Upgrade Error 2.12.0 - 2.12.1

Average_Joe · March 27, 2015, 4:29pm

On my Plesk box, I got this error when trying to upgrade from 2.12.0 - 2.12.1

curl_exec: Unknown SSL protocol error in connection to builds.piwik.org:443 . Hostname requested was: builds.piwik.org

Thanks!

matthieu · March 27, 2015, 9:26pm

Hi there,

Did you then see an option to auto-update over non secure HTTP, and did this work for you?

Average_Joe · March 27, 2015, 10:50pm

Nope just the same 2 buttons as always. Update Automatically and Download 2.12.1 and then the Back to Piwik link.

bolero · March 28, 2015, 2:30pm

Got the same error, it’s not related to Plesk (we don’t use Plesk). No option for http given. 301 Moved Permanently shows a solution. Apparently, the updates were done over http in the past and now it went to https and curl isn’t set up to use it, e.g. it has no rot certiifcates pre-installed. http://curl.haxx.se/ca/cacert.pem seems to be a bundle of root certificates that come preinstalled with Firefox.
Shouldn’t there already be a bundle for curl or other command line tools and shouldn’t this work without explicitely specifying in php.ini? e.g. according to ssl certificate - Default CA Cert Bundle Location - Server Fault the path on our system is /etc/pki/tls/certs/ca-bundle.pem. After looking the file name is different and it’s actually /etc/pki/tls/certs/ca-bundle.crt. Shoudln’t curl via php be using this location? I’ll try to add this path to php.ini, but the correct solution in my eyes would be to make curl use the default location as the cert is already there (and getting automatically updated!). Or is it a PHP bug? (I think we use 5.5.22).

Ok, one hour later, I had some time to test the php.ini solution. It doesn’t work for me.
I added
curl.cainfo="/etc/pki/tls/certs/cacert.crt" (original, dated Jan. 2015)
curl.cainfo="/etc/pki/tls/certs/cacert.pem" (downloaded from haxx.se, dated Feb. 2015)
I tried with [curl] and without before the entry.
Of course, I restarted httpd.
Accidentally, I mistyped the path once and got another error (it wasn’t able to find the path), so I think curl.cainfo does work and I actually think the default location without any cainfo does work, too. Work = it is using the CA info either way. But either the CA bundle (both of them!) doesn’t contain the necessary root CA or there is something else throwing this error.

bolero · March 28, 2015, 4:05pm

OK, it’s not a certificate issue and I wonder why it worked for the guy in the other thread (addition: ok, his screenshot was so small that, first, I couldn’t actually read the error, now it’s clear, he got another error). I tried directly with curl and I get the same error. If it’s a certificate error curl tells you and you can overcome it with -k.


curl -o piwik.latest.tar.gz https://builds.piwik.org/piwik-latest.tar.gz -k
curl: (35) Unknown SSL protocol error in connection to builds.piwik.org:443

It’s also not an issue that SSL 2 is not enabled on the server (curl says it tries with SSL2). I’ve shut 2 and 3 off on my own servers as well, but curl can download from there. I think there’s something else in the server setup that makes it fail.

This is the normal handshake:

SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):

with builds.piwik.org I get only the first line and then the protocol error.
The client is


curl/7.15.5 (i386-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5

That’s the standard, patched curl/OpenSSL on Centos 5.latest.

Average_Joe · March 28, 2015, 4:09pm

I’m also running the latest CentOS. My other box has Ubuntu on it and the upgrade was fine.

bolero · March 28, 2015, 4:11pm

You mean 5.latest or latest (=7.latest) ?

Average_Joe · March 28, 2015, 4:21pm

My bad! CentOS 5.11 (Final)

bolero · March 28, 2015, 4:52pm

Then I would suggest that there’s something set on the server that our OpenSSL doesn’t like. According to Qualys SSLLabs test it’s actually weaker set up than my own servers. Piwik staff: please investigate.

net4u · March 29, 2015, 4:06pm

Same issue here.

Tom_Doe · March 29, 2015, 5:49pm

Same here. Unable to update.

SubJunk · March 29, 2015, 8:55pm

Same here

matthieu · March 30, 2015, 1:35am

Hi guys,

All of you who have the issue, are you using Centos as well? I created an issue in: Auto update over HTTPS can fail · Issue #7576 · matomo-org/piwik · GitHub
feel free to report there any more information you may have

SubJunk · March 30, 2015, 4:24am

I’m on CentOS 5.11

net4u · March 30, 2015, 5:47am

I am on Windows 2012R2 x64

Merchenman · March 30, 2015, 9:45am

I am on CentOS 5.11 (Final) and can’t update

bolero · March 30, 2015, 9:54am

Net4u, are you sure you are not getting the certificate error that was solved in the thread I referenced earlier? That error was also on the Windows platform. Apparently, certain curl packages on it get installed without a cert bundle.

net4u · March 30, 2015, 10:12am

I tried but seems to have no effect.

bolero · March 30, 2015, 10:29am

net4u, it depends on the error. Do you get the “Unknown SSL protocol error” or something else? I just want to make sure, whether this affects other platforms than CentOS 5 or not.

net4u · March 30, 2015, 10:46am

After doing the Curl stuff as suggested I have:
curl_exec: error setting certificate verify locations: CAfile: D:\Crypto\cacert.pem CApath: none. Hostname requested was: builds.piwik.org