blank refuse to support self signed certificates in their products then I would have to find a way of making it work.

I also accept the possibility that I could have made a mistake in configuration, although I’m not sure what this could possibly be, and it is only Automattic products that are having issue.

I accept all this, however all requests for support in forum threads and direct, from myself and others, go unanswered. Bug reports for the iOS client are months old and are ignored. Similarly, direct support requests to Jetpack go unanswered.

Automattic: If self certified certificates are a feature that just won’t be supported, then please communicate with me and your other users, or at least update your FAQ. If you think I’ve made a configuration error then please say so. Please communicate, because this silence is infuriating!

Update 20/11/12: After much chasing around I’ve got a response, about JetPack at least. Seems that not allowing self signed certificates was originally a design decision (a clearer error message would have been nice!), however this decision has been re-thought and it is now seen as a bug. There is currently no time-scale as to when the issue will be addressed.

Another itch scratched, I would like to introduce a really simple Open Graph plugin for WordPress.

This plugin adds open graph headers to posts and pages on a per post basis.

It has no native interface, instead it listens out for og:* headers as input in the Custom Fields section of WordPress’ edit page and adds the ones it recognises to the page header as meta tags.

Once installed you will be able to add the following tags to posts:

  • og:title (defaults to page title)
  • og:type (defaults to “article”)
  • og:image (URL, no default)
  • og:url is also used, but this is automatically filled in

I wrote this in about an hour so it isn’t all that fancy, and was designed to solve a specific problem for me. Hopefully it’ll be useful to someone else out there.

Feel free to leave comments and send in any patches!

» Plugin page on Github

On this blog, I use the Friendfeed Activity Widget plugin developed by Evan Sims to display my friendfeed (eyes right).

This plugin appears to have a bug whereby items with thumbnails (flickr, youtube etc) will not display correctly. This may possibly be just on my site as nobody else seems to have reported the issue.

The issue seems to be a miss-detection of the entity type in the code, incorrectly assigning flickr and youtube types to the default “list” type. I have hacked together a quick patch which seems to be working for me (but crucially doesn’t fix the underlying problem).

Normally I wouldn’t post this sort of thing here, however it would appear that Evan is no longer maintaining the plugin and has turned off comments. Hopefully, if you are having the same issue as I was, this might be useful to you.

» friendfeed-activity-widget-mp.zip – My modification of 1.1.3

Image from Friendfeed.com