To setup SSL connection MySQL in Matomo, you can follow the steps below:

  1. First, you need to install Matomo over standard insecure non-SSL connections. If your MySQL server requires SSL connections, then you can’t install Matomo through the UI, so you will need to disable SSL temporarily while you install Matomo, and then re-enable SSL in MySQL after you installed Matomo.
  2. Then once Matomo is working, obtain SSL keys and certificate files generated using the same version of openssl as MySQL
  3. in your config/config.ini.php’s [database] section, set the ssl_cert, ssl_key, ssl_ca to absolute paths to the required files (and make sure PHP can read those files or you’ll get strange MySQL errors)
  4. Optionally set ssl_cipher to your desired cipher
  5. If you’re using a self signed certificate (& your PHP version has a PDO/MySQLi that supports skipping the verification check), set the ssl_no_verify option to 1.
  6. Verify in the Matomo (Piwik) system check that you are using an SSL connection to the database. You may also want to change your database password.

For example when using AWS RDS, here is an example configuration (where rds-combined-ca-bundle.pem is downloaded from here):

; Database SSL Options START
; Turn on or off SSL connection to database, possible values for enable_ssl: 1 or 0
enable_ssl = 1
; Direct path to server CA file, CA bundle supported (required for ssl connection)
ssl_ca = "/etc/mysql-certs/rds-combined-ca-bundle.pem"
; Direct path to client cert file (optional)
ssl_cert =
; Direct path to client key file (optional)
ssl_key =
; Direct path to CA cert files directory (optional)
ssl_ca_path =
; List of one or more ciphers for SSL encryption, in OpenSSL format (optional)
ssl_cipher =
; Database SSL Options END
Previous FAQ: How do I check if my MySQL user has all required grants