
Xenforo OpenSSL & XenForo 1.5 Issues

Discussion in 'Forum software usage' started by tdubs, Sep 8, 2016.

  1. tdubs

    tdubs Member

    84
    12
    8
    Apr 10, 2015
    Ratings:
    +15
    Local Time:
    1:18 PM
    1.7.12
    10.0.17
    Hello,


    I've recently been experiencing a lot of server error logs on my forum for the past 2 days now since I've upgraded to PHP 7.0.10. Before this problem, I was having a problem with the cURL ca-certificates which I managed to resolve after hours of research. Now, the problem I assume is to do with OpenSSL and PHP 5.6.25+ since every article I've found is indicating that.

    Error:
    Code:
    Zend_Http_Client_Adapter_Exception: ReCAPTCHA (No CAPTCHA) connection error: Unable to Connect to ssl://www.google.com:443. Error #0: - library/Zend/Http/Client/Adapter/Socket.php:235
    Stack Trace:
    Code:
    #0 /home/nginx/domains/domain.com/public/library/Zend/Http/Client.php(973): Zend_Http_Client_Adapter_Socket->connect('www.google.com', 443, true)
    #1 /home/nginx/domains/domain.com/public/library/XenForo/Captcha/NoCaptcha.php(76): Zend_Http_Client->request('POST')
    #2 /home/nginx/domains/domain.com/public/library/XenForo/Captcha/Abstract.php(129): XenForo_Captcha_NoCaptcha->isValid(Array)
    #3 /home/nginx/domains/domain.com/public/library/XenForo/ControllerPublic/Register.php(355): XenForo_Captcha_Abstract::validateDefault(Object(XenForo_Input))
    #4 /home/nginx/domains/domain.com/public/library/Siropu/UsernameChange/ControllerPublic/Register.php(32): XenForo_ControllerPublic_Register->actionRegister()
    #5 /home/nginx/domains/domain.com/public/library/XenForo/FrontController.php(351): Siropu_UsernameChange_ControllerPublic_Register->actionRegister()
    #6 /home/nginx/domains/domain.com/public/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
    #7 /home/nginx/domains/domain.com/public/index.php(13): XenForo_FrontController->run()
    #8 {main}
    Request State:
    Code:
    array(3) {
      ["url"] => string(53) "http://www.domain.com/index.php?register/register"
      ["_GET"] => array(1) {
        ["register/register"] => string(0) ""
      }
      ["_POST"] => array(14) {
        ["username"] => string(0) ""
        ["7b5566200f702a0ee50ade25ad9e43d6"] => string(4) "fafa"
        ["6b6c85193b4486e38adf1b4adbd5ab17"] => string(20) "syafatikah@gmail.com"
        ["89f121ef4b812bf702b1fd871206291e"] => string(6) "female"
        ["dob_month"] => string(1) "3"
        ["dob_day"] => string(2) "12"
        ["dob_year"] => string(4) "2000"
        ["c5e48dfddc9a61d541d1c255f7c802d4"] => array(2) {
          ["awdu"] => string(0) ""
          ["ign"] => string(12) "syafatikboom"
        }
        ["custom_fields_shown"] => array(2) {
          [0] => string(4) "awdu"
          [1] => string(3) "ign"
        }
        ["4be4a8e4a8a890a08ba1372e06395596"] => string(14) "Asia/Hong_Kong"
        ["g-recaptcha-response"] => string(1230) "03AHJ_Vutyw1W9IG3fTxaJfpvpILejWxjlM_4tirXg7nGAJwFvHj6gMnXMxTrfB720nVAzY5kmAuRcoKzmw2BpBsT8r5lFJlzVZkGZOh2F88n_aTeRuC3Z5KITrfd_dOdqk5bN3z0wKiS4jGNKjxks_n1PjtI0dwAJBef9rUWiDMIJz2XHgVqRmXGxPdqM7nKrZ01zz5yTmH6pAcdrTOiHpPXyDHCwYr_pWSrNScRR3_Zuf_M5BcasGV7LR0eMFFF_WIcFqAdXjBTom6KsB7Aii2HarvjRF9usR_3W724FvG0lPym5uPR8PMvGfvy3lpEC7tli9QinyIDy-28r0q7_YIr_hkeUSR2q90uH1_r0nTQ2X_T_mgKBWVaVJFHVnm9atpJuq7FuCfNEknq_KZ5eAp50yeJg7aQ0avxiJ34FFG1bd2aItKDsOYygfA-hTP14FTSL340cnP4fINA5vNXcTTLVzZWtbVh3uF1QQ7FHqMVubEDlvMVF-WPHqp41yEWSHrUpmMBfWvbwgV1tR-JuHakXlMpafC8FSiDlmJBP9O9aMh9L-S3ak4Yk7G8kwOHJpbHnCel7Wke8llb1fcg0bAqaNLIs-Sq1mv4fmmEdw3uvPzMx29bwmrXCkC0ZVKmSziLDaIr-8VlXw6jGL06CuP091aqTMRAumStEKlFLXQZjF-teH5pSpnPUC4NApVI129d1-bDgGLsnCb6-_WpkwCVwBYZgFF8Zh3e0SVPJrb5JbajhEqXUz_RSnKY9LdX1hXMNSkhMUOxfEJe8FL1kysgB7C7zvBPP27oSOE8oBZQpiAwC9HUMUS02yjCtpWOgApEcgnOpnHkvkqIJPrwDM4q0a72ReJ1NqdTQrK-3WNdjGE--SykNaQrPTDE6FZ-IeSx_DHHjFCnTyjojKbyFtL8l05tSYss_MMjVBK6EYOJoVw-8t3tXKzOnohgPVCG6K774d5_A9XuEKAYtNRJQYGw570QDHJ0JILBfsZZl6AADUl-6wBB0D1LOYSzhmXt9pwjI447QJk6M-1I-MtwW72-cXcMHOLZsCgREcpA_6AvpyT6uBj99zbVeDFCxzqrndIUa-Cf6XhtmIYANWa1DWQ8V0SphEFJprhU566sYB9TrnzhES4j7WJtskDoW8SH8MEipg4xxoHj-UUxUmLvG7eoRTvDFgvqTCXTtS1ZL1W0R1012_dNMeXwSerwcWt8qQBdkcO9ELeIs"
        ["agree"] => string(1) "1"
        ["_xfToken"] => string(8) "********"
        ["reg_key"] => string(32) "a5ac52d52f1f3d65baab8a221d09a726"
      }
    }
    
    
    I do not use any sort of SSL certificates myself so I'm not sure what's going on.

    Any assistance would be awesome! :)
     
  2. eva2000

    eva2000 Administrator Staff Member

    54,859
    12,239
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,810
    Local Time:
    1:18 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    It's probably network connectivity issues with your server. See Xenforo - Server Config Issue Causing Problems With XenForo | Centmin Mod Community

    Centmin Mod LEMP stack's PHP-FPM setup already takes care of most PHP 5.6+ SSL-related issues. You can verify whether your setup is correct via these commands:

    check php version
    Code (Text):
    php -v

    check your php config scan .ini settings directory for /etc/centminmod/php.d/curlcainfo.ini file listing
    Code (Text):
    php --ini
    

    output
    Code (Text):
    php --ini
    Configuration File (php.ini) Path: /usr/local/lib
    Loaded Configuration File:         /usr/local/lib/php.ini
    Scan for additional .ini files in: /etc/centminmod/php.d
    Additional .ini files parsed:      /etc/centminmod/php.d/a_customphp.ini,
    /etc/centminmod/php.d/curlcainfo.ini,
    /etc/centminmod/php.d/geoip.ini,
    /etc/centminmod/php.d/igbinary.ini,
    /etc/centminmod/php.d/imagick.ini,
    /etc/centminmod/php.d/mailparse.ini,
    /etc/centminmod/php.d/memcache.ini,
    /etc/centminmod/php.d/memcached.ini,
    /etc/centminmod/php.d/redis.ini,
    /etc/centminmod/php.d/zendopcache.ini

    then check contents of that file using cat command
    Code (Text):
    cat /etc/centminmod/php.d/curlcainfo.ini
    curl.cainfo = '/etc/ssl/certs/cacert.pem'

    check the date of the cacert.pem - Centmin Mod usually auto updates cacert.pem with latest if it's older than 90 days when you run php upgrades or recompiles via centmin.sh menu option 5
    Code (Text):
    ls -lah /etc/ssl/certs/cacert.pem

    Actually I might have found a slight bug in Centmin Mod's auto cacert.pem update routine, as it seems during curl.haxx.se downtime I switched it to a local centminmod.com mirror for download but didn't switch back, so it's been updating using an older April cacert.pem instead of the latest cacert.pem bundle from cURL - Extract CA Certs from Mozilla. Not a bug, as the centminmod.com local download auto-updates via cron :)

    However, cacert.pem only has one new revision for September and the last version was in April, so you wouldn't have had issues between April and September anyway. The reason is that Mozilla's cacert.pem is only updated every 90 days. Hence why Centmin Mod only updates if it's older than 90 days. So it's probably unlikely that this is the cause of your problems unless you're missing the /etc/centminmod/php.d/curlcainfo.ini file entirely. In which case, the 4 commands below to manually update will re-add the /etc/centminmod/php.d/curlcainfo.ini file setup.

    While I update Centmin Mod branches, you can manually update using these commands:
    Code (Text):
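    # Mozilla-derived CA bundle published by the curl project
    CURL_CACERTURL='https://curl.haxx.se/ca/cacert.pem'
    # Download the bundle over the live copy (quiet mode)
    wget -q -O /etc/ssl/certs/cacert.pem "$CURL_CACERTURL"
    # Point PHP's curl extension at the bundle
    echo "curl.cainfo = '/etc/ssl/certs/cacert.pem'" > /etc/centminmod/php.d/curlcainfo.ini
    # Restart Nginx and PHP-FPM (Centmin Mod alias)
    nprestart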
    

    Still, it could be network-related issues on your server too.
     
    Last edited: Sep 9, 2016
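
The manual update in the post above writes the download straight over the live bundle; the sketch below is an added example (not part of the original post and not Centmin Mod code) that checks a downloaded cacert.pem before swapping it in. The function name `install_ca_bundle`, the temporary path and the `EXPECTED_SHA256` variable are assumptions, and the expected digest is assumed to come from a source other than the bundle file itself.

```shell
#!/usr/bin/env bash
# Added example: validate a downloaded CA bundle before it replaces the live one.
# install_ca_bundle is a hypothetical helper, not part of Centmin Mod.

# install_ca_bundle <candidate> <destination> <expected_sha256>
# Returns 0 and replaces <destination> only if every check passes.
install_ca_bundle() {
    local candidate="$1" dest="$2" expected="$3"
    local actual certs tmp

    # wget -O truncates/creates its output file even when the download fails,
    # so an empty file means "download failed", not "no CAs".
    [ -s "$candidate" ] || { echo "reject: empty download" >&2; return 1; }

    # An error page or captive-portal response is non-empty but has no PEM blocks.
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$candidate" || true)
    [ "$certs" -ge 1 ] || { echo "reject: no PEM certificates" >&2; return 1; }

    # Compare against a digest obtained separately from the bundle.
    actual=$(sha256sum "$candidate" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "reject: sha256 mismatch" >&2; return 1; }

    # Copy next to the destination, then rename, so PHP never reads a partial file.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if cp "$candidate" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Usage, mirroring the commands in the post (EXPECTED_SHA256 is an assumed variable):
#   wget -q -O /tmp/cacert.pem.new "$CURL_CACERTURL"
#   install_ca_bundle /tmp/cacert.pem.new /etc/ssl/certs/cacert.pem "$EXPECTED_SHA256" \
#       && nprestart
```

A rejected download leaves the existing /etc/ssl/certs/cacert.pem untouched, so a mirror outage cannot leave PHP with an empty trust store.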
  3. tdubs

    tdubs Member

    This is exactly why I enjoy this forum. Simply because I get awesome replies which are extremely informative and 98% of the time resolve my problem. I went ahead and ran the necessary updates and checks so I will see how it goes from there. I did run across a thread on XenForo (XF 1.4 - Trouble loading resources via SSL | XenForo Community) which indicated network issues with the server provider's configuration. So if it continues after what you posted, I will contact my VPS provider.
     
  4. eva2000

    eva2000 Administrator Staff Member

    You're welcome, I believe @BigIron or @deltahf which was network related too.
     
  5. deltahf

    deltahf Premium Member Premium Member

    587
    265
    63
    Jun 8, 2014
    Ratings:
    +489
    Local Time:
    11:18 PM
    Yeah, that was my thread. My issue was related specifically to IPv6 connectivity, though, and was caused by buggy firmware updates to my hosting provider's Brocade routers which kept breaking IPv6 every time they updated them. Unfortunately, this has happened repeatedly - about six times now - since I first reported the problem to ReliableSite last year, and it doesn't inspire a lot of confidence.

    It didn't actually have anything to do with SSL, it just looked that way because most of the big providers (Google, Facebook, ReCAPTCHA, etc.) who were using SSL were also being reached (or were trying to be reached, anyway) via IPv6. Try running the mtr reports from my post that you linked to above to see if you get the same results.
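
The distinction drawn in this post (a broken IPv6 path that looks like an SSL failure) can be checked from the server by probing each address family separately. This is an added example, not part of the original post; `probe_family`, `is_net_fail` and `classify_probe` are hypothetical helper names, and the interpretation relies on curl's documented exit codes.

```shell
#!/usr/bin/env bash
# Added example: tell "TLS trust problem" apart from "one address family is unreachable".
# probe_family, is_net_fail and classify_probe are hypothetical helper names.

# probe_family <4|6> <host>: one HTTPS request forced over a single IP family.
# Prints curl's exit code (0 = success).
probe_family() {
    local rc=0
    curl "-$1" --silent --output /dev/null --connect-timeout 5 --max-time 10 \
        "https://$2/" || rc=$?
    echo "$rc"
}

# curl exit codes that mean the connection never got as far as TLS:
# 6 = could not resolve host, 7 = failed to connect, 28 = timed out.
is_net_fail() { case "$1" in 6|7|28) return 0 ;; *) return 1 ;; esac; }

# classify_probe <ipv4_exit_code> <ipv6_exit_code>
# 60 = certificate verification failed, 35 = TLS handshake error.
classify_probe() {
    local v4="$1" v6="$2"
    if [ "$v4" = 0 ] && [ "$v6" = 0 ]; then echo ok
    elif [ "$v4" = 60 ] || [ "$v6" = 60 ]; then echo ca-bundle       # trust store issue
    elif [ "$v4" = 0 ] && is_net_fail "$v6"; then echo ipv6-path      # case described above
    elif [ "$v6" = 0 ] && is_net_fail "$v4"; then echo ipv4-path
    elif is_net_fail "$v4" && is_net_fail "$v6"; then echo network    # general connectivity
    elif [ "$v4" = 35 ] || [ "$v6" = 35 ]; then echo tls-handshake
    else echo other
    fi
}

# Usage against the host named in the error message:
#   classify_probe "$(probe_family 4 www.google.com)" "$(probe_family 6 www.google.com)"
```

A result of `ipv6-path` on a server that has an IPv6 address configured points at routing rather than certificates, while `ca-bundle` points back at the cacert.pem checks earlier in the thread.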
     
  6. eva2000

    eva2000 Administrator Staff Member

    ouch not very inspiring.. probably better to just disable IPv6 from your server instead in such a case
     
  7. tdubs

    tdubs Member

    Dumb question, but if you do this and visitors are using IPv6, will they be affected?
     
  8. eva2000

    eva2000 Administrator Staff Member

    Yeah, though 99% of my servers have IPv6 disabled, it's still pretty much an IPv4 world and I don't know of any ISPs that are IPv6 only without IPv4 fallback? Would be very bad if there was no fallback to IPv4 on the ISP client side, as from the IPv6 server side rollout is ~20%, so that would mean for such an ISP with IPv6 only, 4 out of 5 sites / 80% of sites would be unavailable to an ISP IPv6-only customer :)
     
    Last edited: Sep 13, 2016
  9. deltahf

    deltahf Premium Member Premium Member

    Yeah, it's pretty bad. Makes me wonder what other things they might be overlooking... :unsure: I will probably disable IPv6 next time it happens.

    Their prices are great, though. I guess you get what you pay for!
     
  10. eva2000

    eva2000 Administrator Staff Member

    indeed :)