Hi, I ran into this same problem (internally-hosted webserver behind an SSL-inspecting proxy).
Matomo includes its own certificate bundle in two places. Under the software’s unpacked directory, look for
Those are the cert bundles you need to care about. In particular,
core's is used for all the basic ssl functionality (I’m not 100% sure what
vendor is used for yet, but probably better to assume you need both than be sad later),
Assuming you’re on a system that already trusts the re-signing certs your proxy uses, you should be able to move those out of the way (I renamed them to cacert.pem.orig) and symlink the bundle files to your system cacert store (eg
/etc/pki/tls/cert.pem on redhat-type systems,
You could also append the necessary certs to those bundle files directly (probably your corporate root cert and an intermediate cert).
Hope that helps you!