Fix SSL issue in archive.php #2943

Closed
anonymous-matomo-user opened this issue Feb 17, 2012 · 11 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc.

Comments

@anonymous-matomo-user

Occurs using an SSL-secured Piwik installation.

  • Windows Server 2008 R2, x64
  • IIS7, PHP 5.3

The archive.php script fails displaying an error:
curl:SSL3_GET_SERVER_CERTIFICATE SSL certificate problem, verify that the CA cert is OK.

The following hack solves this issue:
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);

Please fix this issue or explain a more secure workaround in the docs. Thanks.

@mattab
Member

mattab commented Feb 19, 2012

Was your SSL certificate valid?

Should we accept non-valid SSL certificates by default? Or should we have a new parameter --accept-invalid-certificate?

@ziegenberg
Contributor

Can be reproduced on Linux as well with Apache 2.2.15 and PHP 5.3.2.

The archive.php script fails with the following error:

Got invalid response from API request: https://[...].
Response was 'curl_exec: SSL: certificate subject name 'domain1.example.com' does not match target host name 'domain2.example.com''

As everything happens within our firewall, we are absolutely OK with accepting the non-valid SSL cert.

+1 for --accept-invalid-certificate

@anonymous-matomo-user
Author

+1 for --accept-invalid-certificate or another config option.

@robocoder
Contributor

Please fix this issue or explain a more secure workaround in the docs

"more secure"? Wouldn't disabling the SSL verification be a contradiction?

I'm marking this as a duplicate of #1867.

@robocoder
Contributor

sorry, #1867 has more scope.

@mattab
Member

mattab commented Feb 19, 2012

I think it's worth fixing. The problem lies with the new feature force_ssl=1 - that currently breaks the archive.php - broken features are not good, so we need this option.

@robocoder
Contributor

I disagree.

I would prefer that sites that use a self-signed cert make the necessary server config changes to trust their cert as in this how-to:

http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/

@anonymous-matomo-user
Author

The following hack solves this issue:

  curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0); 
  curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0); 

Unfortunately, this is not sufficient. In https://github.com/piwik/piwik/blob/master/misc/cron/archive.php#L234 there is a call to request(url) and this in turn calls Piwik_Http::sendHttpRequestBy. And I actually do not like to fiddle around with https://github.com/piwik/piwik/blob/master/core/Http.php#L89 as I guess this could have side effects.

For now I disabled the cron archiving.

I would prefer that sites that use a self-signed cert make the necessary server config changes to trust their cert as in this how-to:

http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/

I do not have superuser access to my piwik site (which also runs on FreeBSD). If you can outline / document how to set this up for just the user who runs archive.php I am happy to do this. But this looks pretty complicated to me, via $HOME/.ssl or something.

+1 for --accept-invalid-certificate as an option for archive.php

@anonymous-matomo-user
Author

Hi all

We have a VALID SSL certificate!
The issuer is Equifax (trusted by all of my browsers, i.e. FF, Chrome, Opera & IE).
That's why I've opened a Ticket.

I agree that a self-signed certificate shouldn't be trusted by default.

Regards

@robocoder
Contributor

FellmerLloyd: in your case, php's curl+openssl doesn't know how to validate the certificate chain. You just need to drop a copy of cacert.pem into your piwik/core/DataFiles/ directory. You can get the latest version from:

That said, I believe Matt is considering a more general fix (e.g., checking to see if run from php-cli) that would avoid adding yet another config option.

@mattab
Member

mattab commented Feb 23, 2012

(In [5884]) Fixes #2943

  • adding --accept-invalid-ssl-certificate
  • I decided to commit this, to work around the broken feature. It is not a good practice to use an invalid certificate.
  • Instead, you should drop a copy of cacert.pem into your piwik/core/DataFiles/ directory. You can get the latest version from: http://curl.haxx.se/ca/cacert.pem

I decided to fix this because I believe that using an invalid SSL certificate is still better than not using SSL.
Assuming users are happy to add this argument, piwik should be able to work without breaking.
However, it is clearly not recommended, as is highlighted in the --help output...
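The cacert.pem approach recommended by robocoder and in the commit note above, shown as an added example (this is not Piwik's own Http.php code): keep both verification options on and point curl at an explicit CA bundle, so neither a broken chain nor a hostname mismatch is silently accepted. The function name, $url and $caBundle are assumptions; the bundle can be the curl cacert.pem from the thread or the PEM of an internal CA that signed a self-signed server cert.

```php
<?php
// Added example, not code from the Piwik project. Written for PHP 5.3-era
// syntax (no short arrays, no scalar type hints) to match the thread.

/**
 * Fetch $url over HTTPS with full certificate validation against $caBundle.
 * Throws instead of returning a body when the TLS handshake fails, so the
 * caller can tell "server unreachable/untrusted" apart from "empty response".
 */
function fetchWithVerifiedTls($url, $caBundle)
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        // Peer verification stays ON: the chain must lead to a CA in $caBundle.
        CURLOPT_SSL_VERIFYPEER => true,
        // 2 = the certificate's subject/SAN must match the requested host.
        // 0 would accept domain1.example.com when connecting to domain2.example.com,
        // which is the mismatch quoted earlier in this thread.
        CURLOPT_SSL_VERIFYHOST => 2,
        // Explicit trust store instead of whatever the PHP build happens to ship.
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_TIMEOUT        => 30,
    ));

    $body = curl_exec($ch);
    if ($body === false) {
        // curl_error() carries the OpenSSL reason, e.g. the
        // "SSL certificate problem, verify that the CA cert is OK" seen above.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("curl_exec: $err");
    }
    curl_close($ch);
    return $body;
}

// Assumed values: adjust to your installation.
$url      = 'https://piwik.example.com/index.php?module=API&method=API.getPiwikVersion';
$caBundle = '/path/to/piwik/core/DataFiles/cacert.pem';

try {
    echo fetchWithVerifiedTls($url, $caBundle), "\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, "TLS or transport failure: " . $e->getMessage() . "\n");
    exit(1);
}
```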

@anonymous-matomo-user anonymous-matomo-user added this to the 1.7.x - Piwik 1.7.1 milestone Jul 8, 2014