@tassoman opened this Issue on January 15th 2016 Contributor

Ciao!
I'm trying to write a plugin that manages HTTP queries to Piwik Reporting APIs. It should verify our staging installation meets production environment.

I've started using Piwik\HTTP::fetchRemoteFile($urlToFile) method and I was stuck in the problem exposed somehow in #7580. My problem is our certificate is self-signed instead of a public root.

So I've decided to build myself an HTTPS call without certificate verification :sob: and I discovered Guzzle\HTTP\Client using PHPStorm IDE

Having no clue of what am I doing :astonished: I've tried to readthedocs discovering that $client = new GuzzleHttp\Client();

Then I've ended up there should be «something». A rapid grep of composer.lock showed Piwik's Guzzle is still v3 that's now deprecated by v5. Finally, the stable documentation writes about v6.

Now I'm confused :confused:

@tsteur commented on January 17th 2016 Member

Are you writing a Piwik plugin? In this case you can directly access the API without going over HTTP by using the Request::processRequest method http://developer.piwik.org/api-reference/Piwik/API/Request#processrequest like this https://github.com/piwik/piwik/blob/2.16.0-b2/plugins/SegmentEditor/SegmentList.php#L21-L23

We don't really use Guzzle. It is required by another dependency (I think by AWS-SDK-PHP). It probably requires Guzzle 3 because it's compatible with PHP 5.3+ whereas Guzzle 4 requires PHP 5.4+ and latest version requires PHP 5.5+. So we couldn't really use a newer version for now but we're not using it anyway. Please use Piwik\Http instead.

Maybe this solves the problem with your certificate and allows you to actually use Http class http://forum.piwik.org/t/certificate-error-on-update-to-2-12-1-solved-tu/15124/4?u=thomas_piwik . Otherwise we'd need to maybe reopen #7580

@tassoman commented on January 18th 2016 Contributor

Hi @tsteur thank you for your fast reply.
Now I understand using Guzzle\Http\Client is not the right choice.
I've already tried using Request::processRequest but it's useful when you're querying the local Piwik's installation. My will is to query staging and production installations from Dev machine, today all them are three different Piwik's versions.
I've also tried setting [curl.cacert] inside Dev's php.ini configuration but it didn't work, looks like I was missing something.
Doing a raw curl from the shell ended up the certificate chain is missing one cert.
Finally, if sysops can't bring me the full chain certificates I think I sadly need to get rid of verification.
Using Piwik\Http directly I can't get rid of verification (-k) because of security risk. Do you think I can extend it by writing Piwik\Plugins\MyPlugin\Http inside my Dev environment?

@tsteur commented on January 18th 2016 Member

You can maybe extend it inside your dev environment. I'm not quite sure about your setup. So you are working on a plugin for Piwik, and within this plugin you request data from different environments (QA, Test, Prod, ...)?

You could otherwise download maybe another simple library and ship it with your plugin. Eg you can put a library inside your libs folder of the plugin but you'd need to load it manually.

> Doing a raw curl from the shell ended up the certificate chain is missing one cert.

So it seems like there's a problem with certs in general?

@tassoman commented on January 19th 2016 Contributor

Yes the problem is with my certificates chain. So I've managed the thing insecurely avoiding the certificate verification (-k --insecure curl way), it's enough for a Development installation because it works entirely inside the intranet.

I got the things done extending the Piwik\Http class by Piwik\Plugins\MyPlugin\Https. Then Piwik\Plugins\MyPlugin\Commands\MyCommand creates the Https object.

This Https object just overrides configCurlCertificate() by:

```php
public static function configCurlCertificate(&$ch)
{
  if (file_exists(PIWIK_INCLUDE_PATH . '/core/DataFiles/cacert.pem')) {
    @curl_setopt($ch, CURLOPT_CAINFO, PIWIK_INCLUDE_PATH . '/core/DataFiles/cacert.pem');
  }
  // This is the insecure way: -k --insecure
  @curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
  @curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
}
```

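
The hardened counterpart of the override above, as an added example that is not part of the original post or of Piwik: verification stays on and the curl handle trusts a CA bundle supplied by sysops. The class name `PinnedCaCurl`, the `DEV_CA_BUNDLE` environment variable and the bundle contents (the internal root plus the intermediate the server does not send, in PEM) are assumptions.

```php
<?php
// Added example, not Piwik code. DEV_CA_BUNDLE (assumed name) points to a PEM
// file holding the internal root and the intermediate missing from the chain.

final class PinnedCaCurl
{
    /** Takes the curl handle by reference, like the override in the post. */
    public static function configCurlCertificate(&$ch)
    {
        $bundle = getenv('DEV_CA_BUNDLE');
        if (!$bundle || !is_readable($bundle)) {
            throw new RuntimeException('CA bundle missing or unreadable');
        }
        self::assertBundleParses(file_get_contents($bundle));

        curl_setopt($ch, CURLOPT_CAINFO, $bundle);      // trust only this bundle
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // validate the chain
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // validate the host name
    }

    /** Fail early on an empty, truncated or expired bundle; returns cert count. */
    public static function assertBundleParses($pem)
    {
        $re = '/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s';
        if (!preg_match_all($re, $pem, $m)) {
            throw new RuntimeException('no certificates in bundle');
        }
        foreach ($m[0] as $block) {
            $info = openssl_x509_parse($block);
            if ($info === false) {
                throw new RuntimeException('unparseable certificate in bundle');
            }
            if ($info['validTo_time_t'] < time()) {
                throw new RuntimeException('expired: ' . $info['name']);
            }
        }
        return count($m[0]);
    }
}

// CLI usage: DEV_CA_BUNDLE=/path/to/bundle.pem php this.php <https-url>
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $ch = curl_init($argv[1]);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    PinnedCaCurl::configCurlCertificate($ch);
    $body = curl_exec($ch);
    // curl_error() names the verification failure instead of hiding it
    echo $body === false ? 'TLS/HTTP error: ' . curl_error($ch) . PHP_EOL : $body;
    curl_close($ch);
}
```
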
@tsteur commented on January 19th 2016 Member

Glad to hear :+1:

This Issue was closed on January 17th 2016