Matomo 4.7.1 core:archive ssl certificate problem - ssl

I have Matomo 4.7.1 installed on RHEL8 and am getting an error message when running the core archive.
/opt/matomo/matomo-4.7.1/plugins/GeoIp2/GeoIP2AutoUpdater.php(175): GeoIP2AutoUpdater: failed to download 'https://download.db-ip.com/free/dbip-city-lite-2022-03.mmdb.gz' to '/opt/matomo/matomo-4.7.1/tmp/latest/DBIP-City.mmdb.gz.download': curl_exec: SSL certificate problem: unable to get local issuer certificate. Hostname requested was: download.db-ip.com [Query: , CLI mode: 1]
Our company uses a self-signed cert and it is installed on this server; Apache and PHP both work as expected. I can use command-line curl to download the file given in the error message with no problems, but running the core archive always shows the error. I also added the option to accept invalid SSL certificates and that didn't help.
php /opt/matomo/matomo/console core:archive --url=https://myserver.com/matomo/ --accept-invalid-ssl-certificate
I also updated the php.ini file with the path to the PEM file and that didn't work.
curl.cainfo = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
Is there anything else I am missing or can check?

Turns out there is a config item for Matomo where you can set it to use your custom PEM file instead of the one included with Matomo.
https://forum.matomo.org/t/certificate-issues-during-update/30238/8
https://matomo.org/faq/troubleshooting/faq_34226/
To solve this issue, you are able to provide your own cacert file that trusts your proxy's certificate. To use your own file, follow these steps:
1. Upload your cacert.pem file in a folder on your server such as /path/to/your/cacert.pem
2. Add custom_cacert_pem = "/path/to/your/cacert.pem" to the [General] section of your config file config/config.ini.php.
3. Make sure the certificate is readable by your webserver.

Related

Installing Zscaler Certificate to Anaconda3

After the obligatory installation of Zscaler throughout the company, my Anaconda started giving me the SSL verification error while installing modules and while using requests to fetch URLs:
Error(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)'))': /simple/'some_module'/
SSLError: HTTPSConnectionPool(host='www.amazon.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
With Zscaler turned off it all works great, but the company policy does not allow that.
I found some bypasses like setting verify to False, but that is not what I want.
I would like to install the Zscaler certificate (which was provided to me by our IT department) into Anaconda.
Now the problem seems to be that it uses conda's generic certificates:
import ssl
print(ssl.get_default_verify_paths())
Output :
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='C:\ci\openssl_1581353098519\_h_env\Library/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='C:\ci\openssl_1581353098519\_h_env\Library/certs')
Any idea what I could possibly do to point conda to the Zscaler certificate that I have?
System info: Windows 10, Anaconda3 2020.02, Python 3.7
Thanks a lot in advance.
What you can do is:
Open a browser and go to www.google.com
Next to the reload page button, you will see a lock. Click on it.
Click on: Certificate
Click on the tab: Certification Path
Select Zscaler Root CA5 and then click on the View Certificate button
Click on the tab: Details and then click on the Copy to file button
Export the certificate choosing the Base-64 encoded X.509 (.CER) format
Choose a path where to save the file
Open Anaconda Prompt
conda config --set ssl_verify path_of_the_file_that_you_just_saved
Background
I ran into a similar issue with my work laptop, where Zscaler blocked my curl, git, and Anaconda traffic. The temporary fix was to disable SSL verification, but this introduces a number of security vulnerabilities such as man-in-the-middle attacks.
From what I could gather and my limited research, WSL2 doesn't have an automatic way of importing SSL certificates from the system.
https://github.com/microsoft/WSL/issues/5134
Solution
The long term solution is to get the Zscaler certificate and add it to your shell file. Run the following commands in WSL after getting the certificate and navigating to the directory.
echo "export SSL_CERT_FILE=<Path to Certificate>/ZscalerRootCA.pem" >> $HOME/.bashrc
which I got from
https://help.zscaler.com/zia/adding-custom-certificate-application-specific-trusted-store#curl-SSL_CERT_FILE
They have more commands for other applications
If you use any other shell, make sure to change .bashrc to the path of that shell's configuration file. In my case I use fish, so I replaced $HOME/.bashrc with $HOME/.config/fish/config.fish
echo "export SSL_CERT_FILE=<Path to Certificate>/ZscalerRootCA.pem" >> $HOME/.config/fish/config.fish
After adding the certificate, make sure to reload the shell. In my case, following the instructions from jeffmcneil, I ran
source ~/.config/fish/config.fish
for bash, you would want to run
source ~/.bashrc
or
. ~/.bashrc
from
https://stackoverflow.com/a/2518150/16150356
Solution for Windows OS
After your Zscaler root cert is installed in the Windows trusted root store, just install pip-system-certs, the successor to python-certifi-win32, which is no longer maintained. Both packages are available from either PyPI or conda-forge, so use either pip, conda, or mamba to install pip-system-certs into every Python environment in which you use the Requests package. The pip-system-certs package patches certifi at runtime to use the Windows trusted root store. This solves the issue for the requests package without resorting to setting $REQUESTS_CA_BUNDLE and/or editing your cacert.pem files.
Solution for Ubuntu
Copy the Zscaler root certificate file (it must have a .crt ending and be in PEM format) to /usr/local/share/ca-certificates and use sudo update-ca-certificates to update your /etc/ssl/certs/ca-certificates.crt file. However, even then, pip-system-certs doesn't quite seem to work, so add export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt to your .profile and restart your shell.
For more information read the following:
Requests uses the certifi CA Certificate bundle
Certifi, a "carefully curated" bundle of CA certs
install CA certificate in Ubuntu trusted root store
Zscaler help, adding custom certificate root stores
installing custom root stores
WARNING: I do not recommend editing any Python cacert.pem files. Note that they are all linked, so editing one edits all, and your mamba/conda solver may complain that your package cache is invalid because the file size changed due to your edits. Look in each environment's ssl/ folder, including the base env, and in the base env's pkgs/ca-certificates-<date> files. On Windows OS, cacert.pem is in Library\ssl instead of ssl/. Finally, the cacert.pem file will be overwritten if/when you install or update the Python certifi package, so editing it is really not the ideal solution. A better alternative would be to put your Zscaler root cert in a new ssl/ folder in your home directory and set $REQUESTS_CA_BUNDLE to that location. If your company is using Zscaler, then I think it's the only root cert you need.
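Both the Matomo answer (custom_cacert_pem pointing at your own PEM file) and the last answer above (a bundle under your home directory referenced by $REQUESTS_CA_BUNDLE) amount to the same thing: build a CA bundle you control instead of editing the vendored cacert.pem. The following is an added example, not code from either thread or from Matomo, conda, certifi or requests; it assembles such a bundle from PEM text, de-duplicates by DER fingerprint so re-running it never grows the file, asks OpenSSL whether the result actually loads, and shows the environment-variable precedence requests uses. The "certificates" in it are constructed placeholders (valid PEM framing around bytes that are not a certificate), which is why the load check reports failure on them.

```python
"""Build and sanity-check a custom CA bundle (added example; placeholders are not real certs)."""
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_bundle(text):
    """Return [(sha256 hex of DER, canonical PEM block)] for each certificate in `text`.

    Raises ValueError when a block's body is not valid base64, the usual symptom of a
    truncated or mis-pasted .crt/.pem file.
    """
    certs = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)
        fingerprint = hashlib.sha256(der).hexdigest()
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        block = f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
        certs.append((fingerprint, block))
    return certs


def merge_bundles(*bundle_texts):
    """Concatenate bundles in order, keeping the first copy of each certificate.

    De-duplication is by DER fingerprint, not text, so appending the corporate root
    to a bundle that already contains it is a no-op.
    """
    merged = {}
    for text in bundle_texts:
        for fingerprint, block in parse_pem_bundle(text):
            merged.setdefault(fingerprint, block)
    return "".join(merged.values())


def bundle_loads(pem_text):
    """Ask OpenSSL (through ssl.SSLContext) whether it accepts the bundle.

    Returns (True, "ok") or (False, error text). Running this before pointing
    REQUESTS_CA_BUNDLE / SSL_CERT_FILE at the file turns a confusing failure at
    request time into an immediate, readable one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=pem_text)
    except ssl.SSLError as exc:
        return False, str(exc)
    return True, "ok"


def requests_ca_bundle(environ):
    """Bundle the requests library uses for verify=True, mirroring its documented order:
    REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, otherwise certifi's bundle (returned as None).
    Tools that use OpenSSL directly (curl, Python's default ssl context) read SSL_CERT_FILE
    instead, which is why the thread sets that variable as well.
    """
    return environ.get("REQUESTS_CA_BUNDLE") or environ.get("CURL_CA_BUNDLE") or None


def placeholder_pem(label):
    """Constructed placeholder: PEM framing around bytes that are NOT a certificate."""
    b64 = base64.b64encode(f"placeholder DER bytes for {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample input: stand-ins for the distro/certifi bundle and the corporate root.
SYSTEM_BUNDLE = placeholder_pem("public root 1") + placeholder_pem("public root 2")
CORPORATE_ROOT = placeholder_pem("Zscaler Root CA")

if __name__ == "__main__":
    custom = merge_bundles(SYSTEM_BUNDLE, CORPORATE_ROOT, CORPORATE_ROOT)
    print(f"{len(parse_pem_bundle(custom))} certificates in custom bundle")
    ok, detail = bundle_loads(custom)
    print("OpenSSL accepts bundle:", ok, "" if ok else f"({detail})")
    # With real certificates you would write `custom` to e.g. ~/ssl/custom-ca-bundle.pem
    # and export REQUESTS_CA_BUNDLE and SSL_CERT_FILE to that path (assumed location).
```

With real inputs, pass the contents of /etc/ssl/certs/ca-certificates.crt (or certifi's cacert.pem) as the first argument and the exported Zscaler root as the second; the merged file is what custom_cacert_pem, REQUESTS_CA_BUNDLE or SSL_CERT_FILE should point at.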

SSL : Testing Server Side certificates using Jmeter

I am working on setting up SSL to secure my endpoints. I got a test certificate created by my org.
I have received a .pfx file.
I converted it into .pem -----> .der -------> .jks format.
We have basic infrastructure to put this .jks file in a folder called ssl and it gets picked up just by using a config file.
Next I set up JMeter to test this. Steps followed:
1. Set up a test recorder, then set up an HTTP GET request that takes no parameters.
2. Changed protocol to https, gave the port number, set up host and path. This is correct as I have tested it with http and it returns fine.
Now when I try to test it I get a Certificate_Unknown error.
I have tried searching the internet and Stack Overflow articles about testing SSL. I also stumbled upon an article which says I need to add the certificate to my JAVA_HOME cacerts. I have not been able to successfully test it. Any pointers to what I might be doing wrong, or whether I could test it in some other way, would be very helpful.
I am comparatively new to SSL concepts and just learnt about formats, SSL etc.
Thanks in advance. :)
You don't need to convert the .pfx file into .jks, as .pfx files are basically PKCS#12 certificates and JMeter supports them out of the box.
I fail to see where you "tell" JMeter to use the certificate. If your "basic infrastructure to put this .jks file in a folder called ssl and it gets picked up just by using a config file" stanza is related to JMeter, you should address this question to the "infrastructure" providers. Otherwise you need to explicitly configure JMeter to use the certificate. Just add the next lines to the system.properties file:
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/certificate.pfx
javax.net.ssl.keyStorePassword=your certificate password
JMeter restart will be required to pick the properties up.

SSL cert works in SOAPUI but not in Jmeter2.13

I am testing client-server over secured connection.
I loaded the keystore cert into SOAPUI and was able to connect to my server's component. However, when I configure the same keystore cert in JMeter v2.13, I am getting this error:
Response code: Non HTTP response code: javax.net.ssl.SSLHandshakeException
Response message: Non HTTP response message: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
I've referred to many suggestions I found and have
configured the path to my keystore and password in JMeter's system.properties and added the 'Keystore Configuration'.
Can anyone shed light on this?
After searching for an answer I found the answer here. Potentially there are a few installations on my local machine.
My issue was because I have java.security in the following directories:
C:\Program Files (x86)\Java\jre1.8.0_73\lib\security
C:\Program Files\Java\jdk1.8.0_101
C:\Program Files\Java\jre1.8.0_101\lib\security
So, I've edited the value in java.security of C:\Program Files\Java\jre1.8.0_101\lib\security and I was able to send SOAP over https.
Having solved the problem, I do hope someone is able to explain to me why my client looks for settings in the JRE but not the JDK.

How to use the Comodo certificate in Web2py?

When using web2py, it asks for a single SSL certificate file.
But what I got from Comodo are two files, one .crt file and one .ca-bundle file.
I tried providing only the .crt file when setting up web2py; in the beginning it works. But when I go to my website another day, it shows "This certificate cannot be verified up to a trusted certification authority."
My suspicion is that this is related to not using the .ca-bundle file. So does anyone know how to use both files in the web2py settings?
Finally got it working!
It turns out that the web2py 'One step production deployment' script is not complete. It leaves out the 'SSLCertificateChainFile' option when it configures the Apache server.
So adding this line:
SSLCertificateChainFile path_to_your_ca-bundle_file
below the line 'SSLCertificateKeyFile /etc/apache2/ssl/self_signed.key' will do the work.

curl certificate Error_ssl.c334: No root certificate specified for verification of other side certificate

"""You also need CA certificates bundle file for SSL support. Download cacert.pem from the cURL site, rename it to curl-ca-bundle.crt, and place in the directory where you make installer, or in any directory listed in PATH environment variable."""
I did the same and stored it in "c:\python27",
but it gives me the following error:
value "C:\Python27\caret.pem" is not valid for "ssl.ca_certs"
No valid trusted SSL CA file set. See 'bzr help ssl.ca_certs' for more information on setting trusted certificates.
I got past this error by skipping the rename step.
I downloaded cacert.pem to "C:\Python27\" (no name change) and these errors went away.