Add config option to use own cacert.pem file (matomo-org#14113)

* fixes matomo-org#13742

* add explaining text

* minor tweak as in past we had sometimes trouble accessing Config::getInstance()->General['custom_cacert_pem'] directly on some systems

shouldn't be an issue anymore, but better be safe.

config/global.ini.php

@@ -694,6 +694,13 @@
 ; The number of days to wait before sending the JavaScript tracking code email reminder.
 num_days_before_tracking_code_reminder = 5
 
+; The path to a custom cacert.pem file Matomo should use.
+; By default Matomo uses a file extracted from the Firefox browser and provided here: https://curl.haxx.se/docs/caextract.html.
+; The file contains root CAs and is used to determine if the chain of a SSL certificate is valid and it is safe to connect.
+; Most users will not have to use a custom file here, but if you run your Matomo instance behind a proxy server/firewall that
+; breaks and reencrypts SSL connections you can set your custom file here. 
+custom_cacert_pem=
+
 [Tracker]
 
 ; Matomo uses "Privacy by default" model. When one of your users visit multiple of your websites tracked in this Matomo,

core/Http.php

@@ -802,7 +802,13 @@ public static function downloadChunk($url, $outputPath, $isContinuation)
      */
     public static function configCurlCertificate(&$ch)
     {
-        @curl_setopt($ch, CURLOPT_CAINFO, PIWIK_INCLUDE_PATH . '/core/DataFiles/cacert.pem');
+        $general = Config::getInstance()->General;
+        if (!empty($general['custom_cacert_pem'])) {
+            $cacertPath = $general['custom_cacert_pem'];
+        } else {
+            $cacertPath = PIWIK_INCLUDE_PATH . '/core/DataFiles/cacert.pem';
+        }
+        @curl_setopt($ch, CURLOPT_CAINFO, $cacertPath);
     }
 
     public static function getUserAgent()