Certificate issues during update


We have some troubles to make the automatic update for matomo and for the plugins working. The installation is behind a proxy which is using our own certificate.
For Plugins:

curl_exec: Peer’s Certificate issuer is not recognized… Hostname requested was: plugins.matomo.org

We tested curl am same server as our matomo installation. that is working fine, we get successful response freom https://plugins.matomo.org .
But if we try within matomo we got the error
Do we need to install our certificate inside matomo or what would be the way that matomo “find” our certificat?

(Fabian Dellwing) #2

As I already told you in the other post: Matomo does not handle certificates. These connections are made via PHPs curl.

Please try to add curl.cainfo = /path/to/your/trusted/ca.pem to your php.ini.


Your help is appreciated.
Unfortunately it is noting we didn’t try.

; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo = /etc/pki/ca-trust/source/anchors/xxxxxxx.pem

And curl on the server is working:

Connected to proxy.xxxxxx.xx(xx.xx.xx.xx) port 8080 (#0)
* Establish HTTP proxy tunnel to plugins.matomo.org:443
* Proxy auth using Basic with user 'xxxxxxx'
CONNECT plugins.matomo.org:443 HTTP/1.1
 Host: plugins.matomo.org:443
 Proxy-Authorization: Basic b3JnXGRpZW5zdF9seHJlcG86VG9yXzMzX2FsZCQ=
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive
HTTP/1.0 200 Connection established

 Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/xxxx/xxxx
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=plugins.matomo.org
* 	start date: Oct 18 10:46:24 2018 GMT
* 	expire date: Oct 18 10:46:24 2019 GMT
* 	common name: plugins.matomo.org
* 	issuer: xxxxxxxxxxx
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: plugins.matomo.org
> Accept: */*

(Fabian Dellwing) #4

Just to be sure: You restarted PHP after changing the php.ini?

Otherwise I’m sadly not able to help you. SSL resigning is out of my knowledge.


yes we did.
I will have to setup a meeting with our server guys. something is really wrong here. :sob:

(Matthieu Aubry) #6

FYI @fdellwing Matomo does have some control over the trusted certificates. we actually bundle our own cacert.pem file here: matomo/cacert.pem at 3.x-dev · matomo-org/matomo · GitHub
and this file is used by the PHP curl functions.

So maybe it would work when adding your own certificate to the Matomo cacert.pem file @ResponsibleUser - let’s continue discussion by email maybe.

(Fabian Dellwing) #7

Why do you do this? Where is this documented? And how can I disable that “feature”?

(Lukas Winkler) #8

Because otherwise there would be an endless number of people who can’t use Matomo because they are using an outdated os and don’t have the Let’s Encrypt certificate.

Wordpress seems to be doing the same (But have not updated it since 2015 and added their own CAs?)

I try to keep it updated with the latest ones from curl - Extract CA Certs from Mozilla which are exported from the latest Firefox releases.