
cURL error 77 on XenForo v2.2.13

Discussion in 'Forum software usage' started by MaximilianKohler, Oct 22, 2023.

  1. MaximilianKohler

    MaximilianKohler Member

    I'm on the beta version of Centmin Mod, and I just got a few of these errors today. The first two happened when someone was registering:
    Code:
    hCaptcha connection error: cURL error 77: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)
        Today at 6:04 AM src/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:201 
    Code:
    cURL error 77: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)
        Today at 6:04 AM src/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:201
    
    And the other during a Cloudflare addon job?
    Code:
    Job DigitalPoint\Cloudflare\Job\PurgeCache: cURL error 77: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)
        Today at 10:18 AM src/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:201
    
    According to the help link they give https://curl.se/libcurl/c/libcurl-errors.html the problem is:
    Code:
    CURLE_SSL_CACERT_BADFILE (77)
    Problem with reading the SSL CA cert (path? access rights?) 
    This is the only other discussion I found about it: https://community.centminmod.com/threads/123-09beta01-install-issues.10138/#post-43667


    Here's my output for the requested info:
    Code:
    yum -y update ca-certificates
    Loaded plugins: fastestmirror, priorities, versionlock
    Loading mirror speeds from cached hostfile
     * base: centos.mirror.constant.com
     * centos-sclo-rh: mirror.wdc2.us.leaseweb.net
     * centos-sclo-sclo: coresite.mm.fcix.net
     * epel: forksystems.mm.fcix.net
     * extras: mirror.wdc2.us.leaseweb.net
     * updates: mirror.ash.fastserv.com
    206 packages excluded due to repository priority protections
    No packages marked for update
    
    
    yum list ca-certificates -q
    Installed Packages
    ca-certificates.noarch                                                   2023.2.60_v7.0.306-72.el7_9                                                    @updates
    
    
    yum info ca-certificates -q
    Installed Packages
    Name        : ca-certificates
    Arch        : noarch
    Version     : 2023.2.60_v7.0.306
    Release     : 72.el7_9
    Size        : 2.2 M
    Repo        : installed
    From repo   : updates
    Summary     : The Mozilla CA root certificate bundle
    URL         : http://www.mozilla.org/
    License     : Public Domain
    Description : This package contains the set of CA certificates chosen by the
                : Mozilla Foundation for use with the Internet PKI.
    
     rpm -ql ca-certificates
    /etc/pki/ca-trust
    /etc/pki/ca-trust/README
    /etc/pki/ca-trust/ca-legacy.conf
    /etc/pki/ca-trust/extracted
    /etc/pki/ca-trust/extracted/README
    /etc/pki/ca-trust/extracted/java
    /etc/pki/ca-trust/extracted/java/README
    /etc/pki/ca-trust/extracted/java/cacerts
    /etc/pki/ca-trust/extracted/openssl
    /etc/pki/ca-trust/extracted/openssl/README
    /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    /etc/pki/ca-trust/extracted/pem
    /etc/pki/ca-trust/extracted/pem/README
    /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
    /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
    /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    /etc/pki/ca-trust/source
    /etc/pki/ca-trust/source/README
    /etc/pki/ca-trust/source/anchors
    /etc/pki/ca-trust/source/blacklist
    /etc/pki/ca-trust/source/ca-bundle.legacy.crt
    /etc/pki/java
    /etc/pki/java/cacerts
    /etc/pki/tls
    /etc/pki/tls/cert.pem
    /etc/pki/tls/certs
    /etc/pki/tls/certs/ca-bundle.crt
    /etc/pki/tls/certs/ca-bundle.trust.crt
    /etc/ssl
    /etc/ssl/certs
    /usr/bin/ca-legacy
    /usr/bin/update-ca-trust
    /usr/share/doc/ca-certificates-2023.2.60_v7.0.306/README
    /usr/share/man/man8/ca-legacy.8.gz
    /usr/share/man/man8/update-ca-trust.8.gz
    /usr/share/pki
    /usr/share/pki/ca-trust-legacy
    /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
    /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
    /usr/share/pki/ca-trust-source
    /usr/share/pki/ca-trust-source/README
    /usr/share/pki/ca-trust-source/anchors
    /usr/share/pki/ca-trust-source/blacklist
    /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
    
    
    curl -V
    curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
    
    ldd $(which curl)
            linux-vdso.so.1 =>  (0x00007fff9d3d2000)
            libcurl.so.4 => /lib64/libcurl.so.4 (0x00007fedd959a000)
            libssl3.so => /lib64/libssl3.so (0x00007fedd9335000)
            libsmime3.so => /lib64/libsmime3.so (0x00007fedd910d000)
            libnss3.so => /lib64/libnss3.so (0x00007fedd8dd3000)
            libnssutil3.so => /lib64/libnssutil3.so (0x00007fedd8ba2000)
            libplds4.so => /lib64/libplds4.so (0x00007fedd899e000)
            libplc4.so => /lib64/libplc4.so (0x00007fedd8799000)
            libnspr4.so => /lib64/libnspr4.so (0x00007fedd855a000)
            libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fedd833e000)
            libdl.so.2 => /lib64/libdl.so.2 (0x00007fedd813a000)
            libz.so.1 => /lib64/libz.so.1 (0x00007fedd7f24000)
            libc.so.6 => /lib64/libc.so.6 (0x00007fedd7b56000)
            libidn.so.11 => /lib64/libidn.so.11 (0x00007fedd7923000)
            libssh2.so.1 => /lib64/libssh2.so.1 (0x00007fedd76f6000)
            libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fedd74a9000)
            libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fedd71c0000)
            libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fedd6f8d000)
            libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fedd6d89000)
            liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fedd6b7a000)
            libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fedd6925000)
            librt.so.1 => /lib64/librt.so.1 (0x00007fedd671d000)
            /lib64/ld-linux-x86-64.so.2 (0x00007fedd9804000)
            libssl.so.10 => /lib64/libssl.so.10 (0x00007fedd64ab000)
            libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fedd6048000)
            libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fedd5e38000)
            libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fedd5c34000)
            libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fedd5a1a000)
            libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007fedd57fd000)
            libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fedd55d6000)
            libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fedd539f000)
            libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x00007fedd5130000)
            libfreebl3.so => /lib64/libfreebl3.so (0x00007fedd4f2d000)
    
    
    ls -lah /etc/pki/tls/certs
    total 240K
    drwxr-xr-x. 2 root root 4.0K Oct 21 05:18 .
    drwxr-xr-x. 5 root root 4.0K Oct 21 05:18 ..
    lrwxrwxrwx  1 root root   49 Oct 21 05:18 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    lrwxrwxrwx  1 root root   55 Oct 21 05:18 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    -rw-r--r--. 1 root root 217K Aug 22 03:12 cacert.pem
    -rwxr-xr-x. 1 root root  610 Mar 20  2023 make-dummy-cert
    -rw-r--r--. 1 root root 2.5K Mar 20  2023 Makefile
    -rwxr-xr-x. 1 root root  829 Mar 20  2023 renew-dummy-cert
     
  2. brijendrasial

    brijendrasial Active Member

    Did you try reinstalling the CA certs?

    yum -y reinstall ca-certificates
     
  3. MaximilianKohler

    MaximilianKohler Member

    Thanks, I'll try that. I had the server open in PuTTY and it disconnected on its own. Maybe that suggests my server host (Hetzner) is having some problems?
     
  4. brijendrasial

    brijendrasial Active Member

    Nope, it has to do with the client or server sshd settings.
     
  5. eva2000

    eva2000 Administrator Staff Member

    What version of PHP? And what is the output of this command?
    Code (Text):
    php -i | grep curl.cainfo
    

    and
    Code (Text):
    ls -lAh /etc/ssl/certs/cacert.pem

    i.e.
    Code (Text):
    php -i | grep curl.cainfo
    curl.cainfo => /etc/ssl/certs/cacert.pem => /etc/ssl/certs/cacert.pem
    

    Code (Text):
    ls -lAh /etc/ssl/certs/cacert.pem
    -rw-r--r-- 1 root root 217K Aug 21 22:12 /etc/ssl/certs/cacert.pem
    

    If /etc/ssl/certs/cacert.pem is missing, run centmin.sh once and exit so it can redownload it.

    If /etc/ssl/certs/cacert.pem is 0 bytes in size, remove the /etc/ssl/certs/cacert.pem file and run centmin.sh once and exit so it can redownload it.

    FYI, Centmin Mod PHP-FPM uses CA cert bundle from https://curl.se/docs/caextract.html
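
The checks described in the post above (file missing, file 0 bytes) together with the "path? access rights?" hint in the libcurl error text, as an added shell example that is not part of the original posts or of Centmin Mod. The function names and the sample files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Classifies the file that PHP's
# curl.cainfo points at, covering the conditions behind cURL error 77.

# Extract the effective curl.cainfo path from `php -i` output on stdin.
# Line format as shown in the thread: "curl.cainfo => LOCAL => MASTER".
php_cainfo_path() {
    awk -F' => ' '$1 == "curl.cainfo" { print $2; exit }'
}

# Print one status word for a CA bundle path; return non-zero unless ok.
#   missing | notfile | unreadable | empty | malformed | ok:<cert count>
check_ca_bundle() {
    path=$1
    # -e follows symlinks, so a dangling symlink also reports "missing".
    [ -e "$path" ] || { echo "missing"; return 1; }
    [ -f "$path" ] || { echo "notfile"; return 1; }
    # Readability is tested for the current user only.
    [ -r "$path" ] || { echo "unreadable"; return 1; }
    [ -s "$path" ] || { echo "empty"; return 1; }
    # Structural check only: each BEGIN marker needs a matching END marker.
    # It does not validate the certificates themselves.
    begin=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
    end=$(grep -c -e '-----END CERTIFICATE-----' "$path" || true)
    if [ "$begin" -eq 0 ] || [ "$begin" -ne "$end" ]; then
        echo "malformed"; return 1
    fi
    echo "ok:$begin"
}

# Constructed sample inputs (dummy PEM bodies, not real certificates).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
                  '-----END CERTIFICATE-----'
}
{ pem; pem; } > "$demo_dir/cacert.pem"                # two complete blocks
: > "$demo_dir/empty.pem"                             # 0-byte download
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09O' > "$demo_dir/truncated.pem"
ln -s "$demo_dir/gone.pem" "$demo_dir/dangling.pem"   # symlink to nothing

for f in cacert.pem empty.pem truncated.pem dangling.pem; do
    printf '%-14s %s\n' "$f" "$(check_ca_bundle "$demo_dir/$f" || true)"
done
```

On a live server, run `check_ca_bundle "$(php -i | php_cainfo_path)"` as the account PHP-FPM runs under, since the readability test applies to the calling user.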
     
  6. MaximilianKohler

    MaximilianKohler Member

    Code:
    php -v
    PHP 8.1.22 (cli) (built: Aug 19 2023 07:32:03) PGO (NTS)
    Copyright (c) The PHP Group
    Zend Engine v4.1.22, Copyright (c) Zend Technologies
        with Zend OPcache v8.1.22, Copyright (c), by Zend Technologies
    
    
    php -i | grep curl.cainfo
    curl.cainfo => /etc/ssl/certs/cacert.pem => /etc/ssl/certs/cacert.pem
    
    
    ls -lAh /etc/ssl/certs/cacert.pem
    -rw-r--r--. 1 root root 217K Aug 22 03:12 /etc/ssl/certs/cacert.pem
    
    And FYI that info is without having run the "yum -y reinstall ca-certificates" command yet.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Do you have something like @Xon's Password Tool addon for Xenforo installed?

    Try creating a phpcurlcheck.php file with contents to curl cloudflare domain - you can change domain name to domains that Xenforo is reporting issues with via remote connections in PHP's curl usage.
    PHP:
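    <?php
    // Send a test HTTPS request and write libcurl's verbose log to a file.
    $ch = curl_init('https://www.cloudflare.com');
    curl_setopt($ch, CURLOPT_VERBOSE, true);
    curl_setopt($ch, CURLOPT_STDERR, fopen('curl_verbose_output.txt', 'w'));
    curl_exec($ch);
    // A non-zero errno (e.g. 77) means the request failed.
    if (curl_errno($ch)) {
        echo 'Error: ' . curl_error($ch);
    }
    curl_close($ch);
    ?>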
    Run the script from the command line
    Code (Text):
    php phpcurlcheck.php >/dev/null
    

    Then check its output in curl_verbose_output.txt
    Code (Text):
    cat curl_verbose_output.txt

    Top part of output will show the verbose curl output including which CAfile to verify CA certs with = /etc/ssl/certs/cacert.pem
    Code (Text):
    * Rebuilt URL to: https://www.cloudflare.com/
    *   Trying 104.16.123.96...
    * TCP_NODELAY set
    * Connected to www.cloudflare.com (104.16.123.96) port 443 (#0)
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/cacert.pem
      CApath: none
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=www.cloudflare.com
    *  start date: Sep 19 14:51:10 2023 GMT
    *  expire date: Dec 18 14:51:09 2023 GMT
    *  subjectAltName: host "www.cloudflare.com" matched cert's "www.cloudflare.com"
    *  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1P5
    *  SSL certificate verify ok.
    > GET / HTTP/1.1
    Host: www.cloudflare.com
    Accept: */*
    
     
  8. MaximilianKohler

    MaximilianKohler Member

    I don't have Xon's PW tool addon. These are the addons I use: https://gist.github.com/MaximilianKohler/3bdedd0185283ac30c1f1422f9626947#addons-1

    Here's my output:
    Code:
    cat curl_verbose_output.txt
    * About to connect() to www.cloudflare.com port 443 (#0)
    *   Trying 2606:4700::6810:7b60...
    * Connected to www.cloudflare.com (2606:4700::6810:7b60) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/ssl/certs/cacert.pem
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=www.cloudflare.com
    *       start date: Sep 19 14:51:10 2023 GMT
    *       expire date: Dec 18 14:51:09 2023 GMT
    *       common name: www.cloudflare.com
    *       issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US
    > GET / HTTP/1.1
    Host: www.cloudflare.com
    Accept: */*
    
    < HTTP/1.1 200 OK
    < Date: Sat, 21 Oct 2023 21:49:35 GMT
    < Content-Type: text/html; charset=utf-8
    < Transfer-Encoding: chunked
    < Connection: keep-alive
    < CF-Ray: 819cb618ccc9207e-IAD
    < CF-Cache-Status: HIT
    < Age: 9
    < Cache-Control: max-age=120
    < Expires: Sat, 21 Oct 2023 21:49:31 GMT
    < Last-Modified: Sat, 21 Oct 2023 21:13:07 GMT
    < Strict-Transport-Security: max-age=31536000; includeSubDomains
    < Vary: Accept-Encoding
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    < x-rm: RDWD
    < X-XSS-Protection: 1; mode=block
    < Set-Cookie: __cf_bm=J9eUoYfMm9wiyiPgybE6YEL4FER79WWe0G_V5wSez2E-1697924975-0-AeN1+zthJmJwjMLoqUoM2ZiC4Qj4ASFLarrQavuMX11ybjo+RfJV9qsjVfb1YLhgvLoNyjallm+1eClykjbX+rgZtkSFoMf7E30QN5ukFfV3; path=/; expires=Sat, 21-Oct-23 22:19:35 GMT; domain=.www.cloudflare.com; HttpOnly; Secure
    < Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qDxD8IRdAafxy6ACKYqhi0g2D0L2wUalo5jbCYkPpdHJgnYQSsvPFNrG5ucxxYIVYWorMzaoM06dgcmarlzwKEb33kx7DWn54qqkUmPjwq4V6gkS%2Bxo1Fbotuqp6iIcuuYzhFJcpoGremvspaKBuoQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    < NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    < Server: cloudflare
    < alt-svc: h3=":443"; ma=86400
    <
    * Connection #0 to host www.cloudflare.com left intact
    
    I'm not sure what you meant with this:
    Do you mean when I click on the server error in Xenforo and scroll down to "Request state"?
    Code:
    array(4) {
      ["url"] => string(18) "/register/register"
      ["referrer"] => string(44) "https://forum.mysite.com/register/"
      ["_GET"] => array(1) {
        ["/register/register"] => string(0) ""
      }
    
    array(4) {
      ["url"] => string(8) "/job.php"
      ["referrer"] => string(118) "https://forum.mysite.com/threads/bla-bla.175/"
      ["_GET"] => array(0) {
      }
      ["_POST"] => array(0) {
      }
    }
    
     
  9. eva2000

    eva2000 Administrator Staff Member

    Run the reinstall command and see first. Though PHP uses its own CA bundle.
     
  10. eva2000

    eva2000 Administrator Staff Member

    One more thing you can try: since CentOS 7 curl is tied to nss, try updating that YUM package too
    Code (Text):
    yum -y update nss
     
  11. Matt

    Matt Well-Known Member

    I'm getting reports on this as well on CentOS7 servers. Started around Friday. Had the issue initially with Jetbackup.
     
  12. MaximilianKohler

    MaximilianKohler Member

    It seems to have been a temporary issue so far. I haven't run the recommended commands yet, and haven't had the error happen again.
    Code:
    yum -y reinstall ca-certificates
    yum -y update nss
    
     
  13. Jon Snow

    Jon Snow Active Member

    I just started getting these errors too (today).
     
  14. eva2000

    eva2000 Administrator Staff Member

    On a Centmin Mod or non-Centmin Mod server?
     
  15. eva2000

    eva2000 Administrator Staff Member

    Looks like Plesk folks say it is indeed an nss update required via yum https://support.plesk.com/hc/en-us/...gins-do-not-work-under-CentOS-7-cURL-error-77

    from nss CentOS 7 changelog
     
  16. Jon Snow

    Jon Snow Active Member

  17. Jon Snow

    Jon Snow Active Member

    All good here. Had to restart php-fpm
     
  18. eva2000

    eva2000 Administrator Staff Member

    Oh, there are other nss packages that need updating

    Code (Text):
     nss                   x86_64  3.90.0-2.el7_9                updates         905 k
     nss-softokn           x86_64  3.90.0-6.el7_9                updates         383 k
     nss-softokn-freebl    x86_64  3.90.0-6.el7_9                updates         321 k
     nss-sysinit           x86_64  3.90.0-2.el7_9                updates          67 k
     nss-tools             x86_64  3.90.0-2.el7_9                updates         557 k
     nss-util              x86_64  3.90.0-1.el7_9                updates          80 k
    


    If you run the centmin.sh menu and then exit with option 24, you should get a list of yum updates available and instructions for the yum update command to update them.
     
  19. eva2000

    eva2000 Administrator Staff Member

    Yeah that would help too
     
  20. eva2000

    eva2000 Administrator Staff Member

    https://access.redhat.com/errata/RHBA-2023:5478