Cannot update network due to a specific site

Hello everyone!
Our main WPMU has an error when we try to update the network (after installing WordPress 5.0.1).

Attention! Un problème est survenu lors de la mise à jour de https://www.agquebec.com. Votre serveur peut ne pas être en mesure de se connecter à certains sites qui y sont installés. Message d'erreur : cURL error 35: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.

We had this error on a previous website due to WPML, but this time we can't find why it's happening.
- We don't have more details in debug.log
- The SSL Certificate seems to be fully valid
- It's not the only site with this factor, but its DNS are external (nameservers pointing elsewhere)

Anyone has an idea of something we can try or improve before we try to deactivate the non-network plugins one by one?

We'd like to learn what this network update is for exactly and what could make it fail like this. :slight_smile:

  • Ash
    • WordPress Hacker

    Hello Magik Web

    The error you are getting seems related to TLS version. Would you please make sure you have TLS version at least 1.2?

    When wordpress releases an update, sometimes it needs to make some changes in the database. In a single site it happens on the go. But for a multisite, as you may have hundreds of sites, so wordpress doesn't make the update as it can fail due to limited max_execution_time on every server, So you need to initiate that manually wordpress does it in batch by batch.

    Hope it helps! Please feel free to ask more questions if you have any.

    Have a nice day!

    Cheers,
    Ash

    • Ash
      • WordPress Hacker

      Is there a way we can trigger the update for that site specifically without waiting for the batches to reach it (it's the 55th I think)?

      I am not aware of any such way to update a specific subsite :slight_frown:

      Attention! Un problème est survenu lors de la mise à jour de https://www.agquebec.com. Votre serveur peut ne pas être en mesure de se connecter à certains sites qui y sont installés. Message d'erreur : cURL error 35: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.

      Would you please translate this into English? I have tried google translator but it seems meaningless.

      Also, the error seems related to curl. Did you try to contact your host about the error? Do they have any suggestion on this?

      Have a nice day!

      Cheers,
      Ash

  • Ash
    • WordPress Hacker

    Hello Magik Web

    I was just going to say that, glad you found the thread. So, let's try adding these:

    add_filter('https_ssl_verify', '__return_false');
    add_filter('https_local_ssl_verify', '__return_false');

    SSL verification usually avvoid SSL errors. Though I don't recommend to keep this for always, so if the network upgradation is done, remove the code.

    Please let us know if that works for you. Have a nice day!

    Cheers,
    Ash

  • Vince
    • Flash Drive

    Hello Ash,
    I added the lines in a network activated plugin and it had no effect for that specific error. That's kinda odd considering nothing should be verifying the SSL now.

    We're thinking it could be from a plugin that's ignoring that parameter, maybe.

    We'll keep digging deeper until we have a better understanding/solution. If you have any ideas we can try, let us know!

  • Nithin
    • Support Wizard

    Hi Magik Web,

    This looks more related to the server side though, I don't see any mentions about cURL versions in the above responses, could you also double check what's the cURL version? Such issue could appear, if the cURL version is lesser then 7.40.

    https://unix.stackexchange.com/questions/192944/how-to-fix-curl-sslv3-alert-handshake-failure

    Could you please double check this with your hosting provider, and check whether PHP/cURL could be upgraded to latest version?

    If the cURL running is latest version, and still the issue occurs. Could you please check whether disabling all the plugins in your system, and running a network upgrade makes any difference, or not? This is to rule out any plugins conflicts too.

    Regards,
    Nithin

  • Vince
    • Flash Drive

    Hello Nithin,
    Thank you for the follow-up!
    The problem was resolved, here is the conclusion.

    There were multiple SSL Certificates involved for the same domain name because of CloudFlare (Flexible instead of Full Strict). The cURL error was because there was no proper SSL Certificate behind the CloudFlare one (on the origin server).

    Disabling CloudFlare fixed the error when updating the network.

    It would be great if there was a way to forcefully disable cURL's verification (on top of the filters that had no effect).

    Thank you everyone, once again you helped us look in the right direction.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.