0

I upgraded my MediaWiki to 1.35 and want to use the VisualEditor. Problem is the error below, when I click on the edit button:

Error contacting the Parsoid/RESTBase server: (curl error: 60) SSL peer certificate or SSH remote key was not OK

It is a private wiki, running behind an Apache reverse proxy with a Let's Encrypt SSL certificate. Does anybody have an idea what to do here?

praetorianer777
  • 309
  • 3
  • 12

3 Answers

1

The error message comes from the parsing API that VisualEditor's own PHP backend is sending a request to. There might be something wrong with how the URL is specified (e.g. you are using localhost instead of the domain which is in the certificate), the web server might be configured incorrectly (you can check with some SSL testing tool), the operating system might have an outdated cert bundle...

My guess would be this request (where MediaWiki tries to make a web request to itself) doesn't go through the reverse proxy, so the cert is not added, but the URL scheme is nevertheless HTTPS, which makes curl freak out. The fix is probably to set $wgInternalServer to the HTTP version of $wgServer (or just localhost, depending on your setup).

Tgr
  • 27,442
  • 12
  • 81
  • 118
  • I tried your suggestions and set $wgInternalServer to http, https and localhost in LocalSettings.php, but nothing worked... I have a Windows server with Apache. The wiki is also hosted on the same machine, so Apache does not work as a reverse proxy in this case... there is just a redirection from http to https. The Let's Encrypt certificates are valid till December – praetorianer777 Nov 01 '20 at 09:36
  • You'll need to add some debugging to that curl call then. It's probably in ApiVisualEditor.php. – Tgr Nov 01 '20 at 19:22
  • Could you please tell me how I can do that? – praetorianer777 Nov 02 '20 at 17:45
  • https://www.mediawiki.org/wiki/Manual:How_to_debug has some tips, although you'll probably just need generic PHP debugging methods here. – Tgr Nov 03 '20 at 02:52
0

Had the error after an update to version 1.35.2. Internal HTTPS communication does not work with self-signed certificates. In the file /etc/ssl/openssl.cnf, change CipherString = DEFAULT@SECLEVEL=2 to CipherString = DEFAULT@SECLEVEL=1

soiza
  • 1
0

We encountered this error in our Wiki too. While the error shown in MediaWiki says:

Error contacting the Parsoid/RESTBase server: (curl error: 60) SSL peer certificate or SSH remote key was not OK

Our detection system gave us a more standard:

cURL error 60: SSL certificate problem: unable to get local issuer certificate (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)

We inspected our SSL certificates as a consequence, although there were no visible SSL errors when browsing the site.

The problem was, in our case:

  • Misconfigured SSL settings: we were missing the CA (Certificate Authority) SSL Certificate next to our SSL Certificate (using DirectAdmin with a Sectigo certificate).

Adding the CA SSL Certificate key immediately solved the problem.

Dioscorides
  • 98
  • 1
  • 4
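
The missing-CA-certificate case from the last answer can be reproduced offline; this is an added example, not code from any of the answers. It builds a constructed root, intermediate and leaf certificate (all names made up, `openssl` 1.1.1 or later assumed) and verifies the leaf the way a client that trusts only the root would, first without and then with the intermediate supplied.

```shell
#!/usr/bin/env bash
# Constructed demo chain: root -> intermediate -> leaf. Every name is made up.
set -eu

issue() {  # dir, name, CN, issuer name, extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/o.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 2 -extfile "$1/o.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

build_chain() {  # $1 = empty work directory
  cat > "$1/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:wiki.example.test
EOF
  # Root CA: the only certificate in the client's trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/o.cnf" \
    -extensions v3_ca -subj '/CN=Constructed Root' \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  # Intermediate signed by the root, leaf signed by the intermediate.
  issue "$1" int 'Constructed Intermediate' root v3_ca
  issue "$1" leaf 'wiki.example.test' int v3_leaf
}

# Verify the leaf as a client would: trust only the root, plus any extra
# certificates the server sent along with the leaf (optional $2).
verify_as_client() {  # dir, [file with certificates sent besides the leaf]
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
  fi
}

work=$(mktemp -d)
build_chain "$work"
echo "server sends leaf only:"
verify_as_client "$work" || true            # fails: issuer not found
echo "server sends leaf + intermediate:"
verify_as_client "$work" "$work/int.pem"     # succeeds
```

The failing run reports the same "unable to get local issuer certificate" text that appears in the cURL error 60 quoted above.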