@tuxmaster opened this Issue on May 9th 2018

Updates and modules for Matomo itself work fine with an outgoing proxy.
But the GeoIP2 database download fails with:

curl_exec: SSL received a record that exceeded the maximum permissible length.. Hostname requested was: geolite.maxmind.com

System: CentOS 7.4 with php72 (7.2) from the remi repo.
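
Added example, not part of the original thread or of Matomo's code: the error text above is what a TLS client reports when the length field of the first record header it reads exceeds the protocol maximum, which commonly happens when the peer (a proxy or server) answers in plaintext. The sketch below reads constructed reply bytes the way the record layer does; the function name, the prefix list and the sample bytes are assumptions made for illustration.

```python
import struct

# RFC 5246 section 6.2.3: a TLSCiphertext fragment may not exceed 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Openings of common plaintext replies (constructed list, not exhaustive).
PLAINTEXT_PREFIXES = (b"HTTP/", b"<html", b"<!DOC")


def classify_first_bytes(data: bytes) -> dict:
    """Read the first 5 bytes from a peer as a TLS record header and judge them."""
    if len(data) < 5:
        return {"verdict": "short_read"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {"content_type": ctype, "version": (major, minor),
            "length": length, "too_long": length > MAX_RECORD_LEN}
    if ctype in CONTENT_TYPES and major == 3 and not info["too_long"]:
        info["verdict"] = "tls_record"
    elif data.startswith(PLAINTEXT_PREFIXES):
        # ASCII text misread as a header, e.g. "HTTP/" -> length 0x502F.
        info["verdict"] = "plaintext_reply"
        info["first_line"] = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    else:
        info["verdict"] = "not_tls"
    return info


# Constructed samples: a plaintext proxy/server answer and a TLS handshake record.
SAMPLE_PLAINTEXT = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE_TLS = b"\x16\x03\x03\x00\x5a" + b"\x00" * 0x5a

if __name__ == "__main__":
    for name, sample in (("plaintext", SAMPLE_PLAINTEXT), ("tls", SAMPLE_TLS)):
        print(name, classify_first_bytes(sample))
```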

@Findus23 commented on May 9th 2018 Member

Hi,

Matomo tries to download the GeoIp2 database via https, which seems to fail in your case.

https://github.com/matomo-org/matomo/blob/18ad4f7f04d01b90fb9fc1d623585b5033092ed8/plugins/GeoIp2/LocationProvider/GeoIp2.php#L22

Can you check that your proxy doesn't modify the request?

@tuxmaster commented on May 9th 2018

And the normal updates are loaded via http instead of https?
Calling it from the console works:
    https_proxy=https://RPOXY:PORT curl -v https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz >/tmp/test
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to RPOXY:PORT (#0)
    *   Trying XXX.XXXX.XXX.XXX ...
    * Connected to RPOXY (XXX.xx.xx.xx) port PORT (#0)
    * Establish HTTP proxy tunnel to geolite.maxmind.com:443
    > CONNECT geolite.maxmind.com:443 HTTP/1.1
    > Host: geolite.maxmind.com:443
    > User-Agent: curl/7.29.0
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 Connection established
    <
    * Proxy replied OK to CONNECT request
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *   subject: CN=*.maxmind.com,OU=PremiumSSL Wildcard,O=MaxMind Inc.,STREET=14 Spring Street,STREET=3rd Floor,L=Waltham,ST=MA,postalCode=02451,C=US
    *   start date: Sep 19 00:00:00 2016 GMT
    *   expire date: Okt 31 23:59:59 2018 GMT
    *   common name: *.maxmind.com
    *   issuer: CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
    > GET /download/geoip/database/GeoLite2-City.tar.gz HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: geolite.maxmind.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Wed, 09 May 2018 07:50:12 GMT
    < Content-Type: application/gzip
    < Content-Length: 26578063
    < Connection: keep-alive
    < Set-Cookie: __cfduid=d324f166bb833b10c54f8a59bcfe0de511525852212; expires=Thu, 09-May-19 07:50:12 GMT; path=/; domain=.maxmind.com; HttpOnly
    < Content-Disposition: attachment; filename=GeoLite2-City_20180501.tar.gz
    < Last-Modified: Tue, 01 May 2018 17:00:59 GMT
    < CF-Cache-Status: HIT
    < Expires: Wed, 09 May 2018 11:50:12 GMT
    < Cache-Control: public, max-age=14400
    < Accept-Ranges: bytes
    < Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    < Server: cloudflare
    < CF-RAY: 418292e6fbf72d6b-TXL
    <
    { [data not shown]
    100 25.3M 100 25.3M 0 0 18.5M 0 0:00:01 0:00:01 --:--:-- 18.5M
    * Connection #0 to host RPOXY left intact

@sgiehl commented on May 9th 2018 Member

IIRC normal updates have a fallback to HTTP if HTTPS fails. The GeoIP stuff hasn't. You can try to set it up manually and use the http address instead.

@tuxmaster commented on May 9th 2018

Yes, changing it to http works.
