PHP OpenSSL requirements

Starting with version 9.1.0, Drupal core's Update Manager uses HTTPS to fetch information about available updates. This means that the PHP a Drupal site is using must have OpenSSL installed and properly configured. If PHP does not support OpenSSL, a site with the Update Manager enabled will see a "Failed to fetch available update data" error message at their available updates report.

If you see this error, there are a few steps you can take to get things working:

1. Confirm the site can connect to the Internet
2. Confirm OpenSSL is enabled
3. Confirm the site's certificate files are properly installed and configured
4. If needed, configure Update Manager to fallback to HTTP

Confirm the site can connect to the Internet

Before worrying about OpenSSL and HTTPS, the first step is to make sure the site can reach the public Internet at all. Consider:

• Is this a test site running on a local server or inside a container that doesn't have an Internet connection at all?
• Is the site behind a network proxy server? If so, is the network and the site properly configured to use that proxy?
• ...

The site must be able to access the public Internet at all, or none of the rest of these instructions will help.

Confirm OpenSSL is enabled

First, check if the site's PHP has OpenSSL enabled at all:

Administration > Reports > Status

Click on the "more information" link under PHP version (/admin/reports/status/php)

There should be a section called "openssl" and you should see something like:

OpenSSL support: enabled

If not, you'll have to consult the PHP openssl extension documentation on how to enable this extension in your php.ini configuration file. Basically, you'll need to uncomment or add a line like this: extension=php_openssl.so and probably restart your web server daemon (e.g. Apache). The details will vary depending on your hosting environment. If you're unsure, check with your system administrator or hosting provider.

Confirm the site's certificate files are properly installed and configured

You might see an error in your site's log files like one of these:

• SSL Certificate Problem: Unable to get local issuer certificate
• SSL Certificate Problem: Verify that the CA cert is OK.

If so, it means your site does not have the correct Certificate Authority (CA) certificates installed or that PHP cannot find the correct certificates. You can install a set of trusted certificates provided by cURL itself:

1. Download cacert.pem
2. Move the cacert.pem file to the affected computer, e.g.:
   • /etc/pki/tls/cacert.pem
   • C:\php\extras\ssl\cacert.pem
3. Edit the php.ini file and change the curl.cainfo parameter, e.g:
   • curl.cainfo = "/etc/pki/tls/cacert.pem"
   • curl.cainfo = "C:\php\extras\ssl\cacert.pem"

   Note that on some PHP configurations, you might need to set openssl.cafile, not curl.cainfo, to point to the cacert.pem file you downloaded.

4. Potentially restart your webserver (e.g., Apache) to get the php.ini changes to take effect.

For more information, see:

• https://docs.bolt.cm/3.7/howto/curl-ca-certificates
• https://curl.haxx.se/docs/sslcerts.html
• https://curl.haxx.se/libcurl/c/libcurl-errors.html
• https://stackoverflow.com/questions/13467648/configuring-curl-for-ssl

If needed, configure Update Manager to fallback to HTTP

If you do not have access to change your site's PHP configuration, or all else fails, you can configure Drupal's Update Manager to fallback to using HTTP. This is not recommended, and less secure (potentially exposing you to a "man-in-the-middle" attack where a malicious site claims to be updates.drupal.org and gives you false information). However, not having any indication that your site is missing available security updates for Drupal core and contributed modules and themes would probably be worse. So if you need to, you can set the following in your settings.php file:

$settings['update_fetch_with_http_fallback'] = TRUE;

In this case, the Update Manager will still try HTTPS first, but if that fails, instead of giving up and printing the error message, it will try again using HTTP and hopefully fetch available update data.

If you've got this setting defined, and you try to "Check manually" (using the link on your site's Available Updates report) and you still see error messages, make sure your website is connected to the internet, that your network settings are correct, etc. Debugging every possible situation where a site cannot make outbound requests is outside the scope of this documentation. Good luck!