[Console Archive] CURL: SSL certificate problem with expired certificate #18089
Comments
Hi, Matomo overwrites the ca bundle like this: Lines 973 to 986 in 482cf02
So if you added Otherwise it uses the file that Originally we shipped It seems like the latest Matomo version ships with It might be that updating the bundle fixes this issue.
Reading https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ I now understand the issue: For nearly all users the DST Root CA X3 certificate expiration should not matter as long as one trusts the But OpenSSL 1.0.2 has a bug that means that if the I strongly recommend you to do the latter in the long term. I assume you know that Ubuntu 14.04 LTS hasn't received any security updates since April 2019 unless you are paying Canonical for an extended support contract (in which case you should probably contact them to help you fix the system ca bundle and point Matomo to it via the
Thank you @Findus23 for your detailed feedback. As mentioned by you, updating the
@dev-101 Honestly I can't help much as I know that the TLS setup on builds.matomo.org is correct (see ssllabs) and apart from the openssl 1.0.2 issue, I am not aware of any issue.
@Findus23 I reckon we can actually close this issue since we merged the CA bundle update and it's in the 4.5 release? People may have issues though when they try to upgrade to 4.5 (nothing we can do about it now) but afterwards it should be fine I reckon.
Hello, is it planned to fix this bug for Matomo 3.14.1? We want to update to the latest version 4.x, unfortunately we can't do it that fast and would be happy to get a fix for the old version. Thanks
@sgiehl @Findus23 I'm assuming to make this work for 3.X we would simply need to update our cacert.pem with the content of @nicobayati I think you could replace the content of the file
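A check for the situation discussed in the comments above, added here as an example and not part of the thread or of Matomo's code: it lists every certificate in a PEM CA bundle (such as a `cacert.pem`) whose `notAfter` has passed, using only the Python standard library. The helper names and the sample bundle are constructed for illustration; the sample entries are skeletons with just enough DER structure to carry a validity period.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return the notAfter field of a DER X.509 certificate as an aware datetime."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = end
    for _skip in range(3):                 # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # validity SEQUENCE
    _, _, pos = _tlv(der, pos)             # notBefore
    tag, start, end = _tlv(der, pos)       # notAfter
    text = der[start:end].decode("ascii")
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def expired_certs(bundle_text, now=None):
    """Return [(position_in_bundle, notAfter)] for each expired certificate."""
    now = now or datetime.now(timezone.utc)
    expiries = [not_after(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(bundle_text)]
    return [(i, t) for i, t in enumerate(expiries) if t < now]

def _der(tag, *parts):  # short-form length only: body must stay under 128 bytes
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)

def _sample_pem(not_after_utc):
    """Constructed skeleton with only the fields not_after() walks; not a real certificate."""
    validity = _der(0x30, _der(0x17, b"000930211219Z"), _der(0x17, not_after_utc))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               _der(0x30), _der(0x30), validity)
    body = base64.encodebytes(_der(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed two-entry bundle: one entry already expired in October 2021, one not.
SAMPLE_BUNDLE = _sample_pem(b"210930140115Z") + _sample_pem(b"350604110438Z")
```

To check a real bundle, pass the file's text to `expired_certs()`; the returned positions are zero-based in file order.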
Since the DST Root CA X3 certificate expired yesterday, I'm getting tons of errors from Matomo's console archive process.
The command that is executed via shell is
console core:archive --url=https://matomo.domain.com/
Expected Behavior
No errors.
Current Behavior
Context
Running curl like
curl -v https://matomo.domain.com/?module=API&method=CoreAdminHome.archiveReports&idSite=3&period=week&date=2021-09-27&format=json&trigger=archivephp&
doesn't produce any errors nor does executing such a test script:
Your Environment