cURL error 60: SSL certificate problem: self signed certificate in certificate chain in WordPress

Switchboard used for musical production with the mute button lit up.
How to mute the SSL certificate problem

If you're developing locally using something like Valet and are trying to update WordPress, a plugin, or a theme, and see this error message, it could mean that something (like Netskope) is injecting its own SSL certificates into your requests.

You can confirm whether that is your issue by going to wordpress.org and inspecting the SSL certificate in your browser. If you're using Brave (or Chrome) as your web browser, the steps are as follows:

  • Click on the lock to the left of the URL
  • Click on Connection is secure
  • Click on Certificate is valid
  • Look at who issued the certificate

It should look something like this:

Screenshot of WordPress.org's SSL certificate
SSL certificate issued by: Sectigo Limited

But if you're seeing this:

SSL certificate issued by: goscope.com

Then this could very well be your problem.

Disable SSL verification

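The easiest way to circumvent this problem is to disable SSL verification for local websites running on your machine. The https_ssl_verify filter used below controls certificate verification for the HTTPS requests WordPress makes from that site, which is why the code limits it to local development domains.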

Create a new file called disable-ssl-verification.php in wp-content/mu-plugins.

Then paste the following code into it:

<?php

/**
 * Plugin Name: Disable SSL Verification
 * Description: WordPress themes and plugins can't be updated when using a self-signed SSL certificate. This plugin disables SSL verification if the WordPress site is loaded using a <code>.test</code> domain.
 * Version: 1.0.0
 * Author: Ryan Sechrest
 */

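// Bail if there is no server name to check (e.g. some CLI contexts).
if (!isset($_SERVER['SERVER_NAME'])) {
    return;
}
// Only continue for local development sites on a .test domain.
if (!str_ends_with($_SERVER['SERVER_NAME'], '.test')) {
    return;
}
// Turn off certificate verification for WordPress HTTP requests.
add_filter('https_ssl_verify', '__return_false');
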
  • We're checking to see if there is a SERVER_NAME set, e.g. example.org.test
  • Then we're checking to see if the server name ends with .test
  • If both conditions are true, then we return false to the https_ssl_verify WordPress filter to disable SSL verification

Now try to perform your update in WordPress again and it should work.

As an aside, if you're not familiar with mu-plugins, they're similar to regular plugins, but they don't have to be activated in the WordPress admin. mu-plugins are always active if they exist. You can see them in the WordPress admin by going to Plugins and then filtering by Must-Use.
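If you would rather keep verification on, an alternative is to have WordPress verify against a CA bundle that also contains the inspecting proxy's root certificate. The mu-plugin below is an added example, not part of the original post; the file name and the bundle path are assumptions, and the bundle is assumed to be a copy of wp-includes/certificates/ca-bundle.crt with the proxy's root CA appended in PEM format.

```php
<?php

/**
 * Plugin Name: Trust Local Proxy CA (added example)
 * Description: Keeps SSL verification enabled on <code>.test</code> sites by verifying against a CA bundle that includes the inspecting proxy's root certificate.
 */

add_filter('http_request_args', function ($args, $url) {
    // Same scope as the plugin above: local .test sites only.
    $server = $_SERVER['SERVER_NAME'] ?? '';
    if (!str_ends_with($server, '.test')) {
        return $args;
    }

    // A CA bundle is only consulted for HTTPS requests.
    if (wp_parse_url($url, PHP_URL_SCHEME) !== 'https') {
        return $args;
    }

    // Assumed location (hypothetical): WordPress's bundled CAs plus the
    // proxy's root CA, concatenated into a single PEM file.
    $bundle = WP_CONTENT_DIR . '/certs/ca-bundle-with-proxy.pem';

    // If the file is missing or unreadable, leave WordPress's default
    // bundle in place so requests fail closed instead of unverified.
    if (!is_readable($bundle)) {
        return $args;
    }

    // 'sslverify' is left untouched (it defaults to true); only the set
    // of trusted roots changes.
    $args['sslcertificates'] = $bundle;

    return $args;
}, 10, 2);
```

Use this in place of disable-ssl-verification.php rather than alongside it, because a false value returned from https_ssl_verify turns verification off regardless of which bundle is configured.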

If you have any problems or need help tweaking this code snippet, leave a comment below.

Featured image by Mike Baumeister.