Curl_exec: SSL: invalid CA certificate #1 (offset 0) in bundle

Travers_Utt · January 10, 2017, 6:16pm

I am seeing the following error several times on the Admin page:

curl_exec: SSL: invalid CA certificate #1 (offset 0) in bundle. Hostname requested was: plugins.piwik.org

I understand this is an SSL error but with the plugins domain?

I am also getting this error when I attempt to upgrade. The upgrade reports “failed” but proceeds anyway (and seems to work fine).

Any ideas?

scirocco · January 30, 2017, 10:46am

I got the same error

I’m on MacOsx 10.12.2

Anyone can help me?

gfive · February 16, 2017, 2:45pm

I get the same problem, also running Mac OS X 10.11

sbnoble · February 21, 2017, 3:38pm

Same under 10.11.6 Server.

FWIW, running “curl https://plugins.piwik.org/” on the command line works without error, so perhaps this has something to do with the PHP curl_exec function.

gfive · February 28, 2017, 9:44am

@sbnoble, same here…

Marketplace = curl_exec: SSL: invalid CA certificate #1 (offset 0) in bundle. Hostname requested was: plugins.piwik.org
Plugin install = curl_exec: SSL: invalid CA certificate #1 (offset 0) in bundle. Hostname requested was: plugins.piwik.org
main screen administration = curl_exec: SSL: invalid CA certificate #1 (offset 0) in bundle. Hostname requested was: plugins.piwik.org

Checked with: SSL Server Test (Powered by Qualys SSL Labs) and got an A. chain and all are ok. So maybe it’s not us but Piwik.

Checked curl -v https://plugins.piwik.org and curl -v https://mydomain Both are ok. So I starting to think that curl in my php is not right or broken… will try a php upgrade

Piwik version: 3.0.1
MySQL version: 5.5.5
PHP version: 5.6.24 (tried newer version 5.6.30 and php7)

gfive · February 28, 2017, 4:04pm

Yes!!! Found the solution.

$ php -i | grep “SSL Version”

I suspect you’ll see this:

SSL Version => SecureTransport

And that’s the problem. OS X is using SecureTransport and NOT OpenSSL.
Simple solution: http://stackoverflow.com/questions/26461966/osx-10-10-curl-post-to-https-url-gives-sslread-error

So or you have to follow those steps (not complicated If you do a bit more with your osx) or Piwik has to add SecureTransport.

scirocco · March 6, 2017, 4:57pm

Many thanks gfive for this solution.
I don’t know if this is also the problem that affects https tracking. My Piwik is able to track only http pages. Can you give me feedback on this?
Thanks

Travers_Utt · March 9, 2017, 8:43pm

I’m also on Mac OS X, 10.11

sean · May 23, 2017, 3:06pm

I saw the same updating from 2 to 3, but dismissed it as a quirk of a major upgrade.

I’m seeing it again now trying to update from 3.0.3 to 3.0.4. I’m also on Mac OS X 10.11.6 using Server.app and their built-in PHP, cURL, etc.

curl -v https://builds.piwik.org

reports no cert problems.

Both: php -i | grep “SSL Version” and curl -V report using SecureTransport.

Is this a piwik bug or OS bug or…?

Thanks.

sean · May 24, 2017, 2:27pm

I’ve just found there is bug report open for this issue: