errors – WP SiteHealth check reports “The REST API encountered an unexpected result”. Where to setup SSL *client* cert for *internal* WP use?

Question

I’m running WP 5.7 on Linux. It’s an Nginx server.

I’m setting up an internal site with policy that requires all services using SSL client cert verification enabled.

The WP host listener has ssl config that

server {
    listen 127.0.0.1:20000 ssl;
    ssl_certificate        "/projA/wp.projA.server.crt.pem";
    ssl_certificate_key    "/projA/wp.projA.server.key.pem";
    ssl_client_certificate "/projA/corp_ca.crt.pem";
    ssl_verify_client on;
    ssl_verify_depth 2;
    ...

So far so good. Access is limited to external-connecting SSL-verified clients only. Most everything’s working over SSL without any problems.

When I check WP “Site Health” I get this notice

"The REST API encountered an unexpected result.

The REST API is one way WordPress, and other applications, communicate with the server. One example is the block editor screen, which relies on this to display, and save, your posts and pages.

The REST API call gave the following unexpected result: (400) <html> <head><title>400 No required SSL certificate was sent</title></head> <body> <center><h1>400 Bad Request</h1></center> <center>No required SSL certificate was sent</center> <hr><center>nginx</center> </body> </html> ."

I’m not completely clear but that looks like WP ‘internals’ trying to connect to itself.

And that I need to tell WP to use & submit a “/projA/wp.projA.client.{crt,key}.pem” key pair,
or disable ssl verification for internal use.

I’ve tracked down these

https://github.com/FiloSottile/mkcert/issues/165
https://wordpress.org/support/topic/wp-http-error-curl-error-60-ssl-certificate-problem-self-signed-certificate/
https://wordpress.stackexchange.com/questions/72529/filter-any-http-request-uri

and finally this

https://surniaulula.com/2018/apps/wordpress/fix-sslverifyfalse-for-plugin-theme-update-checks/

and setup a plugin that sets

if ( '127.0.0.1' === $_SERVER['REMOTE_ADDR'] ) {
    add_filter( 'https_ssl_verify', '__return_true', PHP_INT_MAX );
    add_filter( 'http_request_args', 'http_request_force_ssl_verify', PHP_INT_MAX );
    function http_request_force_ssl_verify( $args ) {
        $args[ 'sslverify' ] = false;
        return $args;
    }
}

THAT works for disabling the verify request.

I’d rather get it right than turn it off.

Where do I setup the SSL client cert WP should use for API connections like above?

EDIT:

Great. With that plugin function, it doesn’t report the problem as a “Recommended Improvement” anymore. NOW it’s a “Critial Issue”.

So clearly NOT better.

0
arty 1 week 2021-04-05T19:36:56-05:00 0 Answers 0 views 0

Leave an answer

Browse
Browse