Errors on a single host using wp_remote_get() unless sslverify is set to false

This is probably the wrong place to get into the details of certificate verification, and I am not sure I understand all of it so this answer going to focus on the wordpress API.

The issue with certificate verification is that you need a list of root certificates of the issuer companies in order to verify a specific cert. That list changes and therefor servers need to be updates with the info. Obviously supporting “browser like functionality” is not one of the main things that server admins think of, and your software might end on a server in which it is not defined at all, or just being stale info.

Otto’s answer details how wordpress core handles it, and it does it by providing its on bundle of root certs, and it is used by default by the wordpress http API (checked for 4.4, not sure when it is started). Still your plugin might be installed on earlier version which contains stale info (at this point in time, just a week or so before 4.5 is launched only about 50% of wordpress sites run 4.4).

So what can you do?

  1. easy option: Let the user decide. In the end it is his call how secure he wants his site to be. It might be that he can’t or doesn’t want to do the effort of updating his root certs.

  2. Supply your own root certificates with the plugin. This way you can push updates whenever the root certificates need to update. The relevant core api that handles it is WP_HTTP::request with the sslcertificates parameter in the $args parameter. Higher level HTTP API function probably pass that parameter in one way or another to it.

Related Posts:

  1. Divert http to https with WordPress on IIS
  2. wp_remote_get – curl error 28 connection timed out – using SANS in URL
  3. Allow non-SSL pages to use https or Force non-SSL pages to http?
  4. All content is HTTPS, but browsers warn of HTTP mixed content [closed]
  5. Website Migration (with https) to a new domain(http)
  6. Why does WordPress uses HTTPS for JS, CSS on EC2
  7. Implications of not completing all tasks when switching to HTTPS
  8. How to switch static files back to using HTTP instead of HTTPS?
  9. The plain HTTP request was sent to HTTPS port in wordpress [closed]
  10. Changing my URL in General Settings cause the site to crash
  11. NET::ERR_CERT_REVOKED in Chrome, when the certificate is not actually revoked
  12. https connection using CURL from command line
  13. “ssl module in Python is not available” when installing package with pip3
  14. How to generate a self-signed SSL certificate using OpenSSL?
  15. Convert .pem to .crt and .key
  16. Simple Java HTTPS server
  17. HTTPS connection Python
  18. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  19. What exactly is cacert.pem for?
  20. OpenSSL: unable to verify the first certificate for Experian URL
  21. ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED in Google Chrome
  22. How do you sign a Certificate Signing Request with your Certification Authority?
  23. Java Keytool error after importing certificate , “keytool error: java.io.FileNotFoundException & Access Denied”
  24. Issues with installing python libraries on Windows : CondaHTTPError: HTTP 000 CONNECTION FAILED for url
  25. WordPress wp-admin https redirect loop
  26. Is it safe to use sslverify => true for with wp_remote_get/wp_remote_post
  27. Howto force SSL for all requests?
  28. Local version of a WordPress site – SSL/HTTPS enforced?
  29. bloginfo() and get_template_directory_uri() with SSL?
  30. Favicon causes mixed content warning over SSL
  31. After updating site to use SSL all images in posts point to http://
  32. Adding https to wordpress website
  33. Upgrade to SSL Breaks Admin Dashboard
  34. wp_remote_get() not retrieving pages properly
  35. What’s the right move with SSL for user based site?
  36. I am locked out of my WordPress site after changing site URL from Http to Https
  37. Enabling SSL on wordpress results in 404
  38. SSL setup: wp-login css doesn’t load over httpS
  39. In WP versions >= 4.0, is FORCE_SSL_LOGIN forcing HTTPS for the entire admin session?
  40. Separating HTTP and HTTPS content with WordPress, Varnish, and an SSL terminator?
  41. SSL Certificate and WordPress
  42. Pointing SSL Enabled URL at Single WordPress Page
  43. Occasional HTTPS Mixed Content Warning
  44. Google maps causing mixed content in header
  45. 403 error on admin login page
  46. Cloudflare and SSL breaks wordpress – Mixed Content & Unable to use Admin
  47. XML asset fails to load using https
  48. un-loading https
  49. WordPress site shows “File not found.” if opened through https
  50. How to set up HTTPS WordPress from Install Step?
  51. Address a single page to SSL https secure protocol?
  52. Certain header elements not served over https
  53. wordpress http to https windows server
  54. Jetpack “Connect to WordPress” serving insecure content under HTTPS
  55. Website access with http and https
  56. How to force non SSL on just one page?
  57. Need ideas for HTTPS multiple domain solution
  58. WordPress 4.0 Forces entire site into SSL
  59. Site not reachable due to change from HTTP to HTTPS [closed]
  60. How to keep WP from using https to get to wordpress.org?
  61. How do I find non-SSL problems on my SSL page?
  62. SSL doesn’t work on certain pages – what is wrong?
  63. WordPress site shown as Not Secure on Chrome when SSL certificate is valid
  64. ERR_TOO_MANY_REDIRECTS on wordpress page [closed]
  65. Disable WordPress accessing WordPress.org to check for updates
  66. URLs not being output with https
  67. How to protect login via SSL but not the rest of the dashboard
  68. ERR_CONNECTION_REFUSED
  69. The REST API request failed due to an error. cURL error 60: SSL certificate problem: certificate has expired
  70. Do I install WordPress from my Cpanel on https or http, if my website has valid certificate?
  71. How to move my local wordpress to https?
  72. Specific Page/Post Need to Stay Non SSL
  73. ERR_SSL_PROTOCOL_ERROR
  74. Problem forcing San SSL certificate on WordPress
  75. SSL Certificate
  76. https images not displaying
  77. Front-end pages messed up due to HTTPS
  78. How to send user data from one website to another
  79. site on subdomain is redirecting to main site after installing wildcard ssl cert on both
  80. Forcing SSL (Bad Theme coding)
  81. WordPress Insecure Content
  82. SSL certificate breaks CSS (in combination with W3TC)
  83. I just updated my SSL certificate and now my site looses formatting when
  84. I would like to add ssl certificate to my already existing wordpress site
  85. WordPress and SSL
  86. My WordPress site SSL is in red crossed color and can’t load at first time?
  87. Any idea on how to fix this error when forcing SSL on a certain page?
  88. SSL problems with WordPress
  89. SSL/HTTPS Redirect Loop
  90. How to force static assets with HTTP sources to load over HTTPS?
  91. Issue when site move from ssl domain to new domain without ssl
  92. Displaying a remote SSL certificate details using CLI tools
  93. Is it bad to redirect http to https?
  94. Wildcard SSL certificate for second-level subdomain
  95. Properly setting up a “default” nginx server for https
  96. Does each subdomain need it’s own SSL certificate?
  97. Does each server behind a load balancer need their own SSL certificate?
  98. Generating a self-signed cert with openssl that works in Chrome 58
  99. How to force HTTP and stop SSL completey on WordPress website
  100. wordpress is auto using http: not https: as it needs to because the server is http behind a reverse proxy https, how do I stop it?