Curl_exec: Peer's certificate issuer has been marked as not trusted by the user.. Hostname requested was: plugins.piwik.org


(Marco) #1

After updating from Piwik 2.16.2 to 3.0.2 an error occurred on the settings page: “curl_exec: Peer’s certificate issuer has been marked as not trusted by the user… Hostname requested was: plugins.piwik.org”.

Our Piwik installation is running in an internal, secure area and our requests are sent through an SSL terminator with a different root certificate.

How can we accept an invalid SSL certificate in Piwik?

Thank you for your help!


(Alex R) #2

Hi,
I am having the same issue.

Who knows how to solve this?

Thanks


(Lukas Winkler) #3

Hi,

The issue is that your PHP curl doesn’t trust the Host SSL certificate. I guess you are using Windows as Curl isn’t shipping the root certificates there anymore. You’ll need to configure that manually.


https://curl.haxx.se/docs/sslcerts.html


(Alex R) #4

Hi, Lukas
thank you for looking into it.

Even though our Piwik is on Linux, I tried adding curl.cainfo = "PATH_TO/cacert.pem" to php.ini.
It didn't help.

The second link is too long and too complicated for me…

Any other ideas?

Thanks


(Lukas Winkler) #5

Hi,
Which Linux distribution are you using?
plugins.piwik.org is using a Let's Encrypt certificate, so could you try running curl https://helloworld.letsencrypt.org/ to see if it works?

On debian-like distributions the root certificates are bundled in ca-certificates so if that package is (really) outdated, this may happen.


(Dave Neu) #6

Hi, I ran into this same problem (internally-hosted webserver behind an SSL-inspecting proxy).

Matomo includes its own certificate bundle in two places. Under the software’s unpacked directory, look for

core/DataFiles/cacert.pem
vendor/composer/ca-bundle/res/cacert.pem

Those are the cert bundles you need to care about. In particular, core's is used for all the basic SSL functionality (I'm not 100% sure what vendor's is used for yet, but probably better to assume you need both than be sad later).

Assuming you're on a system that already trusts the re-signing certs your proxy uses, you should be able to move those out of the way (I renamed them to cacert.pem.orig) and symlink the bundle files to your system cacert store (e.g. /etc/pki/tls/cert.pem on Red Hat-type systems, /etc/ssl/certs/ca-certificates.crt,

You could also append the necessary certs to those bundle files directly (probably your corporate root cert and an intermediate cert).

Hope that helps you!
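The procedure Dave describes above, written out as a small POSIX shell script. This is an added example, not code from the thread or from Matomo itself: it assumes the unpacked Matomo directory and the system CA bundle path are passed in as arguments, that the two bundle locations are the ones named in the post, and that the proxy's root certificate is a PEM file you already have. The certificate text embedded in the block is a constructed placeholder, not a real certificate, and exists only so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or Matomo): point Matomo's bundled CA files
# at the system trust store, or append a proxy's root cert to them, keeping
# backups and checking the result with the curl binary.

# The two bundled CA files named in the thread, relative to the Matomo root.
MATOMO_BUNDLES="core/DataFiles/cacert.pem vendor/composer/ca-bundle/res/cacert.pem"

# Constructed placeholder PEM (not a real certificate) used for offline testing.
SAMPLE_PROXY_ROOT='-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate0000000000000000000000000
-----END CERTIFICATE-----'

# link_bundles MATOMO_DIR SYSTEM_BUNDLE
# Renames each bundled cacert.pem to cacert.pem.orig (only the first time, so a
# re-run never clobbers the backup) and symlinks the original path to the
# system bundle. Fails if SYSTEM_BUNDLE is not readable.
link_bundles() {
    matomo_dir=$1
    system_bundle=$2
    [ -r "$system_bundle" ] || { echo "system bundle not readable: $system_bundle" >&2; return 1; }
    for rel in $MATOMO_BUNDLES; do
        target="$matomo_dir/$rel"
        [ -e "$target" ] || [ -L "$target" ] || { echo "skip: $target not found" >&2; continue; }
        if [ ! -e "$target.orig" ]; then
            mv "$target" "$target.orig"      # first run: keep the shipped bundle
        else
            rm -f "$target"                  # later runs: just refresh the link
        fi
        ln -s "$system_bundle" "$target"
        echo "linked $target -> $system_bundle"
    done
}

# append_cert BUNDLE_FILE CERT_PEM
# The alternative from the thread: append the proxy's root (or intermediate)
# certificate to a bundle instead of replacing it, so every other CA in the
# bundle keeps being validated. The duplicate check is a heuristic: the first
# base64 line of the certificate body is treated as its identity.
append_cert() {
    bundle=$1
    cert=$2
    [ -r "$cert" ] || { echo "cert not readable: $cert" >&2; return 1; }
    [ -r "$bundle" ] || { echo "bundle not readable: $bundle" >&2; return 1; }
    marker=$(sed -n '2p' "$cert")
    if grep -qxF -- "$marker" "$bundle"; then
        echo "already present in $bundle"
        return 0
    fi
    [ -e "$bundle.orig" ] || cp "$bundle" "$bundle.orig"
    printf '\n' >> "$bundle"                 # guarantee a line break before the new block
    cat "$cert" >> "$bundle"
    echo "appended $cert to $bundle"
}

# check_bundle BUNDLE [URL]
# Verifies that the bundle validates the plugin host the same way PHP's curl
# will: a non-zero exit means the chain is still untrusted. Needs network access.
check_bundle() {
    curl --silent --show-error --output /dev/null --cacert "$1" "${2:-https://plugins.piwik.org/}"
}

# Usage when run directly (assumed paths, adjust to your install):
#   sh matomo-ca.sh link   /var/www/matomo /etc/ssl/certs/ca-certificates.crt
#   sh matomo-ca.sh append /var/www/matomo/core/DataFiles/cacert.pem proxy-root.pem
#   sh matomo-ca.sh check  /var/www/matomo/core/DataFiles/cacert.pem
case "${1:-}" in
    link)   link_bundles "$2" "$3" ;;
    append) append_cert "$2" "$3" ;;
    check)  check_bundle "$2" "${3:-https://plugins.piwik.org/}" ;;
esac
```

Appending only the proxy's own root to the bundle is the narrower change: the rest of the trust store is untouched and certificate verification stays on, which is preferable to disabling peer verification in PHP. Either way, an upgrade that replaces Matomo's core files will put the shipped cacert.pem back, so run the script again afterwards and use check_bundle to confirm the host validates before assuming the settings page will work.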


(Marco) #7

Thanks Dave! Works like a charm! :smiley: