sslmatomorhel8

Matomo 4.7.1 core:archive ssl certificate problem


I have Matomo 4.7.1 installed on RHEL8 and am getting an error message when running the core archive.

/opt/matomo/matomo-4.7.1/plugins/GeoIp2/GeoIP2AutoUpdater.php(175): GeoIP2AutoUpdater: failed to download 'https://download.db-ip.com/free/dbip-city-lite-2022-03.mmdb.gz' to '/opt/matomo/matomo-4.7.1/tmp/latest/DBIP-City.mmdb.gz.download': curl_exec: SSL certificate problem: unable to get local issuer certificate. Hostname requested was: download.db-ip.com [Query: , CLI mode: 1]

Our company uses a self signed cert and it is installed on this server and Apache and PHP both work as expected. I can use command line curl to download the file given in the error message with no problems, but running the core archive always shows the error. I also added the option to accept invalid ssl certificates and that didn't help.

php /opt/matomo/matomo/console core:archive --url=https://myserver.com/matomo/ --accept-invalid-ssl-certificate

I also updated the php.ini file with the path to the pem file and that didn't work.

curl.cainfo = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

Is there anything else I am missing or can check?


Solution

  • Turns out there is config item for Matomo where you can set it to use your custom pem file instead of the one included with Matomo.

    https://forum.matomo.org/t/certificate-issues-during-update/30238/8https://matomo.org/faq/troubleshooting/faq_34226/

    To solve this issue, you are able to provide your own cacert file that trusts your proxies certificate. To use your own file, follow these steps:
    
    1. Upload your cacert.pem file in a folder on your server such as /path/to/your/cacert.pem
    2. Add custom_cacert_pem = "/path/to/your/cacert.pem" to the [General] section of your config file config/config.ini.php.
    3. Make sure the certification is readable by your webserver.