Fix SSL issue in archive.php #2943
Comments
Was your SSL certificate valid? Should we accept non-valid SSL certificates by default? Or should we have a new parameter --accept-invalid-certificate?
Can be reproduced on Linux as well with Apache 2.2.15 and PHP 5.3.2. The archive.php script fails with the following error:
As everything happens within our Firewall we are absolutely OK with accepting the non-valid SSL cert. +1 for --accept-invalid-certificate
+1 for --accept-invalid-certificate or another config option.
"more secure"? Wouldn't disabling the SSL verification be a contradiction? I'm marking this as a duplicate of #1867.
Sorry, #1867 has more scope.
I think it's worth fixing. The problem lies with the new feature force_ssl=1 - that currently breaks the archive.php - broken features are not good, so we need this option.
I disagree. I would prefer that sites that use a self-signed cert make the necessary server config changes to trust their cert as in this how-to:
The following hack solves this issue:
Unfortunately, this is not sufficient. In https://github.com/piwik/piwik/blob/master/misc/cron/archive.php#L234 there is a call to request(url) and this in turn calls Piwik_Http::sendHttpRequestBy And I actually do not like to fiddle around with https://github.com/piwik/piwik/blob/master/core/Http.php#L89 as I guess this could have side effects. For now I disabled the cron archiving. I would prefer that sites that use a self-signed cert make the necessary server config changes to trust their cert as in this how-to: I do not have superuser access to my piwik site (which also runs on FreeBSD). If you can outline / document how to set this up for just the user who runs archive.php I am happy to do this. But this looks pretty complicated to me, via $HOME/.ssl or something. +1 for --accept-invalid-certificate as an option for archive.php
Hi all. We have a VALID SSL certificate! I agree that a self-signed certificate shouldn't be trusted by default. Regards
FellmerLloyd: in your case, php's curl+openssl doesn't know how to validate the certificate chain. You just need to drop a copy of cacert.pem into your piwik/core/DataFiles/ directory. You can get the latest version from: That said, I believe Matt is considering a more general fix (e.g., checking to see if run from php-cli) that would avoid adding yet another config option.
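Added example, not part of the thread and not Piwik's code: the verifying counterpart of the two curl_setopt lines in the report, pointing curl at the cacert.pem location named in the comment above. The function name fetchVerified and the URL are assumptions; for a self-signed certificate, CURLOPT_CAINFO can instead point at a PEM file holding that certificate, readable by the user who runs archive.php.

```php
<?php
// Added example: keep certificate verification on and tell curl which CAs to trust.
// fetchVerified() and the URL below are hypothetical, not Piwik identifiers.

function fetchVerified($url, $caBundle)
{
    // A missing bundle should stop the run, not silently fall back to "no checks".
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // validate the chain against $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,         // certificate name must match the host
        CURLOPT_CAINFO         => $caBundle, // PEM file with the trusted CA certificates
        CURLOPT_TIMEOUT        => 30,
    ));

    $body = curl_exec($ch);
    if ($body === false) {
        // Fail closed: surface the verification error instead of retrying unverified.
        $msg = sprintf('curl error %d: %s', curl_errno($ch), curl_error($ch));
        throw new RuntimeException($msg);
    }
    return $body;
}

// Bundle path taken from the comment above, relative to the Piwik root (assumed
// to be this script's directory); the URL is a constructed placeholder.
$caBundle = __DIR__ . '/core/DataFiles/cacert.pem';

try {
    $body = fetchVerified('https://piwik.example.org/index.php', $caBundle);
    echo strlen($body), " bytes received over a verified connection\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```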
(In [5884]) Fixes #2943
I decided to fix this because I believe that using an invalid SSL certificate is still better than not using SSL.
Occurs using a SSL secured PIWIK installation.
The archive.php script fails displaying an error:
curl:SSL3_GET_SERVER_CERTIFICATE SSL certificate problem, verify that the CA cert is OK.
The following hack solves this issue:
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
Please fix this issue or explain a more secure workaround in the docs. Thanks.