OK, I figured it out.
Removing that certificate from ClassicPress’ certificate bundle is part of the fix. However, if a web server is using the cURL extension with an old version of OpenSSL, and the expired “DST Root CA X3” certificate is still present in the system certificate store, then this fix is not enough.
In that case the only ways to get these requests working again are to upgrade PHP/cURL, remove the certificate from the system certificate store, or disable certificate verification entirely.
I’ve created a small plugin that will diagnose and work around this situation in the most secure way possible:
There are three different modes it can operate in, depending on the web server configuration.
(1) Do nothing if the server is not suffering from this issue:
(2) Automatically use a corrected certificate bundle if this is an issue that ClassicPress can fix by itself:
This is a much better alternative than disabling all certificate verification.
For these sites, the issue will also be fixed once the PR above is merged and shipped in a new release of ClassicPress. This plugin will be able to help users of these sites to get that update applied.
(3) Provide the option to switch to insecure requests for a few minutes if there is no other solution. The real fix is to upgrade/reconfigure the webserver but this can help get upgrades and other tasks unblocked in the meantime: