RAMP Documentation

SSL and Basic 401 Auth Configuration

SSL

We recommend HTTPS communication between servers.

  • RAMP currently does not support insecure communication over HTTPS.
  • If you have a self signed certificate you will likely get errors during the deploy phase.

Wildcard Certificates

SSL certificates work on a trusted-signer model – you (via your browser, say) have a list of public keys of certificate authorities who are trusted to sign SSL certificates; when you try to connect to an SSL site, you check that the certificate that server is using is signed by somebody you trust. Wildcard certificates often require additional “chained” trust certificates – a certificate that is signed by one of the commonly-trusted authorities, that in turn is trusted to sign other certificates; some of these chained certificates are available in web browsers, and others are served up by the web server at the same time as the server’s SSL certificate is.

cURL (the http client library that WP generally uses) has a much more limited (and less frequently-updated) list of trusted certificate authorities than web browsers do (and in some configurations has no default list); the expectation is that if you need to use cURL, you’re deep enough that you want to handle your own certificate trust chain.

You may run into an instance where the signer of the wildcard cert isn’t trusted by cURL. There are two ways to fix this: the expedient way and the correct way.

The correct way is to tell cURL about the trust chain you’re using. This is only practical in PHP 5.3.7+, since before that the curl.cainfo php.ini directive didn’t exist <http://php.net/manual/en/curl.configuration.php> and you’d have to edit core WP files to add the cURL option call, but assuming that’s the case, on both staging and production servers:

  • Start with the cacert.pem bundle from here: http://curl.haxx.se/docs/caextract.html
  • Append to it any chained CA certs the wildcard certificate requires
  • Save the modified cacert.pem file somewhere appropriate
  • In php.ini, set curl.cainfo to the absolute path of the modified cacert.pem file
  • Restart apache/php-fpm/etc as appropriate

SSL verification can be disabled for RAMP’s communication by setting the following constant in your wp-config.php file:

define('RAMP_DISABLE_SSL_VERIFY', true);

Obviously, this is less secure than the methods recommended above.

Basic (401) Authentication

If a remote server is behind HTTP Basic (401) Authentication some modifications to the server’s `.htaccess` file will be required for RAMP to properly function. Modify the HTTP Authentication section of your `.htaccess` file with the modifications shown below to enable RAMP to properly communicate with the remote server:

# Standard HTTP Auth

AuthType Basic
AuthName "My Protected Server"
AuthUserFile /path/to/.htpasswd
Require valid-user

# additions for RAMP

SetEnvIf Request_URI "(/wp-content/uploads/)" allow
SetEnvIf Request_URI "(admin-ajax\.php|xmlrpc\.php|async-upload\.php|wp-cron\.php)$" allow
Order allow,deny
Allow from env=allow
Satisfy any

See also: