Opened 2 years ago

Closed 2 years ago

#2943 closed Bug (fixed)

Fix SSL issue in archive.php

Reported by: FellmerLloyd Owned by: matt
Priority: normal Milestone: 1.7.x - Piwik 1.7.1
Component: Core Keywords:
Cc: Sensitive: no

Description

Occurs using a SSL secured PIWIK installation.

  • Windows Server 2008 R2, x64
  • IIS7, PHP 5.3

The archive.php script fails displaying an error:
curl:SSL3_GET_SERVER_CERTIFICATE SSL certificate problem, verify that the CA cert is OK.

The following hack solves this issue:
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);

Please fix this issue or explain a more secure workaround in the docs. Thanks.

Change History (11)

comment:1 Changed 2 years ago by matt (mattab)

  • Milestone set to 1.7.x - Piwik 1.7.1

Was your SSL certificate valid?

Should we accept non valid SSL certificate by default? Or should we have a new parameter --accept-invalid-certificate ?

comment:2 Changed 2 years ago by ziegenberg

Can be reproduced on Linux as well with Apache 2.2.15 and PHP 5.3.2.

The archive.php script fails with the following error:

Got invalid response from API request: https://[...] .
Response was 'curl_exec: SSL: certificate subject name 'domain1.example.com' does not match target host name 'domain2.example.com''

As everything happens within our Firewall we are absolutely OK with accepting the non-valid SSL cert.

+1 for --accept-invalid-certificate

comment:3 Changed 2 years ago by markei

+1 for --accept-invalid-certificate or a other config option.

comment:4 Changed 2 years ago by vipsoft (robocoder)

  • Keywords curl ssl removed
  • Resolution set to duplicate
  • Status changed from new to closed

Please fix this issue or explain a more secure workaround in the docs

"more secure"? Wouldn't disabing the SSL verification be a contradiction?

I'm marking this as a duplicate of #1867.

comment:5 Changed 2 years ago by vipsoft (robocoder)

  • Resolution duplicate deleted
  • Status changed from closed to reopened

sorry, #1867 has more scope.

comment:6 Changed 2 years ago by matt (mattab)

  • Owner set to matt
  • Status changed from reopened to new

I think it's worth fixing. The problem lies with the new feature force_ssl=1 - that currently breaks the archive.php - broken features is not good, so we need this option..

comment:7 Changed 2 years ago by vipsoft (robocoder)

I disagree.

I would prefer that sites that use a self-signed cert make the necessary server config changes to trust their cert as in this how-to:

http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/

comment:8 Changed 2 years ago by jens

The following hack solves this issue:


curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0); 
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0); 

Unfortunately, this is not sufficient. In http://dev.piwik.org/trac/browser/trunk/misc/cron/archive.php#L234 there is a call to request(url) and this in turn calls Piwik_Http::sendHttpRequestBy And I actually do not like to fiddle around with http://dev.piwik.org/trac/browser/trunk/core/Http.php#L89 as I guess this could have have side effects.

For now I disabled the cron archiving.

I would prefer that sites that use a self-signed cert make the necessary server config changes to trust their cert as in this how-to:


http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/

I have not superuser access to my piwik site (which also runs on FreeBSD). If you can outline / document how to set this up for just the user who runs archive.php I am happy to do this. But this looks pretty complicated to me, via $HOME/.ssl or something.

+1 for --accept-invalid-certificate as an option for archive.php

comment:9 Changed 2 years ago by FellmerLloyd

Hi all

We have a VALID SSL certificate!
The issuer is Equifax (trusded by all of my brosers, i.e. FF, Chrome, Opera & IE).
That's why I've opened a Ticket.

I agree that a self-signed certificate shouldn't be trusted by default.

Regards

comment:10 Changed 2 years ago by vipsoft (robocoder)

FellmerLloyd: in your case, php's curl+openssl doesn't know how to validate the certificate chain. You just need to drop a copy of cacert.pem into your piwik/core/DataFiles/ directory. You can get the latest version from:

That said, I believe Matt is considering a more general fix (e.g., checking to see if run from php-cli) that would avoid adding yet another config option.

comment:11 Changed 2 years ago by matt (mattab)

  • Resolution set to fixed
  • Status changed from new to closed

(In [5884]) Fixes #2943

  • adding --accept-invalid-ssl-certificate
  • I decided to commit this, to work around the broken feature. It is not a good practise to use invalid certificate.
  • Instead, you should drop a copy of cacert.pem into your piwik/core/DataFiles/ directory. You can get the latest version from: http://curl.haxx.se/ca/cacert.pem

I decided to fix this because I believe that using an invalid SSL certificate is still better than not using SSL.
Assuming users are happy to add this argument, piwik should be able to work without breaking.
However, it is clearly not recommmended as is highlighted in the --help output...

Note: See TracTickets for help on using tickets.