
SSL certificate verify failed over plain HTTP (non-SSL) in WordPress update


All of wordpress.org is an SSL-based site. Any HTTP request just gets routed through HTTPS via their nginx instance, probably with a rule like this:

    server {
        listen         80;
        server_name    my.domain.com;
        return         301 https://$server_name$request_uri;
    }


Here is what happened when downloading:

    wget http://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip
    --2016-01-11 14:40:07--  http://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip
    Resolving downloads.wordpress.org... 66.155.40.188, 66.155.40.189, 66.155.40.187, ...
    Connecting to downloads.wordpress.org|66.155.40.188|:80... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: https://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip [following]
    --2016-01-11 14:40:07--  https://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip
    Connecting to downloads.wordpress.org|66.155.40.188|:443... connected.
    ERROR: cannot verify downloads.wordpress.org's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2':
      Unable to locally verify the issuer's authority.
    To connect to downloads.wordpress.org insecurely, use `--no-check-certificate'.
    Unable to establish SSL connection.

All downloads got redirected to SSL, and the certificate was signed by Go Daddy's most recent CA root.

Download the latest certificate from the WordPress git site from here, save it to your wp-includes/certificates directory as ca-bundle.crt, make sure the downloaded .crt replaces the current one, then try the update again.


The link you have for that file redirects to HTTPS. You can see it in action at http://www.redirect-checker.org

CONGRATULATION. Everything seems to be fine.

http://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip
301 Moved Permanently
https://downloads.wordpress.org/release/wordpress-4.4.1-new-bundled.zip
200 OK

As for why you're getting that error, your server can't validate the certificate because it can't get the correct chain (CA). As you can see here, wordpress.org is correctly configured. Apparently your server won't trust the chain provided by the server. Most likely it's configured to only accept CAs that are installed.

There's a couple of ways to play this. Both involve going to the GoDaddy Repository and downloading the Go Daddy Secure Certificate Authority - G2 file (it should be this file).

Now, what you need to do is

  1. Ask your host to install this chain file on their server. They should do this for you if you point them to the repository. This should be trivial.
  2. Hack the WP update script to use the CA chain directly. My bet is it's using the CURL request in this file to do the requesting. It might be another file altogether. You can tell the script doing the downloading to use that CA file. This is not as good a solution for you because you will probably have to hack that script every time.
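
An added example, not part of either answer above: it reproduces the failure offline with throwaway certificates, showing that a certificate verifies only once its issuer's root is in the CA bundle, which is what replacing ca-bundle.crt or installing the chain file achieves. The CA names, host name and file names are constructed for the demo, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added demo: every certificate below is a throwaway generated on the spot.

# make_ca DIR NAME: create a self-signed CA (NAME.key, NAME.crt) inside DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed $2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR CA: issue a server certificate for a constructed host name,
# signed by the CA called CA in DIR.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=downloads.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 -set_serial 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -out "$1/leaf.crt" 2>/dev/null
}

# chain_trusted BUNDLE CERT: succeed only if CERT chains to a CA in BUNDLE.
# The output is matched instead of the exit status, which old OpenSSL
# releases left at 0 even when verification failed.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# demo: verify one leaf against a stale bundle, then against an updated one.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" old-root && make_ca "$d" new-root &&
        make_leaf "$d" new-root || return 1

    # Stale bundle: holds only the old root, like an outdated ca-bundle.crt.
    cp "$d/old-root.crt" "$d/ca-bundle.crt"
    if chain_trusted "$d/ca-bundle.crt" "$d/leaf.crt"
    then before=trusted; else before=untrusted; fi

    # Updated bundle: the issuing root is now present, so the chain completes.
    cat "$d/new-root.crt" >> "$d/ca-bundle.crt"
    if chain_trusted "$d/ca-bundle.crt" "$d/leaf.crt"
    then after=trusted; else after=untrusted; fi

    rm -rf "$d"
    echo "stale=$before updated=$after"
}

demo
```

The same `openssl verify -CAfile` check can be pointed at a real bundle and a saved server certificate to confirm the bundle is the missing piece before changing anything on the host.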