This just took hours of time to debug. The thread linked above doesn't have a resolution because the OP and Matomo dev switched to email.
Is this considered a bug? Is it being worked on? Will a PR help?
From a user perspective, it's unexpected for Matomo to disregard globally installed system certs. This is not a good practice, and actually masks the real problem in the situation it's meant to address ("an endless number of people who can’t use Matomo because they are using an outdated os and don’t have the Let’s Encrypt certificate").
This is not considered a bug and there are no plans to change the behaviour. But there definitely has to be a blog article describing the problem and what to do and an advanced option to disable this feature.
The solution for you is to add your trusted cert to
The new option could definitely be added via a PR.
I'd argue this needs to be addressed not in a generic blog post, but when the problem presents itself: the error messages. It's common and easily Google-able knowledge to update the global certs and php.ini for that curl error, but Matomo's unorthodox config is almost completely undiscoverable by searching.
If it is a blog post, it'd do well to be pinned to the top of every page in large, flashing, red text...
Instead of allowing to disable it (or additionally), would it be helpful to retry if the request fails without the cacert?
If it retries using the system CA, yes! But it'd also be useful to be able to set a config value to a cert path, and to alert the user to do so if a retry is successful.
@tsteur That would be a good addition to the config option :)
See the FAQ documenting the new INI setting: https://matomo.org/faq/troubleshooting/faq_34226/ (will be available in 3.10.0)