Since the DST Root CA X3 certificate expired yesterday, I'm getting tons of errors from Matomo's console archive process.
The command that is executed via shell is
console core:archive --url=https://matomo.domain.com/
ERROR [2021-10-01 15:58:52] 28630 Error unserializing the following response from ?module=API&method=CoreAdminHome.archiveReports&idSite=3&period=week&date=2021-09-27&format=json&trigger=archivephp: 'Got invalid response from API request: https://matomo.domain.com/?module=API&method=CoreAdminHome.archiveReports&idSite=3&period=week&date=2021-09-27&format=json&trigger=archivephp&. Response was 'curl_exec: SSL certificate problem: certificate has expired. Hostname requested was: matomo.domain.com''
Running curl like
curl -v 'https://matomo.domain.com/?module=API&method=CoreAdminHome.archiveReports&idSite=3&period=week&date=2021-09-27&format=json&trigger=archivephp&'
doesn't produce any errors, nor does executing such a test script:
<?php
error_reporting(E_ALL);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://matomo.domain.com/?module=API&method=CoreAdminHome.archiveReports&idSite=3&period=week&date=2021-09-27&format=json&trigger=archivephp&");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
// curl_exec() returns false on a TLS failure without raising a PHP error, so surface it explicitly
if ($output === false) {
    echo "curl_exec: " . curl_error($ch) . PHP_EOL;
}
curl_close($ch);
Matomo overwrites the ca bundle like this:
So if you added custom_cacert_pem to your General section of the config.ini.php, then it uses that file.
Otherwise it uses the file that Composer\CaBundle\CaBundle::getBundledCaBundlePath() returns which is most likely
Originally we shipped https://curl.haxx.se/ca/cacert.pem with Matomo and updated it every few releases. But to automate this, we switched over to this composer package:
It seems like the latest Matomo version ships with 1.2.8 of that bundle with certificates from Wed Jul 22 03:12:14 2020 GMT.
It might be that updating the bundle fixes this issue.
Reading https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ I now understand the issue:
For nearly all users the DST Root CA X3 certificate expiration should not matter as long as one trusts the ISRG Root X1 certificate (which both Matomo and all major distributions already do for a long time).
But OpenSSL 1.0.2 has a bug that means that if the DST Root CA X3 is in the ca-bundle (even if the other one is also available), the connection fails.
So you can fix this by either removing the certificate from the bundle (on Matomo's end we can do this by updating the composer package to 1.2.11) or (maybe even better) updating to a more modern version of OpenSSL.
I strongly recommend you to do the latter in the long term. I assume you know that Ubuntu 14.04 LTS doesn't receive any security updates since April 2019 unless you are paying Canonical for an extended support contract (in which case you should probably contact them to help you fix the system ca bundle and point Matomo to it via the
This looks related, although it happened during Matomo's automated update to 4.5.0.
My server is not exactly up-to-date (will soon switch to new hosting), but still this is weird.
OpenSSL version 1.1.1 11 Sep 2018 (Library: OpenSSL 1.1.1k 25 Mar 2021)
I had to use HTTP in the end to perform update.
@dev-101 Honestly I can't help much as I know that the TLS setup on builds.matomo.org is correct (see ssllabs) and apart from the openssl 1.0.2 issue, I am not aware of any issue.
So I'd recommend you to debug this by first trying to make http requests using the command line curl and if that works a simple PHP script using curl.
@Findus23 I reckon we can actually close this issue since we merged the CA bundle update and it's in the 4.5 release? People may have issues though when they try to upgrade to 4.5 (nothing we can do about it now) but afterwards it should be fine I reckon.
Hello, is a fix for this bug planned for Matomo 3.14.1?
We want to update to the latest version 4.x, unfortunately we can't do it that fast and would be happy to get a fix for the old version.
@nicobayati I think you could replace the content of the file $matomoDir/core/DataFiles/cacert.pem manually with the content from this file https://raw.githubusercontent.com/composer/ca-bundle/main/res/cacert.pem and then it might work maybe. This way you might get it to work right away.