@aqustiq opened this Issue on April 27th 2022

```
Unable to execute check for https://matomo.myxdomain.com/config/config.ini.php: curl_exec: SSL certificate problem: unable to get local issuer certificate. Hostname requested was: matomo.myxdomain.com
Unable to execute check for https://matomo.myxdomain.com/tmp/cache/tracker/matomocache_general.php: curl_exec: SSL certificate problem: unable to get local issuer certificate. Hostname requested was: matomo.myxdomain.com
All private directories are inaccessible from the internet.

Unable to execute check for https://matomo.myxdomain.com/tmp/: curl_exec: SSL certificate problem: unable to get local issuer certificate. Hostname requested was: matomo.myxdomain.com
Unable to execute check for https://matomo.myxdomain.com/tmp/empty: curl_exec: SSL certificate problem: unable to get local issuer certificate. Hostname requested was: matomo.myxdomain.com
Unable to execute check for https://matomo.myxdomain.com/lang/en.json: curl_exec: SSL certificate problem: unable to get local issuer certificate. Hostname requested was: matomo.myxdomain.com
All private directories are inaccessible from the internet.
```

I checked all these URLs with curl from the server itself and had no issues connecting.

Matomo is fully functional; just the System Check complains about it.

Your Environment

  • Matomo Version: 4.9.1
  • PHP Version: 7.3.3
  • Server Operating System: RHEL 8
  • Additionally installed plugins: Default
  • Browser: Firefox 99.0.1
  • Operating System: Win10
@bx80 commented on April 27th 2022 Contributor

Hi @aqustiq, thanks for making contact.

The system check connects to your server via HTTPS using curl to determine if those files are publicly accessible. From the error message it looks like your server's certificate is not trusted by curl.

You can test this by attempting to connect directly with curl on your server:

curl https://matomo.myxdomain.com/README.md

It could be that your certificate authority list is out of date and needs to be updated, this FAQ explains how to update it.

@aqustiq commented on April 28th 2022

> Hi @aqustiq, thanks for making contact.
>
> The system check connects to your server via HTTPS using curl to determine if those files are publicly accessible. From the error message it looks like your server's certificate is not trusted by curl.
>
> You can test this by attempting to connect directly with curl on your server:
>
> curl https://matomo.myxdomain.com/README.md
>
> It could be that your certificate authority list is out of date and needs to be updated, this FAQ explains how to update it.

Hi @bx80,
As I mentioned in the first post, when I access those URLs from the server with curl I have no certificate error.
I also tested the URL which you provided and here is the result:

```
[]# curl https://matomo.myxdomain.com/README.md
# Matomo (formerly Piwik) - matomo.org

[![Latest Stable Version](https://poser.pugx.org/matomo/matomo/v/stable)](https://matomo.org/download/)
[![Latest Unstable Version](https://poser.pugx.org/matomo/matomo/v/unstable)](https://builds.matomo.org/)
[![License](https://poser.pugx.org/piwik/piwik/license)](https://matomo.org/free-software/)

## Code Status

[![Build Status](https://travis-ci.com/matomo-org/matomo.svg?branch=4.x-dev)](https://app.travis-ci.com/matomo-org/matomo/branches)
[![Percentage of issues still open](http://isitmaintained.com/badge/open/matomo-org/matomo.svg)](http://isitmaintained.com/project/matomo-org/matomo "Percentage of issues still open")

## Description

Matomo is the leading Free/Libre open analytics platform.

Matomo is a full-featured PHP MySQL software program that you download and install on your own webserver.
At the end of the five-minute installation process, you will be given a JavaScript code.
Simply copy and paste this tag on websites you wish to track and access your analytics reports in real-time.

Matomo aims to be a Free software alternative to Google Analytics and is already used on more than 1,400,000 websites. Privacy is built-in!

## Mission Statement

> « To create, as a community, the leading international open source digital analytics platform, that gives every user full control of their data. »

Or in short:
> « Liberate Web Analytics »

## License

Matomo is released under the GPL v3 (or later) license, see [LICENSE](LICENSE).

## Requirements

  * PHP 7.2.5 or greater
  * MySQL version 5.5 or greater, or MariaDB
  * PHP extension pdo and pdo_mysql, or the MySQLi extension
  * Matomo is OS / server independent

See https://matomo.org/docs/requirements/.
```

I have cut the rest of the output, but the idea is that I have no problem accessing the website with curl from the server.

@Wecoboss commented on July 27th 2022

Hi,
I have the same problem. I have installed Matomo through Infomaniak and it ran fine until a recent update. Since then, I have these certificate errors even if every check is green. However, I can't connect a WordPress site through the Matomo plugin because of this certificate error.

I have tried the following fix but without success:

Many thanks in advance for your help.

@bx80 commented on July 28th 2022 Contributor

Hi @Wecoboss, thanks for the extra info, and sorry @aqustiq for not getting back sooner,

Digging a bit deeper into this:

When Matomo uses curl via PHP it overrides the use of the system certificate authority bundle by always setting the CURLOPT_CAINFO option to one of the following:

  • If the custom_cacert_pem config option is set and the file exists and is accessible then it will be used.
  • If not then the vendor/composer/ca-bundle/res/cacert.pem file from the composer package composer/ca-bundle is used.

curl run from the command line will normally use the system certificate authority bundle, so that might well work while curl used from Matomo does not.

Could you try the following steps to resolve this error, if this works then please let me know and I will update the FAQs.

Update the ca-bundle composer package

  • The latest version of ca-bundle is 1.3.3 (as of 2022-07-28)
  • You can see what version is currently installed by running `php composer.phar info | grep ca-bundle` in the Matomo installation folder.
  • If it is not the latest version then run `php composer.phar update --no-dev`.
  • This will update the package to the latest version which should hopefully resolve the issue.

Force Matomo to use the system ca certs bundle

If updating the composer package didn't work then you can try to force Matomo to use the system certs bundle.

  • Find the location of your system ca cert bundle, it will be different depending on your distribution, common locations are:

```
/etc/pki/tls/certs/ca-bundle.crt     Fedora, Redhat, CentOS (ca-certificates package)
/etc/ssl/certs/ca-certificates.crt   Debian, Ubuntu, Gentoo, Arch Linux (ca-certificates package)
/etc/ssl/ca-bundle.pem               SUSE, openSUSE (ca-certificates package)
/usr/ssl/certs/ca-bundle.crt         Cygwin
/usr/local/etc/openssl/cert.pem      OS X homebrew, openssl package
/usr/local/etc/openssl@1.1/cert.pem  OS X homebrew, openssl@1.1 package
```

  • Make sure the file exists and is readable: `ls -l /replace/with/your/path` should show permissions like `-rw-r--r--`

  • If the file doesn't exist then you may need to install the appropriate operating system package (`apt install ca-certificates` / `yum install ca-certificates` / `brew install ca-certificates`, etc)

  • Edit `config/config.ini.php` and add `custom_cacert_pem = "/replace/with/your/path"` to the `[General]` section

Confirm that curl works correctly from the command line

If forcing the system ca cert bundle doesn't work, then it may be out of date, to check this:

  • Run `curl https://replace-with-your-matomo-domain-and-path.com/README.md`
  • If the `unable to get local issuer certificate` error is shown here then the system cert bundle is probably out of date.
  • Run `apt update; apt upgrade` or whatever commands are appropriate for your operating system to update its packages.
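
The bundle selection described in the comment above can be reproduced from the command line. This is an added shell sketch, not Matomo's code and not part of the original thread: it picks the CA file the way the comment describes and repeats the request with `curl --cacert`, so command-line curl uses the same trust store as the PHP call. The function names and the URL and install path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not Matomo code: mirrors the bundle choice described in the thread.

# Print custom_cacert_pem from the [General] section of a config.ini.php, if set.
custom_cacert_pem() {
    awk '
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[General\]/); next }
        in_general && /^[ \t]*custom_cacert_pem[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")     # drop "key = "
            gsub(/^"|"[ \t]*$/, "")      # drop surrounding quotes
            print; exit
        }' "$1"
}

# Print the CA bundle the PHP curl calls would use for the install in $1:
# the configured file if it is set and readable, else the composer bundle.
matomo_ca_bundle() {
    dir=$1
    custom=$(custom_cacert_pem "$dir/config/config.ini.php" 2>/dev/null) || custom=""
    if [ -n "$custom" ] && [ -r "$custom" ]; then
        printf '%s\n' "$custom"
    else
        printf '%s\n' "$dir/vendor/composer/ca-bundle/res/cacert.pem"
    fi
}

# Fetch URL once with curl's default (system) bundle and once with Matomo's.
# curl exit code 60 means the chain could not be verified against that bundle.
compare_trust() {
    url=$1
    bundle=$(matomo_ca_bundle "$2")
    [ -r "$bundle" ] || { echo "bundle not readable: $bundle" >&2; return 1; }
    curl -sS -o /dev/null "$url"; sys_rc=$?
    curl -sS -o /dev/null --cacert "$bundle" "$url"; app_rc=$?
    echo "system bundle: curl exit $sys_rc"
    echo "matomo bundle ($bundle): curl exit $app_rc"
    if [ "$sys_rc" -eq 0 ] && [ "$app_rc" -eq 60 ]; then
        echo "issuer is trusted by the system store but missing from $bundle"
    fi
    return 0
}

# Usage (placeholder values): sh ca_check.sh https://matomo.example.com/README.md /var/www/matomo
if [ "$#" -eq 2 ]; then compare_trust "$1" "$2"; fi
```
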
@saschabrockel commented on October 25th 2022

> Hi @aqustiq, thanks for making contact.
>
> The system check connects to your server via HTTPS using curl to determine if those files are publicly accessible. From the error message it looks like your server's certificate is not trusted by curl.
>
> You can test this by attempting to connect directly with curl on your server:
>
> curl https://matomo.myxdomain.com/README.md
>
> It could be that your certificate authority list is out of date and needs to be updated, this FAQ explains how to update it.

I have a fresh install of Ubuntu and I'm running Matomo with Docker. Also a fresh install. I also have this error but for me, it is true that somehow the URL can never be resolved with curl: curl: (6) Could not resolve host: stats.xyz.de

So I tried to recreate the certificate in NGINX Proxy Manager but it did not work. I don't know what is wrong. I mean everything else works well. From outside the server, it seems to work fine. One random time the curl call on the server also worked but it was like 1 of 100.

@bx80 commented on October 25th 2022 Contributor

Hi @saschabrockel, thanks for reaching out.

If curl is reporting that the host cannot be resolved then it probably isn't a certificate issue.

Can curl resolve other hosts? `curl https://demo.matomo.org/README.md` If not then it could be a network issue.
Can you ping the host? `ping stats.xyz.de` If not then it could be a DNS issue.

I'd suggest posting on the Matomo forums where someone might be able to help you further.

@saschabrockel commented on October 25th 2022

Hey, @bx80 thank you for the quick response. Other hosts can be resolved. It is only this one URL of my self-hosted Matomo instance that can not be reached. That is why I don't understand what is going on. Pinging the website with curl or google works fine.

Okay I've just tried it again. The error in Matomo is gone and it works now... I did nothing for the last 20 hours. Love IT 😆

@bx80 commented on October 25th 2022 Contributor

@saschabrockel Perhaps it was DNS propagation delay, always a bit random to troubleshoot! Good to hear it's working for you now :smiley:

@aqustiq commented on October 26th 2022

Hello bx80,

I have tried your recommendations but nothing worked even in version 4.12.2. Site works fine so if no quick fix for this I don't bother to live with it.

Also, I have no issues accessing the Readme file from the server itself:
```
[root@server-devs matomo]# curl https://server-dev.internal.xxxx.xx/README.md

Matomo (formerly Piwik) - matomo.org

Latest Stable Version
Latest Unstable Version
License

Code Status

Build Status
Percentage of issues still open

Description

Matomo is the leading Free/Libre open analytics platform.

Matomo is a full-featured PHP MySQL software program that you download and install on your own webserver.
At the end of the five-minute installation process, you will be given a JavaScript code.
Simply copy and paste this tag on websites you wish to track and access your analytics reports in real-time.

Matomo aims to be a Free software alternative to Google Analytics and is already used on more than 1,400,000 websites. Privacy is built-in!

Mission Statement

.......
```

This Issue was closed on October 26th 2022