Upgrade Error 2.12.0 - 2.12.1


#1

On my Plesk box, I got this error when trying to upgrade from 2.12.0 - 2.12.1

curl_exec: Unknown SSL protocol error in connection to builds.piwik.org:443 . Hostname requested was: builds.piwik.org

Thanks!


(Matthieu Aubry) #2

Hi there,

Did you then see an option to auto-update over non secure HTTP, and did this work for you?


#3

Nope just the same 2 buttons as always. Update Automatically and Download 2.12.1 and then the Back to Piwik link.


(bolero) #4

Got the same error, it’s not related to Plesk (we don’t use Plesk). No option for http given. 301 Moved Permanently shows a solution. Apparently, the updates were done over http in the past and now it went to https and curl isn’t set up to use it, e.g. it has no root certificates pre-installed. http://curl.haxx.se/ca/cacert.pem seems to be a bundle of root certificates that come preinstalled with Firefox.
Shouldn’t there already be a bundle for curl or other command line tools and shouldn’t this work without explicitly specifying in php.ini? e.g. according to ssl certificate - Default CA Cert Bundle Location - Server Fault the path on our system is /etc/pki/tls/certs/ca-bundle.pem. After looking the file name is different and it’s actually /etc/pki/tls/certs/ca-bundle.crt. Shouldn’t curl via php be using this location? I’ll try to add this path to php.ini, but the correct solution in my eyes would be to make curl use the default location as the cert is already there (and getting automatically updated!). Or is it a PHP bug? (I think we use 5.5.22).

Ok, one hour later, I had some time to test the php.ini solution. It doesn’t work for me.
I added
curl.cainfo="/etc/pki/tls/certs/cacert.crt" (original, dated Jan. 2015)
curl.cainfo="/etc/pki/tls/certs/cacert.pem" (downloaded from haxx.se, dated Feb. 2015)
I tried with [curl] and without before the entry.
Of course, I restarted httpd.
Accidentally, I mistyped the path once and got another error (it wasn’t able to find the path), so I think curl.cainfo does work and I actually think the default location without any cainfo does work, too. Work = it is using the CA info either way. But either the CA bundle (both of them!) doesn’t contain the necessary root CA or there is something else throwing this error.


(bolero) #5

OK, it’s not a certificate issue and I wonder why it worked for the guy in the other thread (addition: ok, his screenshot was so small that, first, I couldn’t actually read the error, now it’s clear, he got another error). I tried directly with curl and I get the same error. If it’s a certificate error curl tells you and you can overcome it with -k.


curl -o piwik.latest.tar.gz https://builds.piwik.org/piwik-latest.tar.gz -k
curl: (35) Unknown SSL protocol error in connection to builds.piwik.org:443

It’s also not an issue that SSL 2 is not enabled on the server (curl says it tries with SSL2). I’ve shut 2 and 3 off on my own servers as well, but curl can download from there. I think there’s something else in the server setup that makes it fail.

This is the normal handshake:

  • SSLv2, Client hello (1):
    SSLv3, TLS handshake, Server hello (2):
    SSLv3, TLS handshake, CERT (11):

with builds.piwik.org I get only the first line and then the protocol error.
The client is


curl/7.15.5 (i386-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5

That’s the standard, patched curl/OpenSSL on CentOS 5.latest.


#6

I’m also running the latest CentOS. My other box has Ubuntu on it and the upgrade was fine.


(bolero) #7

You mean 5.latest or latest (=7.latest) ?


#8

My bad! CentOS 5.11 (Final)


(bolero) #9

Then I would suggest that there’s something set on the server that our OpenSSL doesn’t like. According to Qualys SSLLabs test it’s actually weaker set up than my own servers. Piwik staff: please investigate.


#10

Same issue here.


#11

Same here. Unable to update.


#12

Same here


(Matthieu Aubry) #13

Hi guys,

All of you who have the issue, are you using CentOS as well? I created an issue in: Auto update over HTTPS can fail · Issue #7576 · matomo-org/piwik · GitHub
Feel free to report there any more information you may have.


#14

I’m on CentOS 5.11


#15

I am on Windows 2012R2 x64


#16

I am on CentOS 5.11 (Final) and can’t update


(bolero) #17

Net4u, are you sure you are not getting the certificate error that was solved in the thread I referenced earlier? That error was also on the Windows platform. Apparently, certain curl packages on it get installed without a cert bundle.


#18

I tried but seems to have no effect.


(bolero) #19

net4u, it depends on the error. Do you get the “Unknown SSL protocol error” or something else? I just want to make sure, whether this affects other platforms than CentOS 5 or not.


#20

After doing the Curl stuff as suggested I have:
curl_exec: error setting certificate verify locations: CAfile: D:\Crypto\cacert.pem CApath: none. Hostname requested was: builds.piwik.org
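
Added example, not part of any post in this thread: the errors reported above fall into different classes, and only some of them can be affected by a CA bundle or `curl.cainfo`. The function names are hypothetical; the curl exit codes (35, 60, 77) and the OpenSSL release thresholds are general facts, and the thread itself does not establish that the protocol ceiling is the cause of the failure.

```shell
#!/bin/sh
# Added example: triage of the curl TLS failures quoted in this thread.

# Classify one curl CLI or PHP curl_exec error message:
#   handshake   - negotiation failed before any certificate check (curl 35);
#                 a CA bundle or -k cannot change the outcome
#   cert-verify - chain received but not trusted (curl 60)
#   ca-file     - configured CA file/path could not be loaded (curl 77)
classify_curl_error() {
    msg=$1
    # The CLI prints "curl: (NN) text"; the PHP message carries no number.
    code=$(printf '%s\n' "$msg" | sed -n 's/^curl: (\([0-9][0-9]*\)).*/\1/p')
    case $code in
        35) echo handshake; return ;;
        60) echo cert-verify; return ;;
        77) echo ca-file; return ;;
    esac
    case $msg in
        *"SSL protocol error"*|*"handshake failure"*) echo handshake ;;
        *"error setting certificate verify locations"*) echo ca-file ;;
        *"certificate problem"*|*"certificate verify failed"*) echo cert-verify ;;
        *) echo unknown ;;
    esac
}

# Highest TLS version the OpenSSL release named in a curl version banner
# implements: 1.0.1 added TLS 1.1/1.2, 1.1.1 added TLS 1.3.
max_tls_from_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9.]*\).*|\1|p')
    [ -n "$ver" ] || { echo unknown; return; }
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    n=$(( $1 * 10000 + ${2:-0} * 100 + ${3:-0} ))
    if [ "$n" -ge 10101 ]; then echo TLSv1.3
    elif [ "$n" -ge 10001 ]; then echo TLSv1.2
    else echo TLSv1.0
    fi
}

# Messages quoted from posts #1, #5 and #20, then the banner from post #5.
for m in \
    'curl_exec: Unknown SSL protocol error in connection to builds.piwik.org:443 .' \
    'curl: (35) Unknown SSL protocol error in connection to builds.piwik.org:443' \
    'curl_exec: error setting certificate verify locations: CAfile: D:\Crypto\cacert.pem CApath: none.'
do
    printf '%-11s %s\n' "$(classify_curl_error "$m")" "$m"
done
max_tls_from_banner 'curl/7.15.5 (i386-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5'
```

A `handshake` result means the fix lies in the client's TLS library or the server's protocol settings, while `ca-file` points at the path given in `curl.cainfo` rather than at the contents of the bundle.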