Problems archiving with self-signed SSL


#1

I was trying to run the archive scripts. First I tried the archive.sh script, but noticed that whilst it didn’t complain about anything, it didn’t really seem to do anything either… Inspecting it a little closer, I noticed it wasn’t able to pick up values correctly, for example:


CMD_TOKEN_AUTH="$PHP_BIN -q $PIWIK_PATH -- module=API&method=UsersManager.getTokenAuth&userLogin=$PIWIK_SUPERUSER&md5Password=$PIWIK_SUPERUSER_MD5_PASSWORD&format=php&serialize=0"
TOKEN_AUTH=`$CMD_TOKEN_AUTH`
echo $TOKEN_AUTH  # this outputs nothing, even though all parameters (e.g. md5 are correct)

#TOKEN_AUTH was empty…

I then tried to run the archive php on my browser using:

https://piwik.my-site.com/misc/cron/archive.php?token_auth=xxxxxx

But then I noticed that the script complains with several errors like this:

ERROR: Got invalid response from API request: https://piwik.my-site.com/index.php?module=API&method=VisitsSummary.getVisits&idSite=1&period=day&date=last52&format=php&token_auth=xxxxx&trigger=archivephp. Response was ‘curl_exec: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed’

I am using a self-signed certificate for piwik, and have set my browser to always trust it. This way, I still get SSL protection without having to pay for the certificate. My browser is quite happy with this, and I can also instruct CURL to ignore any certificates with the -k switch, but the archive.php script seems to fail…

Any suggestions on how to resolve this (without having to buy an official certificate)? Is there a way to tell piwik to trust my certificate, or ignore certificate errors? Or some different way to run the php script from the command line?

Thanks in advance!


(Matthieu Aubry) #2

The solution is to call the archive.php script in the command line with cron, and set the parameter: --accept-invalid-ssl-certificate

but we recommend buying an SSL certificate if you want to ensure SSL security


#3

Thanks Matt,

I have tried running both the archive.sh with this parameter, and the archive.php, but neither seem to work for me. The php returns nothing (very quickly), and the archive.sh returns this (also very quickly):


Starting Piwik reports archiving...

Reports archiving finished.
---------------------------
Starting Scheduled tasks...


Finished Scheduled tasks.

I don’t see a reason why I would need to buy a certificate. Only two people use piwik currently to view the reports, and both have the certificate installed on their browser. That’s just as secure as using a publicly-signed certificate. Other than that, all updates via the javascript go via http anyway and don’t require SSL.

Can you give me the exact command I should run?? Perhaps I’m not running it correctly.


(Matthieu Aubry) #4

What command are you running?


#5

I was trying:


archive.sh --accept-invalid-ssl-certificate

and also


php archive.php --accept-invalid-ssl-certificate -- url=https://piwik.my-domain.com/

and also various combinations where the accept-invalid-ssl-certificate comes after the url, with or without -- etc… All seems to just return with no errors or any positive or negative indication…

I’d love to know what’s the correct command to run if possible. Thanks again Matt!


(Matthieu Aubry) #6

Please paste the full output of the script in pastebin.com or similar


#7

I don’t understand. I’m using the script provided by piwik. I didn’t write it…


(Matthieu Aubry) #8

I mean paste the output of the execution of the script (the full text written out) in here


#9

Ah, as I said before, the output of the archive.sh is this:


Starting Piwik reports archiving...

Reports archiving finished.
---------------------------
Starting Scheduled tasks...


Finished Scheduled tasks.

There’s no output from running the php script.


(Matthieu Aubry) #10

No output? That’s surprising.

Can you check your error logs?
Also try chmod 777 path/to/piwik/tmp/ on the tmp folder which might help?


#11

Thanks Matt,

I executed the chmod to the tmp folder as you asked, but I’m not sure which error log to look for? It still returns nothing back.

I couldn’t find anything on my web server logs, but it’s hard without knowing which log file or which pattern to search for.


#12

I ended up monkey-patching the code and adding:


@curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

in core/Http.php


                else if($method == 'curl')
                {
                        $ch = @curl_init();
                        @curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

and also in a couple of places in archive.php - and now I can at least run this from the browser.

Perhaps there should be a config option to disable SSL verification, and then this statement can be conditional in those (and maybe other) contexts where curl is used?
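
An alternative to the patch above that keeps certificate verification on, as an added example that is not part of the original thread or of Piwik's code: it gives cURL the self-signed certificate as its only trust anchor through CURLOPT_CAINFO and raises the cURL error instead of returning nothing. The function name fetchPinned() and the certificate path are assumptions.

```php
<?php
// Added example, not Piwik code. fetchPinned() and the PEM path are hypothetical.

/**
 * Fetch $url over HTTPS, trusting only the certificate(s) in $caFile.
 * For a self-signed server, $caFile is the server's own certificate in PEM form.
 */
function fetchPinned(string $url, string $caFile, int $timeout = 30): string
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_SSL_VERIFYPEER => true,    // keep chain verification on
        CURLOPT_SSL_VERIFYHOST => 2,       // certificate name must match the host in $url
        CURLOPT_CAINFO         => $caFile, // trust anchor: the self-signed certificate
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Surface the TLS/transport failure so the caller never sees silent empty output.
        throw new RuntimeException(
            sprintf('curl error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}

// Usage with constructed values: the host from the thread and a placeholder PEM path.
try {
    echo fetchPinned('https://piwik.my-site.com/index.php', '/path/to/piwik-selfsigned.pem');
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

With this configuration a request still fails if the server presents any certificate other than the one in the PEM file, or if the host name in the URL does not match the certificate.
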


(Matthieu Aubry) #13

There is an option already: --accept-invalid-ssl-certificate

but it should have reported the error message instead of none, strange!


#14

Thanks for not giving up, Matt!

I think my archive.php wasn’t upgraded properly. I reinstalled piwik 1.7.1 and now things are running ok with this switch :)

In case this helps anybody, you can run it with this command:


php /path/to/your/piwik/misc/cron/archive.php --accept-invalid-ssl-certificate -- url=https://piwik.your-site.com/

Thanks again!!