
Xenforo Curl 35 error with Image Proxy on subdomain

Discussion in 'Forum software usage' started by Coop1979, Dec 13, 2023.

  1. Coop1979

    Coop1979 New Member

    Recent server migration to CMM, and one of the bugs I'm chasing down is an issue with the Image Proxy system where it shows images coming from my subdomain as broken images. I have my attachments in a subdomain from using the [BD] Attachment Store add-on. Both the domain and subdomain are under Cloudflare SSL.

    Here is the error that comes up with when I use the Test Image Proxy function in XF:

    Code:
    https://attachments.mysite.com/attachment-files/2021/10/213026_3A8F3E73-169F-46CA-8FC5-BE8A962C183F.jpeg could not be fetched or is not a valid image. The specific error message was: cURL error 35: Peer reports incompatible or unsupported protocol version. (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)


     
  2. eva2000

    eva2000 Administrator Staff Member

    How was the attachments.mysite.com subdomain Nginx vhost site created? Via centmin.sh menu option 2 or the nv command line https://centminmod.com/nginx_domain_dns_setup.html?

    Did you get a Letsencrypt SSL certificate for that subdomain as per https://centminmod.com/letsencrypt-freessl.html, like you would for the main mysite.com domain?

    Are you using Cloudflare SSL in Full Strict, Full or Flexible mode?

    One possible reason for the curl error is that you have Cloudflare SSL Full Strict or Full mode in the mysite.com domain zone settings in Cloudflare, but the attachments.mysite.com Nginx vhost you created is not HTTPS based (triggering a CF Full mode error) or is self-signed SSL based (triggering a CF Full Strict error). So Cloudflare Full Strict is looking for a valid Letsencrypt SSL certificate on the backend Centmin Mod Nginx and not finding it. Or CF Full non-strict isn't finding a valid Centmin Mod Nginx HTTPS vhost, even with a self-signed SSL cert.
     
  3. Coop1979

    Coop1979 New Member

    It was created using centmin.sh menu option 2.
    I did not. I set it up without any SSL certs because that's how the main domain was set up. I was thinking I would set it up later in order to not create an additional bug to track down (perhaps I did the opposite of this!).

    It's in Flexible, which is how I had it set up when the domain was on the old server.

    Here is the .conf file in case that matters:

    Code (Text):
    # Centmin Mod Getting Started Guide
    # must read https://centminmod.com/getstarted.html
    
    # redirect from non-www to www 
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #           
    #            server_name attachments.mysite.com;
    #            return 301 $scheme://www.attachments.mysite.com$request_uri;
    #       }
    
    server {
      listen   80;
     
      server_name attachments.mysite.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/attachments.mysite.com/log/access.log combined buffer=256k flush=5m;
      #access_log /home/nginx/domains/attachments.mysite.com/log/access.json main_json buffer=256k flush=5m;
      error_log /home/nginx/domains/attachments.mysite.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/attachments.mysite.com/autoprotect-attachments.mysite.com.conf;
      root /home/nginx/domains/mysite.com/public/data;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      include /usr/local/nginx/conf/php.conf;
     
     
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    What version of Xenforo and PHP are you using? OS? CentOS 7 or AlmaLinux 8?

    If on CentOS 7, try doing a yum update; it could be related to the curl/nss package needing an update and PHP needing a restart:
    Code (Text):
    yum -y update
    fpmrestart
    
     
  5. Coop1979

    Coop1979 New Member

    Thank you for continuing to help me troubleshoot this, George.

    Xenforo 1.5.24 (and test site on 2.2.13)
    PHP 7.4.33
    CentOS Linux 7

    Yum update output:

    Code (Text):
    # yum -y update
    Loaded plugins: fastestmirror, priorities, versionlock
    Determining fastest mirrors
    epel/x86_64/metalink                      |  27 kB  00:00:00
     * base: atl.mirrors.clouvider.net
     * centos-sclo-rh: www.gtlib.gatech.edu
     * centos-sclo-sclo: nc-centos-mirror.iwebfusion.net
     * epel: reflector.westga.edu
     * extras: mirror.ette.biz
     * updates: mirror.cogentco.com
    base                                      | 3.6 kB  00:00:00
    centos-sclo-rh                            | 3.0 kB  00:00:00
    centos-sclo-sclo                          | 3.0 kB  00:00:00
    extras                                    | 2.9 kB  00:00:00
    ius                                       | 1.3 kB  00:00:00
    mariadb                                   | 3.4 kB  00:00:00
    nodesource                                | 2.5 kB  00:00:00
    percona-release-x86_64                    | 2.9 kB  00:00:00
    prel-release-noarch                       | 1.5 kB  00:00:00
    updates                                   | 2.9 kB  00:00:00
    percona-release-x86_64/7/primary_db       | 1.4 MB  00:00:00
    276 packages excluded due to repository priority protections
    No packages marked for update


    In case this helps:

    Code (Text):
    cURL version
    7.29.0
    cURL SSL version
    NSS/3.53.1
    OpenSSL version
    OpenSSL 1.0.2k 26 Jan 2017
     
    Last edited: Dec 14, 2023
  6. Coop1979

    Coop1979 New Member

    OK, I've narrowed it down to a TLS issue. One thing I did change in CF was Minimum TLS version from 1.0 to 1.3. Changed it back to 1.0 and now it's fetching the images properly.

    What's my long-term solution for this?
     
  7. eva2000

    eva2000 Administrator Staff Member

    That was your problem. TLSv1.3 is too high a security requirement for CentOS 7's native OpenSSL 1.0.2. You will also block some visitors whose computers and operating systems do not support TLSv1.3 if you set that as the minimum. You should set it to TLSv1.2 minimum instead.
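An added example (not from the thread or from Centmin Mod) that reproduces the mismatch above on loopback with Python's ssl module: a stand-in for the Cloudflare edge that requires TLS 1.3 rejects a client capped at TLS 1.2 with a protocol_version alert, which is what curl surfaces as error 35, while a TLS 1.2 minimum lets the same client connect. It assumes anonymous ECDH cipher suites (a constructed test setup so no certificate is needed) and OpenSSL 1.1.1 or newer underneath Python.

```python
import socket
import ssl
import threading

# Anonymous ECDH suites: constructed test setup only, so the stand-in server
# needs no certificate (TLS <= 1.2 only, requires OpenSSL security level 0).
_ANON_CIPHERS = "AECDH:@SECLEVEL=0"


def _serve(ctx, listener, out):
    try:
        conn, _ = listener.accept()
    except OSError as e:
        out["error"] = str(e)
        return
    conn.settimeout(5)
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            out["version"] = tls.version()
    except (ssl.SSLError, OSError) as e:
        out["error"] = getattr(e, "reason", None) or str(e)  # e.g. UNSUPPORTED_PROTOCOL
        conn.close()


def tls_handshake(server_min="TLSv1_2", client_max="TLSv1_2"):
    """Client capped at client_max vs server requiring server_min (ssl.TLSVersion names)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # stands in for the Cloudflare edge
    srv.minimum_version = getattr(ssl.TLSVersion, server_min)  # CF "Minimum TLS Version"
    srv.set_ciphers(_ANON_CIPHERS)
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # stands in for PHP's old libcurl
    cli.check_hostname = False
    cli.verify_mode = ssl.CERT_NONE
    cli.maximum_version = getattr(ssl.TLSVersion, client_max)  # highest TLS it speaks
    cli.set_ciphers(_ANON_CIPHERS)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    server_out = {}
    worker = threading.Thread(target=_serve, args=(srv, listener, server_out), daemon=True)
    worker.start()
    result = {"ok": False, "version": None, "client_error": None}
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw:
            with cli.wrap_socket(raw) as tls:  # handshake happens here
                result.update(ok=True, version=tls.version())
    except (ssl.SSLError, OSError) as e:
        result["client_error"] = getattr(e, "reason", None) or str(e)
    finally:
        worker.join(5)
        listener.close()
    return result
```

Call `tls_handshake("TLSv1_3", "TLSv1_2")` to see the client_error TLSV1_ALERT_PROTOCOL_VERSION the thread's curl 7.29.0 hit, and `tls_handshake("TLSv1_2", "TLSv1_2")` to see the TLSv1.2 session the recommended minimum allows.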