@DevDavido opened this Issue on October 1st 2021

Since the DST Root CA X3 certificate expired yesterday, I'm getting tons of errors from Matomo's console archive process.
The command that is executed via shell is console core:archive --url=https://matomo.domain.com/

Expected Behavior

No errors.

Current Behavior

ERROR [2021-10-01 15:58:52] 28630 Error unserializing the following response from ?module=API&method=CoreAdminHome.archiveReports&idSite=3&period=week&date=2021-09-27&format=json&trigger=archivephp: 'Got invalid response from API request: https://matomo.domain.com/?module=API&method=CoreAdminHome.archiveReports&idSite=3&period=week&date=2021-09-27&format=json&trigger=archivephp&. Response was 'curl_exec: SSL certificate problem: certificate has expired. Hostname requested was: matomo.domain.com''

Context

Running curl like curl -v https://matomo.domain.com/?module=API&method=CoreAdminHome.archiveReports&idSite=3&period=week&date=2021-09-27&format=json&trigger=archivephp& doesn't produce any errors nor does executing such a test script:

<?php
error_reporting(E_ALL);

// Same request the archiver makes, with peer verification enabled so the
// script fails the same way the archiver would if the chain were rejected.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://matomo.domain.com/?module=API&method=CoreAdminHome.archiveReports&idSite=3&period=week&date=2021-09-27&format=json&trigger=archivephp&");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$output = curl_exec($ch);
if ($output === false) {
    // Surface the TLS error text instead of silently discarding it.
    echo "curl_exec: " . curl_error($ch) . "\n";
}
curl_close($ch);

Your Environment

  • Matomo Version: 4.4.1
  • PHP Version: 7.2.18
  • Server Operating System: Ubuntu 14.04 LTS
@Findus23 commented on October 1st 2021 Member

Hi,

Matomo overwrites the ca bundle like this:
https://github.com/matomo-org/matomo/blob/482cf02b00876f799516036cef52c061136a0954/core/Http.php#L973-L986

So if you added custom_cacert_pem to your General section of the config.ini.php, then it uses that file.

Otherwise it uses the file that Composer\CaBundle\CaBundle::getBundledCaBundlePath() returns which is most likely vendor/composer/ca-bundle/res/cacert.pem.

Originally we shipped https://curl.haxx.se/ca/cacert.pem with Matomo and updated it every few releases. But to automate this, we switched over to this composer package:
https://github.com/composer/ca-bundle

It seems like the latest Matomo version ships with 1.2.8 of that bundle with certificates from Wed Jul 22 03:12:14 2020 GMT.

It might be that updating the bundle fixes this issue.

@Findus23 commented on October 1st 2021 Member

Reading https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ I now understand the issue:

For nearly all users the DST Root CA X3 certificate expiration should not matter as long as one trusts the ISRG Root X1 certificate (which both Matomo and all major distributions already do, and have for a long time).

But OpenSSL 1.0.2 has a bug that means that if the DST Root CA X3 is in the ca-bundle (even if the other one is also available), the connection fails.
So you can fix this by either removing the certificate from the bundle (on Matomo's end we can do this by updating the composer package to 1.2.11) or (maybe even better) updating to a more modern version of OpenSSL.

I strongly recommend that you do the latter in the long term. I assume you know that Ubuntu 14.04 LTS hasn't received any security updates since April 2019 unless you are paying Canonical for an extended support contract (in which case you should probably contact them to help you fix the system CA bundle and point Matomo to it via the custom_cacert_pem option).
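As an added example (not Matomo's own code) tying together the two comments above, the following script audits a PEM CA bundle the way a Matomo admin would before pointing custom_cacert_pem at it: it lists every root whose notAfter date has passed (such as DST Root CA X3) and optionally writes a copy with those roots removed, which is the same workaround the composer/ca-bundle 1.2.11 update applies. It assumes PHP with the openssl extension and a readable bundle path; with no argument it falls back to the system default bundle reported by openssl_get_cert_locations().

```php
<?php
// Added example, not part of Matomo: audit a PEM CA bundle for expired roots
// and optionally write a pruned copy for use as custom_cacert_pem.
// Usage: php audit_bundle.php [/path/to/cacert.pem] [/path/to/pruned.pem]

function splitPemBundle(string $pem): array {
    // Each certificate is one BEGIN/END CERTIFICATE block; comment lines
    // between blocks (the bundle's "DST Root CA X3 / =====" headers) are dropped.
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    return $m[0];
}

function auditBundle(string $pem, int $now): array {
    $expired = [];
    $valid = [];
    foreach (splitPemBundle($pem) as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            continue; // unparsable block: skip it rather than abort the audit
        }
        $cn = $info['subject']['CN'] ?? ($info['subject']['O'] ?? '(no CN)');
        if ($info['validTo_time_t'] < $now) {
            $expired[] = ['cn' => $cn, 'validTo' => gmdate('Y-m-d', $info['validTo_time_t'])];
        } else {
            $valid[] = $block; // keep the original PEM text untouched
        }
    }
    return ['expired' => $expired, 'valid' => $valid];
}

$source = $argv[1] ?? openssl_get_cert_locations()['default_cert_file'];
$target = $argv[2] ?? null;
$pem = file_get_contents($source);
if ($pem === false) {
    fwrite(STDERR, "cannot read $source\n");
    exit(1);
}

$result = auditBundle($pem, time());
printf("%s: %d valid, %d expired\n", $source, count($result['valid']), count($result['expired']));
foreach ($result['expired'] as $e) {
    printf("  expired: %s (notAfter %s)\n", $e['cn'], $e['validTo']);
}
if ($target !== null) {
    file_put_contents($target, implode("\n", $result['valid']) . "\n");
    echo "pruned bundle written to $target; point custom_cacert_pem in config.ini.php at it\n";
}
```

Removing an expired root only helps when the issuing chain still validates through another trusted root (ISRG Root X1 in this case); the pruned bundle is a stopgap, and updating OpenSSL remains the real fix.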

@DevDavido commented on October 2nd 2021

Thank you @Findus23 for your detailed feedback. As mentioned by you, updating the config/config.ini.php file by adding an updated cacert.pem as custom_cacert_pem directive solved the issue.

@dev-101 commented on October 8th 2021

This looks related, although it happened during the Matomo automated update to 4.5.0.
My server is not exactly up-to-date (will soon switch to new hosting), but still this is weird.
OpenSSL version 1.1.1 11 Sep 2018 (Library: OpenSSL 1.1.1k 25 Mar 2021)

[screenshot: matomo-update-ssl-issue]

I had to use HTTP in the end to perform update.

@Findus23 commented on October 8th 2021 Member

@dev-101 Honestly I can't help much as I know that the TLS setup on builds.matomo.org is correct (see ssllabs) and apart from the openssl 1.0.2 issue, I am not aware of any issue.
So I'd recommend debugging this by first trying to make HTTP requests using the command-line curl and, if that works, a simple PHP script using curl.

@tsteur commented on October 10th 2021 Member

@Findus23 I reckon we can actually close this issue since we merged the CA bundle update and it's in the 4.5 release? People may have issues though when they try to upgrade to 4.5 (nothing we can do about it now) but afterwards it should be fine I reckon.

@nicobayati commented on October 18th 2021

Hello, is it planned to fix this bug for Matomo 3.14.1?

We want to update to the latest version 4.x, unfortunately we can't do it that fast and would be happy to get a fix for the old version.

Thanks

@tsteur commented on October 20th 2021 Member

@sgiehl @Findus23 I'm assuming to make this work for 3.X we would simply need to update our cacert.pem with the content of vendor/composer/ca-bundle/res/cacert.pem?

@nicobayati I think you could replace the content of the file $matomoDir/core/DataFiles/cacert.pem manually with the content from this file https://raw.githubusercontent.com/composer/ca-bundle/main/res/cacert.pem and then it might work. This way you might get it to work right away.

This Issue was closed on October 11th 2021