cronjob error: "curl_exec: SSL certificate problem: ..." #11077

Closed
mr-manuel opened this issue Dec 25, 2016 · 10 comments
Labels
answered For when a question was asked and we referred to forum or answered it.

Comments

@mr-manuel

mr-manuel commented Dec 25, 2016

Hi there :)

After setting "force_ssl = 1" in the config.ini.php, I get this error every time the system executes the cronjob:

Empty or invalid response 'Got invalid response from API request: https://piwik.mydomain.sample/?module=API&method=API.get&idSite=2&period=day&date=last52&format=php&trigger=archivephp&token_auth=removed. Response was 'curl_exec: SSL certificate problem: unable to get local issuer certificate. Hostname requested was: portal.md-service.net'' for website id 2, Time elapsed: 0.204s, skipping

The error is the same for every website id. The SSL certificate is a public one and valid until 2019. Without the "force_ssl = 1" setting the cronjob works without problems, but I'd like to activate SSL for more security. Any ideas?

I have Piwik 3.0 and PHP 5.6.

If you need more information, just let me know :)

@mattab
Member

mattab commented Dec 26, 2016

What PHP CURL OpenSSL version are you using?

You can see this in phpinfo() output such as this:
[image: phpinfo]

@mr-manuel
Author

Hi, thanks for your reply!

This is the output:

[image: curl]

@mattab
Member

mattab commented Dec 26, 2016

@mr-manuel I'm not sure what the problem is, but could you try upgrading your CURL version as it's quite old. It may work better with your SSL certificate?

@mr-manuel
Author

Hi, now I asked my hoster to update CURL. This might take a while. Thanks

@mr-manuel
Author

mr-manuel commented Jan 3, 2017

Hi again, now they told me that I can change the "ca-certificates.crt" file myself.
I found a recent one on https://curl.haxx.se/docs/caextract.html but the extension is *.pem.
I tried to convert the *.pem to *.crt with the command openssl x509 -outform der -in cacert.pem -out cacert.crt but I get only a file that is about 889 bytes? Thanks for helping!

@mr-manuel
Author

Now by chance I rechecked my certificate and found out that I hadn't inserted the CA bundle on the webserver. After inserting the CA bundle from my certificate all works fine. Sorry for the inconvenience and thanks for your patience!

@mattab
Member

mattab commented Jan 3, 2017

> Now by chance I rechecked my certificate and found out that I hadn't inserted the CA bundle on the webserver. After inserting the CA bundle from my certificate all works fine. Sorry for the inconvenience and thanks for your patience!

@mr-manuel What do you mean by this, could you maybe write the steps you took here, as it could help other users with the same issue? Thanks!

@mr-manuel
Author

Sure :)
I checked the certificate via command line: curl -vvI https://piwik.mydomain.sample

The output was the following:

* About to connect() to piwik.mydomain.sample port 443 (#0)
*   Trying 37.xxx.xxx.xxx...
* connected
* Connected to piwik.mydomain.sample (37.xxx.xxx.xxx) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

So I checked in my webhoster dashboard the SSL certificate for piwik.mydomain.sample and saw that the field for the ca-bundle code was empty. I pasted in the code which I got from the CA Authority and a few minutes later all worked :)

Hope that this can also help others
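
An added example, not part of the comment above or of the Piwik project: a shell helper that reads openssl s_client output and reports whether the server sent only its leaf certificate, which is the misconfiguration found in this thread. Both sample outputs are constructed, and the CA names in them are placeholders.

```shell
# Added example: summarise the certificate chain a server presents.
# Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | chain_report

# stdin: s_client output; stdout: "<verdict> certs=<n> verify=<code>"
chain_report() {
  awk '
    BEGIN { n = 0; code = "unknown" }
    /^Certificate chain/        { in_chain = 1; next }
    in_chain && /^---/          { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/  { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && n && /^ +i:/    { sub(/^ +i:/, ""); iss[n-1] = $0; next }
    /Verify return code:/       { code = $4 }
    END {
      verdict = "chain-sent"
      # Each certificate must be issued by the next one in the list.
      for (k = 0; k + 1 < n; k++) if (iss[k] != subj[k+1]) verdict = "broken-order"
      # A lone, non-self-signed leaf means no intermediates were sent.
      if (n == 1 && subj[0] != iss[0]) verdict = "leaf-only"
      if (n == 0) verdict = "no-certs"
      printf "%s certs=%d verify=%s\n", verdict, n, code
    }'
}

# Constructed sample: server configured without the CA bundle.
sample_leaf_only() { cat <<'EOF'
---
Certificate chain
 0 s:/CN=piwik.mydomain.sample
   i:/C=XX/O=Example CA/CN=Example Intermediate CA
---
Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: the same server after the CA bundle was installed.
sample_with_bundle() { cat <<'EOF'
---
Certificate chain
 0 s:/CN=piwik.mydomain.sample
   i:/C=XX/O=Example CA/CN=Example Intermediate CA
 1 s:/C=XX/O=Example CA/CN=Example Intermediate CA
   i:/C=XX/O=Example CA/CN=Example Root CA
---
Verify return code: 0 (ok)
EOF
}

sample_leaf_only   | chain_report
sample_with_bundle | chain_report
```

On a live host the verify code depends on the trust store of the machine running openssl, so the verdict field is the part that describes the server's own configuration.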

@mattab
Member

mattab commented Jan 3, 2017

Thanks @mr-manuel

> I pasted in the code which I got from the CA Authority and a few minutes later all worked :)

Is the code you refer to, similar to our list of cacert.pem? https://github.com/piwik/piwik/blob/master/core/DataFiles/cacert.pem

@mr-manuel
Author

No, the code is not similar. The code is from the *.ca file you get when you buy a certificate.
