PHP, Curl and SSL Woes

I look after the Swindon & District Amateur Radio Club website and during the last week parts of the site broke. The website is a WordPress framework with various plugins to add functionality. One of these plugins uses a Google Calendar to drive the programme page. This is the functionality which broke.

I got errors being displayed by the widget telling me that Google’s SSL certificate could not be verified. That sounds strange I thought, this is Google. I checked the “Chain of Trust” in my browser and all looked fine. I eventually noticed that Google had updated their certificate on 17th September and were effectively signing it themselves (Google Internet Authority G2) which in turn was signed by GeoTrust.

Researching further, I found that Curl uses a very old CA bundle which obviously didn’t contain references to the new CAs. Many people online were advising just to configure Curl not to verify the CAs. THIS IS A BAD MOVE – DO NOT FOLLOW THIS ADVICE.

To fix the problem, I downloaded a new bundle which is converted from the database Mozilla maintains (http://curl.haxx.se/ca/cacert.pem). I stored this file in my PHP directory and added an entry in my php.ini file.

curl.cainfo = "C:\Program Files (x86)\PHP\v5.4\cacert.pem"

Restarted IIS and the problem was resolved.
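
A way to confirm the fix took effect, as an added example that is not part of the original post: this script reads the curl.cainfo setting, inspects the bundle it points to, and then makes a request with certificate verification left on. The function names and the test URL are assumptions chosen for illustration, and the bundle inspection assumes the PHP openssl extension is loaded.

```php
<?php
// Added example: check the CA bundle PHP's cURL extension is configured to use.
// inspect_ca_bundle(), verified_fetch() and the test URL are hypothetical names/values.
function inspect_ca_bundle($path)
{
    if ($path === '' || !is_readable($path)) {
        return array('ok' => false, 'error' => "CA bundle not readable: '$path'");
    }
    // A PEM bundle is a sequence of BEGIN/END CERTIFICATE blocks.
    $pem = file_get_contents($path);
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $expired = 0;
    foreach ($m[0] as $block) {
        $cert = openssl_x509_parse($block);
        if ($cert !== false && $cert['validTo_time_t'] < time()) {
            $expired++; // expired roots are a sign the bundle is stale
        }
    }
    return array(
        'ok'       => count($m[0]) > 0,
        'certs'    => count($m[0]),
        'expired'  => $expired,
        'age_days' => (int) ((time() - filemtime($path)) / 86400),
    );
}

function verified_fetch($url, $caBundle)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,      // headers only; the TLS handshake is what matters
        CURLOPT_SSL_VERIFYPEER => true,      // keep chain verification on
        CURLOPT_SSL_VERIFYHOST => 2,         // and hostname matching
        CURLOPT_CAINFO         => $caBundle, // same file php.ini points at
        CURLOPT_TIMEOUT        => 10,
    ));
    $ok = curl_exec($ch) !== false;
    $result = array('ok' => $ok, 'errno' => curl_errno($ch), 'error' => curl_error($ch));
    curl_close($ch);
    return $result;
}

$bundle = (string) ini_get('curl.cainfo'); // empty string if the setting is absent
print_r(inspect_ca_bundle($bundle));
if (is_readable($bundle)) {
    print_r(verified_fetch('https://www.google.com/', $bundle));
}
```

If the request still fails with cURL error 60, the chain could not be verified against the bundle, which points to a stale or wrong file rather than a reason to switch verification off.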

Being a .NET developer, I could have done without the grief of using PHP but we are where we are.

Hope this helps someone.