Fix SSL issue in archive.php #2943

Closed
anonymous-piwik-user opened this Issue · 11 comments

4 participants

@anonymous-piwik-user

Occurs using a SSL secured PIWIK installation.

  • Windows Server 2008 R2, x64
  • IIS7, PHP 5.3

The archive.php script fails displaying an error:
curl:SSL3_GET_SERVER_CERTIFICATE SSL certificate problem, verify that the CA cert is OK.

The following hack solves this issue:
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);

Please fix this issue or explain a more secure workaround in the docs. Thanks.

@mattab
Owner

Was your SSL certificate valid?

Should we accept non-valid SSL certificates by default? Or should we have a new parameter --accept-invalid-certificate?

@ziegenberg

Can be reproduced on Linux as well with Apache 2.2.15 and PHP 5.3.2.

The archive.php script fails with the following error:

Got invalid response from API request: https://[...] .
Response was 'curl_exec: SSL: certificate subject name 'domain1.example.com' does not match target host name 'domain2.example.com''

As everything happens within our Firewall we are absolutely OK with accepting the non-valid SSL cert.

+1 for --accept-invalid-certificate

@anonymous-piwik-user

+1 for --accept-invalid-certificate or another config option.

@robocoder
Collaborator

Please fix this issue or explain a more secure workaround in the docs

"more secure"? Wouldn't disabling the SSL verification be a contradiction?

I'm marking this as a duplicate of #1867.

@robocoder
Collaborator

sorry, #1867 has more scope.

@mattab
Owner

I think it's worth fixing. The problem lies with the new feature force_ssl=1 - that currently breaks archive.php - broken features are not good, so we need this option.

@robocoder
Collaborator

I disagree.

I would prefer that sites that use a self-signed cert make the necessary server config changes to trust their cert as in this how-to:

http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/

@anonymous-piwik-user

The following hack solves this issue:

  curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0); 
  curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0); 

Unfortunately, this is not sufficient. In https://github.com/piwik/piwik/blob/master/misc/cron/archive.php#L234 there is a call to request(url) and this in turn calls Piwik_Http::sendHttpRequestBy. And I actually do not like to fiddle around with https://github.com/piwik/piwik/blob/master/core/Http.php#L89 as I guess this could have side effects.

For now I disabled the cron archiving.

I would prefer that sites that use a self-signed cert make the necessary server config changes to trust their cert as in this how-to:

http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/

I do not have superuser access to my piwik site (which also runs on FreeBSD). If you can outline / document how to set this up for just the user who runs archive.php I am happy to do this. But this looks pretty complicated to me, via $HOME/.ssl or something.

+1 for --accept-invalid-certificate as an option for archive.php

@anonymous-piwik-user

Hi all

We have a VALID SSL certificate!
The issuer is Equifax (trusted by all of my browsers, i.e. FF, Chrome, Opera & IE).
That's why I've opened a Ticket.

I agree that a self-signed certificate shouldn't be trusted by default.

Regards

@robocoder
Collaborator

FellmerLloyd: in your case, php's curl+openssl doesn't know how to validate the certificate chain. You just need to drop a copy of cacert.pem into your piwik/core/DataFiles/ directory. You can get the latest version from:

That said, I believe Matt is considering a more general fix (e.g., checking to see if run from php-cli) that would avoid adding yet another config option.

@mattab
Owner

(In [5884]) Fixes #2943

  • adding --accept-invalid-ssl-certificate
  • I decided to commit this, to work around the broken feature. It is not a good practice to use an invalid certificate.
  • Instead, you should drop a copy of cacert.pem into your piwik/core/DataFiles/ directory. You can get the latest version from: http://curl.haxx.se/ca/cacert.pem

I decided to fix this because I believe that using an invalid SSL certificate is still better than not using SSL.
Assuming users are happy to add this argument, piwik should be able to work without breaking.
However, it is clearly not recommended, as highlighted in the --help output...
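To make the two outcomes of this thread concrete, here is an added example (not Piwik's code, not the archive.php or Piwik_Http::sendHttpRequestBy implementation) of how a PHP curl request can keep certificate verification on by pointing curl at a CA bundle such as the cacert.pem mentioned above, while still offering an explicit, loudly logged opt-out that mirrors the --accept-invalid-ssl-certificate flag. The function name, the bundle path and the request URL are assumptions; the code avoids PHP 5.4+ syntax so it matches the PHP 5.3 installations described in the thread.

```php
<?php
// Added example, not Piwik's own code. Demonstrates the fix discussed in
// this issue: trust a CA bundle (CURLOPT_CAINFO) instead of disabling
// verification, with an explicit opt-out equivalent to
// --accept-invalid-ssl-certificate. Names and paths are assumptions.

function fetch_with_verification($url, $caBundlePath, $acceptInvalidCert = false)
{
    if (!$acceptInvalidCert && !is_readable($caBundlePath)) {
        // Fail closed: without a readable bundle curl cannot build the chain,
        // which is the "verify that the CA cert is OK" error from the report.
        throw new RuntimeException("CA bundle not readable: $caBundlePath");
    }

    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    $opts = array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 30,
        // VERIFYPEER: validate the chain against the bundle.
        // VERIFYHOST=2: require the certificate name to match the host,
        // which is the check that produced the "subject name does not match
        // target host name" error quoted above.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundlePath,
    );

    if ($acceptInvalidCert) {
        // Opt-out path, equivalent to --accept-invalid-ssl-certificate.
        // Kept explicit and logged so it never becomes a silent default.
        error_log("WARNING: TLS certificate verification disabled for $url");
        $opts[CURLOPT_SSL_VERIFYPEER] = false;
        $opts[CURLOPT_SSL_VERIFYHOST] = 0;
        unset($opts[CURLOPT_CAINFO]);
    }

    curl_setopt_array($ch, $opts);
    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false) {
        // Chain and hostname verification failures surface here as a
        // non-zero curl_errno with a descriptive message.
        throw new RuntimeException("curl_exec: [$errno] $error");
    }

    return array('status' => $status, 'body' => $body);
}

// Usage mirroring the archive.php situation (placeholder URL and path).
$caBundle      = __DIR__ . '/core/DataFiles/cacert.pem';
$args          = isset($argv) ? $argv : array();
$acceptInvalid = in_array('--accept-invalid-ssl-certificate', $args, true);

try {
    $resp = fetch_with_verification(
        'https://piwik.example.com/index.php?module=API&method=API.getPiwikVersion',
        $caBundle,
        $acceptInvalid
    );
    echo "HTTP {$resp['status']}\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

For the case of a valid commercially issued certificate that curl still rejects, as in the Equifax report above, the CURLOPT_CAINFO line is the whole fix: the chain is fine, curl simply has no trust store to check it against. For a self-signed certificate inside a firewall, the same option works if the bundle file is the site's own certificate (or the private CA that issued it) rather than the public cacert.pem, which keeps host-name and chain checks active without touching the system trust store.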

This issue was closed.