@fdellwing opened this Issue on November 21st 2018 Contributor

Follow up from https://forum.matomo.org/t/certificate-issues-during-update/30238/7

  1. Please document this behaviour somewhere. I was not aware of this fact until @mattab pointed it out.
  2. Add an option to disable this behaviour, it does not need to be accessible via UI but should be doable via config.php.
@brettp commented on February 13th 2019

This just took hours of time to debug. The thread linked above doesn't have a resolution because the OP and Matomo dev switched to email.

Is this considered a bug? Is it being worked on? Will a PR help?

From a user perspective, it's unexpected for Matomo to disregard globally installed system certs. This is not a good practice, and actually masks the real problem in the situation it's meant to address ("an endless number of people who can’t use Matomo because they are using an outdated os and don’t have the Let’s Encrypt certificate").

@fdellwing commented on February 13th 2019 Contributor

This is not considered a bug and there are no plans to change the behaviour. But there definitely has to be a blog article describing the problem and what to do, and an advanced option to disable this feature.

The solution for you is to add your trusted cert to core/DataFiles/cacert.pem.

The new option could definitely be added via a PR.

@brettp commented on February 13th 2019

I'd argue this needs to be addressed not in a generic blog post, but when the problem presents itself: the error messages. It's common and easily Google-able knowledge to update the global certs and php.ini for that curl error, but Matomo's unorthodox config is almost completely undiscoverable by searching.

If it is a blog post, it'd do well to be pinned to the top of every page in large, flashing, red text...

@tsteur commented on February 13th 2019 Member

Instead of allowing to disable it (or additionally), would it be helpful to retry if the request fails without the cacert?

@brettp commented on February 13th 2019

If it retries using the system ca, yes! But it'd also be useful to be able to set a config value to a cert path, and to alert the user to do so if a retry is successful

@fdellwing commented on February 14th 2019 Contributor

@tsteur That would be a good addition to the config option :)
