Document the use of a matomo specific cacert.pem and allow to disable this behaviour · Issue #13742 · matomo-org/matomo · GitHub
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document the use of a matomo specific cacert.pem and allow to disable this behaviour #13742

Closed
fdellwing opened this issue Nov 21, 2018 · 7 comments · Fixed by #14113
Closed

Comments

@fdellwing
Copy link
Contributor

Follow up from https://forum.matomo.org/t/certificate-issues-during-update/30238/7

  1. Please document this behaviour somewhere. I was not aware of this fact until @mattab pointed it out.
  2. Add on option to disable this behaviour, it does not need to be accessible via UI but should be doable via config.php.
@brettp
Copy link

brettp commented Feb 13, 2019

This just took hours of time to debug. The thread linked above doesn't have a resolution because the OP and Matomo dev switched to email.

Is this considered a bug? Is it being worked on? Will a PR help?

From a user perspective, it's unexpected for Matomo to disregard globally installed system certs. This is not a good practice, and actually masks the real problem in the situation it's meant to address ("an endless number of people who can’t use Matomo because they are using an outdated os and don’t have the Let’s Encrypt certificate") .

@fdellwing
Copy link
Contributor Author

fdellwing commented Feb 13, 2019

This is not considered a bug and there are no plans to change the behaviour. But there definitely has to be an blog article describing the problem and what to do and an advanced option to disable this feature.

The solution for you is to add your trusted cert to core/DataFiles/cacert.pem.

The new option could definitely be added via a PR.

@brettp
Copy link

brettp commented Feb 13, 2019

I'd argue this needs to be addressed not in a generic blog post, but when the problem presents itself: the error messages. It's common and easily Google-able knowledge to update the global certs and php.ini for that curl error, but Matomo's unorthodox config is almost completely undiscoverable by searching.

If it is a blog post, it'd do well to be pinned to the top of every page in large, flashing, red text...

@tsteur
Copy link
Member

tsteur commented Feb 13, 2019

Instead of allowing to disable it (or additionally), would it be helpful to retry if the request fails without the cacert?

@brettp
Copy link

brettp commented Feb 13, 2019

If it retries using the system ca, yes! But it'd also be useful to be able to set a config value to a cert path, and to alert the user to do so if a retry is successful

@fdellwing
Copy link
Contributor Author

@tsteur That would be a good addition to the config option :)

fdellwing pushed a commit to fdellwing/matomo that referenced this issue Feb 18, 2019
fdellwing pushed a commit to fdellwing/matomo that referenced this issue Feb 18, 2019
fdellwing pushed a commit to fdellwing/matomo that referenced this issue Feb 18, 2019
tsteur pushed a commit that referenced this issue May 5, 2019
* fixes #13742

* add explaining text

* minor tweak as in past we had sometimes trouble accessing Config::getInstance()->General['custom_cacert_pem'] directly on some systems

shouldn't be an issue anymore, but better be safe.
@mattab
Copy link
Member

mattab commented Jun 29, 2019

see FAQ documenting new INI setting: https://matomo.org/faq/troubleshooting/faq_34226/ (will be available in 3.10.0)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants