WooCommerce REST API hung up or leaking with local development

Issue Summary

Attempting to use the WooCommerce REST API within a custom WP theme, internally to create and manage products. When trying to make a request, running into multiple issues.

Troubleshooting Questions

Using Local by Flywheel as my environment, I have followed the instructions here to get set up and running with the WC API: https://woocommerce.github.io/woocommerce-rest-api-docs/#authentication

Issues I am running into, when trying different things:

  • When on HTTPS, it throws the error of self signed certificate. I have tried everything online, setting the verify_ssl to false, using both the Automatic vendor plugin or just making a simple PHP cURL request

  • The request works in POSTman, and when I export the cURL PHP code verbatim, add it into the theme, when this block of code gets hit, there is some sort of data leak, or the process gets hung up. When I am debugging using breakpoints, it gets hung up

  • I have tried disabling ALL plugins, except WooCommerce, and issue persists.

  • WC REST API requests gets hung up and throws a timeout error, even when the timeout is set to 0, or a high number of 400

  • Are you able to create a new, plain WordPress site in Local and access it in a Browser?

Describe the steps that others can take to replicate this issue. If you have screenshots that can help clarify what is happening, please include them!

  • Install WooCommerce plugin
  • Make a cURL request to get all products via the WC REST API within a custom theme

System Details

  • Which version of Local is being used?

  • What Operating System (OS) and OS version is being used?
    MAC OS 10.15.7

  • Attach the Local Log. See this Community Forum post for instructions on how to do so:
    No recent logs found

Do you have an example fo the PHP code that’s making the request?

In general, I’ve found that using WordPress’ family of HTTP request functions is a good idea because it helps abstract away the nuances of handling SSL certs.

The wp_remote_request() function is the more generic one, but there are others for more specific HTTP verbs:

Hey Ben,

Thanks for getting back to me.

I have tried numerous different ways to make the API call.

The calls are working in POSTman, and here is a direct code export:

    $curl = curl_init();

    curl_setopt_array($curl, array(
        CURLOPT_URL => 'http://website.local/wp-json/wc/v3/products/3424',
        CURLOPT_ENCODING => '',
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 0,
        CURLOPT_HTTPHEADER => array(
          'Authorization: OAuth oauth_consumer_key="ck_fac97131cb7asda32033edf1e368ca607ebcece47",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1623349011",oauth_nonce="MATQth54Ntr",oauth_version="1.0",oauth_signature="niVL%2BhMHundj7He6056O5smJlcg%3D"'

    $response = curl_exec($curl);

    if (curl_errno($curl)) {
        $error_msg = curl_error($curl);

    return $response;

I have also tried using the WooCommerce PHP package, as follows:

       $woocommerce = new Client(
                'wp_api' => true,
                'version' => 'wc/v3',
                'timeout' => 400,

        return $woocommerce->get('products/794');

and then also tried your recommendation of using the wp_remote_get as follows:

$remote_url = 'http://website.local/wp-json/wc/v3/products/3424';
$args = array(
    'headers'     => array(
        'Authorization: OAuth oauth_consumer_key="ck_fac97131cbsdssd70458a033edf1e368ca607ebcece47",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1623605862",oauth_nonce="Knesdsd3MynCMMU",oauth_version="1.0",oauth_signature="7IxZpRL8ebkNmnNZTsdsd2ds3RawwWk%3D"',
$result = wp_remote_get( $remote_url, $args );

Unfortunately, all attempths above, either return in a timeout error, or a self signed SSL certificate error.

@ben.turner any other ideas of something that I can try? Or any idea what may be causing this issue? Still unable to resolve it.

Thank you!

  • Alex

I wonder if Local’s router is messing with the authorization headers.

One thing you can try to zero in on the issue is to try setting the Local to use localhost Router Mode under “Preferences > Advanced”

This should prompt you to update the url within the DB to something like localhost:10005

Once that’s done, can you try making those requests again and see if you get different errors? Note that you won’t be able to make HTTPS requests since Local can’t manage the certificate for localhost, but that might help us zero in on Local’s router as the issue.

I’ve done some more QA on this today and have come to the conclusion that this is hard stuff! :smiley:

Here are a few takeaways:

  1. I see the error of cURL Error: SSL certificate problem: self signed certificate somewhat regularly, and in many cases, that’s due to the certificates that WordPress bundles not including the self-signed certificate of the Local site. This answer on StackOverflow has the general fix which is basically, export the Local site’s certificate as a .pem file and append it to WordPress’ bundled certs in wp-includes/certificates/ca-bundle.crt

    When I do that, I am able to make certain requests over HTTPS against the Local site’s rest api. I wasn’t able to get requests to the woo api to work.

  2. The Woocommerce composer package is nice, but I never was able to get it to make secure requests, only regular requests when verify_ssl was false. I think this is related to above and the fact that this package doesn’t consider the bundled certs that come with WP.

I can take another look at a later time, but as of right now, I’m thinking the easiest thing is to temporarily set the verify_ssl to false and continue with the rest of the application logic.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.