Having trouble activating a license or installing an extension? It's not just you
If you try to activate a Groundhogg license or install an extension through the Groundhogg helper, you may get an error message saying “cURL error 60: SSL certificate problem: certificate has expired”. You aren’t the only one who gets that error message, and there is something you can do.
What does this error mean?
To put it in terms that everyone can understand, if you have a SSL certificate by Let’s Encrypt (which is free) there recently was an old Let’s Encrypt certificate that expired. After it’s expired it means it can’t be used anymore. For the majority of people there isn’t any difference or issue, but for some people there may be an issue.
The exact issue is with the cert.pem file that is used by the openssl library in PHP.
What can I do?
If you don’t run your own hosting then I would suggest contacting your hosting company (using whatever methods they have available) and tell them the error message you are having and give them a link to this. We are also including what hosting companies can do to fix the issue so that your hosting company can solve the issue for you.
I work for a hosting company, and we got sent a link to this by a customer. What can we do?
You need to disable or remove the expired root certificate from the chain of certificates. You should be able to go through what certificates you have on your server and remove the expired one.
You also have to adapt the API you use to get a Let's Encrypt certificate. From Let’s Encrypt’s recent blog post “you’ll need to make sure of two things: 1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and 2) if clients of your API are using OpenSSL,they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certification verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.”
You should then get the new Let’s Encrypt certificate and verify it’s correct before letting your customers know the issue is solved.
If you want more information regarding the production chain changes then there is a thread on Let’s Encrypt you can read. If you have any questions about this there is a thread on Let’s Encrypt that you can post on.
When will it be solved?
We don’t know when the issue will be solved, but we believe it will be solved when your hosting company removes the old certificate that expired and adapts their code to get the new Let’s Encrypt certificate.
Once the company solves the issue then the error message shouldn’t appear anymore.