Cannot connect to piwik when using import_logs.py to import server logs

corin · October 29, 2017, 8:15pm

I’m using a bitnami piwik installation on an aws amazon server. I have assigned a domain to my amazon instance and also installed SSL. Everything is working smooth while tracking with javascript.

Now I took one step further and tried to import my server logs into piwik using import_logs.py

I’m using this command to execute the python script:

python /opt/bitnami/apps/piwik/htdocs/misc/log-analytics/import_logs.py --url=https://mydomain.com --idsite=4 --recorders=4 --enable-http-errors --enable-http-redirects --enable-static --enable-bots /logs/myServerLogs

but I’m gettings this error:

2017-10-29 20:07:25,760: [INFO] Error when connecting to Piwik: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
2017-10-29 20:07:25,760: [INFO] Retrying request, attempt number 2
2017-10-29 20:07:35,812: [INFO] Error when connecting to Piwik: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
2017-10-29 20:07:35,812: [INFO] Retrying request, attempt number 3
2017-10-29 20:07:45,828: [INFO] Error when connecting to Piwik: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
2017-10-29 20:07:45,828: [INFO] Max number of attempts reached, server is unreachable!
Traceback (most recent call last):
  File "/opt/bitnami/apps/piwik/htdocs/misc/log-analytics/import_logs.py", line 2413, in <module>
    resolver = config.get_resolver()
  File "/opt/bitnami/apps/piwik/htdocs/misc/log-analytics/import_logs.py", line 1023, in get_resolver
    return StaticResolver(self.options.site_id)
  File "/opt/bitnami/apps/piwik/htdocs/misc/log-analytics/import_logs.py", line 1451, in __init__
    'SitesManager.getSiteFromId', idSite=self.site_id
  File "/opt/bitnami/apps/piwik/htdocs/misc/log-analytics/import_logs.py", line 1434, in call_api
    return cls._call_wrapper(cls._call_api, None, None, method, **kwargs)
  File "/opt/bitnami/apps/piwik/htdocs/misc/log-analytics/import_logs.py", line 1421, in _call_wrapper
    raise Piwik.Error(message, code)
__main__.Error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

What may have caused this?

Lukas · October 29, 2017, 8:18pm

Hi,

The log importer fails to verify the SSL certificate. Is it a self-signed cert?

Can you try something like SSL Server Test (Powered by Qualys SSL Labs) to check if there is an SSL error?

You can also try running curl -v https://piwik.yourdomain.example.com/

corin · October 29, 2017, 8:25pm

I’m getting This server's certificate chain is incomplete. Grade capped to B. when tried SSL Server Test: promonations.com (Powered by Qualys SSL Labs)

Also got:

* Rebuilt URL to: https://promonations.com/
*   Trying 34.236.63.155...
* Connected to promonations.com (34.236.63.155) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /opt/bitnami/common/openssl/certs/curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

for the curl command

I can tell there’s something wrong but not sure what and why

Lukas · October 30, 2017, 4:07pm

Hi, I get the same results here.
Chrome and Firefox are able to access the site but curl isn’t.

According to the sslabs test your cert depends on the trust of two intermediate certificates. You’ll need to setup your webserver so it sends them with your certificate.

Comodo (or whoever you brought the SSL cert from) should have a manual on how to do it.

(similar to https://gist.github.com/bradmontgomery/6487319)

corin · October 31, 2017, 12:42am

It’s a Comodo certificate, but I’ve bought it from a reseller (I guess), so I’ll get in touch with them for the installation guide. I keep you posted

corin · November 1, 2017, 8:58pm

I managed to solve the SSL issue by correctly adding the ca-bundle SSLCACertificateFile “/opt/bitnami/apache2/conf/server-ca.crt” file into the apache’s httpd.conf