XF 1.4 Trouble loading resources via SSL

DeltaHF

Best Weekly GIF Winner
Since applying the 1.4.10 patch (I think - I have since completed the full upgrade to 1.4.10), my XenForo install has had intermittent difficulty connecting to external sites and services running SSL. The problem manifests in a few ways:

1.) My Server Error Logs are full of these messages. Note that the Sitemap can't be submitted to Google, either. (I'm not sure about those TCP errors from Blogspot. It appears they were generated by a user attempting to load images into the XFMG from a Blogspot URL.)
Screen Shot 2015-08-03 at 6.18.54 PM.webp

2.) The image proxy seemingly randomly fails to load images served from SSL origin servers. Certain images hosted by Wikimedia, Flickr, Pinterest, and other major CDNs all report the same "Error #110: Connection timed out" error message when I input their URLs to the Image Proxy test in the AdminCP.

3.) The XF Media Gallery cannot pull thumbnails or metadata from YouTube when submitting new media. It generates roughly the same message in the Server Error Logs:

Code:
Zend_Http_Client_Adapter_Exception: Unable to Connect to ssl://www.youtube.com:443. Error #110: Connection timed out - library/Zend/Http/Client/Adapter/Socket.php:235
Generated By: username, 23 minutes ago

I'm at a bit of a loss on how to troubleshoot this further. Any help would be appreciated.
 
We haven't made any changes here, and these are typically connectivity issues. For persistent connectivity issues, these won't be caused by changes in the code so the first port of call would be looking into any changes that may have been made on the server/network side.
 
I have been getting these as well. I haven't found anything that would suggest it is a XenForo issue, unfortunately, as it would be easier to track down.
 
Interesting that you're also seeing this, @Dan. What is your server configuration like? I'm on a dedicated server, CentOS 6.6, configured with Centminmod (Nginx/PHP-FPM/MariaDB/CSF Firewall).

Since posting this thread, I've tried using wget to download two of the images that were failing, bypassing PHP:
Code:
$ wget https://s-media-cache-ak0.pinimg.com/736x/86/ea/2b/86ea2bb8fc6e82c1db13e1b3cbf09742.jpg

--2015-08-03 18:47:59--  https://s-media-cache-ak0.pinimg.com/736x/86/ea/2b/86ea2bb8fc6e82c1db13e1b3cbf09742.jpg
Resolving s-media-cache-ak0.pinimg.com... 2600:1408:17:3a2::2781, 2600:1408:17:39e::2781, 2600:1408:17:3a0::2781, ...
Connecting to s-media-cache-ak0.pinimg.com|2600:1408:17:3a2::2781|:443... failed: Connection timed out.
Connecting to s-media-cache-ak0.pinimg.com|2600:1408:17:39e::2781|:443... failed: Connection timed out.
Connecting to s-media-cache-ak0.pinimg.com|2600:1408:17:3a0::2781|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 71070 (69K) [image/jpeg]
Saving to: “86ea2bb8fc6e82c1db13e1b3cbf09742.jpg”

100%[=========================================================================================================================>] 71,070      --.-K/s   in 0.03s

2015-08-03 18:48:30 (2.31 MB/s) - “86ea2bb8fc6e82c1db13e1b3cbf09742.jpg” saved [71070/71070]
Code:
$ wget https://upload.wikimedia.org/wikipedia/commons/c/ce/Alfa_Romeo_GTV_facelift_front.JPG

--2015-08-03 18:51:29--  https://upload.wikimedia.org/wikipedia/commons/c/ce/Alfa_Romeo_GTV_facelift_front.JPG
Resolving upload.wikimedia.org... 2620:0:861:ed1a::2:b, 208.80.154.240
Connecting to upload.wikimedia.org|2620:0:861:ed1a::2:b|:443... failed: Connection timed out.
Connecting to upload.wikimedia.org|208.80.154.240|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 442188 (432K) [image/jpeg]
Saving to: “Alfa_Romeo_GTV_facelift_front.JPG”

100%[=========================================================================================================================>] 442,188     2.35M/s   in 0.2s  

2015-08-03 18:51:44 (2.35 MB/s) - “Alfa_Romeo_GTV_facelift_front.JPG” saved [442188/442188]
Curiously, both of these hosts seem to be using IPv6 in addition to SSL, and I'm sure Google supports IPv6 for their account authorization servers, too...
 
What is your server configuration like? I'm on a dedicated server, CentOS 6.6, configured with Centminmod (Nginx/PHP-FPM/MariaDB/CSF Firewall).
Centos 6.6 VPS with standard lamp with CSF Firewall

The above samples work for me though they are not trying IPv6 :
Code:
root@host [~]# wget https://upload.wikimedia.org/wikipedia/commons/c/ce/Alfa_Romeo_GTV_facelift_front.JPG
--2015-08-03 18:45:33--  https://upload.wikimedia.org/wikipedia/commons/c/ce/Alfa_Romeo_GTV_facelift_front.JPG
Resolving upload.wikimedia.org... 208.80.154.240, 2620:0:861:ed1a::2:b
Connecting to upload.wikimedia.org|208.80.154.240|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 442188 (432K) [image/jpeg]
Saving to: “Alfa_Romeo_GTV_facelift_front.JPG”

100%[======================================>] 442,188     2.00M/s   in 0.2s   

2015-08-03 18:45:34 (2.00 MB/s) - “Alfa_Romeo_GTV_facelift_front.JPG” saved [442188/442188]
 
I found the problem: a misconfigured router on my hosting company's network was delaying IPv6 traffic.

@BamaStangGuy @Dan @bloop Are you guys also hosting with ReliableSite.net?

I was able to identify the problematic router by running some mtr trace routes out of my server to IPv6 compatible hosts. As you can see, it was always failing at the fourth hop if I let it default to IPv6. When forcing it to IPv4 (with the -4 flag), it completed the trace quickly.
Code:
$ mtr --report --report-cycles=20 google.com
HOST: server.mydomain.net        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 2605:9880:0:65::1             0.0%    20    0.3   0.6   0.2   4.2   1.0
  2. ethernetethernet15-c5-14-a2-  0.0%    20    0.2   0.3   0.2   0.4   0.0
  3. vl210-br2.pnj1.choopa.net    0.0%    20    4.0   4.0   0.2  12.5   4.5
  4. ???                          100.0    20    0.0   0.0   0.0   0.0   0.0

$ mtr --report -4 google.com
HOST: server.mydomain.net        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. hosted-by.reliablesite.net   0.0%    10    0.8   0.8   0.7   0.8   0.0
  2. ethernetethernet15-c5-14-a2-  0.0%    10    0.1   0.2   0.1   0.3   0.0
  3. vl210-br2.pnj1.choopa.net    0.0%    10    0.2   0.2   0.2   0.3   0.1
  4. 108.61.244.41                 0.0%    10  100.9  12.2   0.2 100.9  31.4
  5. core1-0-2-0.lga.net.google.c  0.0%    10    1.1   1.2   1.0   1.3   0.1
  6. 216.239.50.108                0.0%    10    1.9   1.8   1.6   2.0   0.1
  7. 209.85.253.111                0.0%    10    1.8   1.8   1.7   1.9   0.1
  8. lga25s40-in-f14.1e100.net    0.0%    10    1.8   1.8   1.7   2.1   0.1

$ mtr --report google.com
HOST: server.mydomain.net        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 2605:9880:0:65::1             0.0%    10    0.3   0.3   0.2   0.4   0.0
  2. ethernetethernet15-c5-14-a2-  0.0%    10    0.2   0.3   0.2   0.3   0.0
  3. vl210-br2.pnj1.choopa.net    0.0%    10    1.8   1.0   0.2   3.8   1.2
  4. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0

$ mtr --report -4 upload.wikimedia.org
HOST: server.mydomain.net        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. hosted-by.reliablesite.net   0.0%    10    0.8   0.8   0.6   0.9   0.1
  2. ethernetethernet15-c5-14-a2-  0.0%    10    0.2   0.2   0.2   0.2   0.0
  3. vl210-br2.pnj1.choopa.net    0.0%    10    0.3   2.1   0.2   9.6   3.7
  4. 108.61.244.41                 0.0%    10    2.3   4.7   0.2  11.9   4.0
  5. nyc1-core.gigabiteth4-0.swip  0.0%    10    1.1   1.1   1.0   1.3   0.1
  6. ash1-peer-1.xe-0-2-1-unit0.t  0.0%    10    6.9   6.8   6.7   6.9   0.1
  7. 130.244.6.243                 0.0%    10    7.0   6.8   6.7   7.0   0.1
  8. upload-lb.eqiad.wikimedia.or  0.0%    10    6.5   6.3   6.2   6.6   0.2

$ mtr --report upload.wikimedia.org
HOST: server.mydomain.net        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 2605:9880:0:65::1             0.0%    10    0.3   0.3   0.2   0.6   0.1
  2. ethernetethernet15-c5-14-a2-  0.0%    10    0.2   0.3   0.2   0.4   0.0
  3. vl210-br2.pnj1.choopa.net    0.0%    10    0.2   0.8   0.2   4.1   1.2
  4. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0

$ mtr --report -4 facebook.com
HOST: server.mydomain.net        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. hosted-by.reliablesite.net   0.0%    10    0.7   0.7   0.6   0.8   0.0
  2. ethernetethernet15-c5-14-a2-  0.0%    10    0.2   0.2   0.1   0.2   0.0
  3. vl210-br2.pnj1.choopa.net    0.0%    10    0.3   3.4   0.2   9.8   3.7
  4. ae-33.r05.nycmny01.us.bb.gin  0.0%    10    1.6   1.5   1.4   1.6   0.1
  5. ae-1.r23.nycmny01.us.bb.gin. 90.0%    10    8.8   8.8   8.8   8.8   0.0
  6. ae-9.r22.asbnva02.us.bb.gin.  0.0%    10    7.2   7.6   7.1  10.2   0.9
  7. ae-44.r06.asbnva02.us.bb.gin  0.0%    10    7.4   7.6   7.4   7.9   0.2
  8. ae-2.facebook.asbnva02.us.bb 0.0%    10    7.9   9.7   6.9  30.0   7.2
  9. be12.bb01.iad3.tfbnw.net     0.0%    10   25.8  25.7  25.6  25.9   0.1
10. ae28.bb04.frc3.tfbnw.net     0.0%    10   22.7  24.0  22.6  31.7   2.8
11. ae4.dr05.frc1.tfbnw.net      0.0%    10   22.8  22.5  22.3  22.8   0.2
12. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
13. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
14. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
15. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
16. edge-star-shv-12-frc3.facebo  0.0%    10   25.3  25.2  25.1  25.3   0.1

$ mtr --report facebook.com
HOST: server.mydomain.net        Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 2605:9880:0:65::1             0.0%    10    0.3   0.3   0.2   0.5   0.1
  2. ethernetethernet15-c5-14-a2-  0.0%    10    0.2   0.3   0.2   0.4   0.1
  3. vl210-br2.pnj1.choopa.net    0.0%    10    0.2   2.3   0.2   8.3   3.0
  4. ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
I sent these mtr results to RelaibleSite and they had it fixed in a few hours. Since then, no problems running trace routes, no problems connecting to accounts.google.com, and no more image proxy issues. If you are hosting with another provider, I would recommend running these tests from your server to confirm.

Thanks to @eva2000 for helping me troubleshoot this!
 
Ah! The problem may already be fixed for you, assuming all our servers' traffic is running through that same router.

Note that the broken images in XenForo's Image Proxy won't immediately fix themselves until they expire or are requested again.
 
I know...they kind of set themselves up with that name, didn't they? :ROFLMAO:

To their credit, though, they were very responsive and fixed the problem quickly, and I've been very happy with their service, otherwise.
 
I sent these mtr results to RelaibleSite and they had it fixed in a few hours. Since then, no problems running trace routes, no problems connecting to accounts.google.com, and no more image proxy issues. If you are hosting with another provider, I would recommend running these tests from your server to confirm.

Thanks to @eva2000 for helping me troubleshoot this!
Nice seems to have a few folks on reliablesite hosting hit with this :)

Glad I was able to steer you in right direction :)
 
I know...they kind of set themselves up with that name, didn't they? :ROFLMAO:

To their credit, though, they were very responsive and fixed the problem quickly, and I've been very happy with their service, otherwise.
Their recent ipv6 issue caused my site to be down for over 24 hours.
Twice.
They only have email support and it took several hours to get a reply "we are assigning this to a technician who will look into this" while my paying customers post on our FB account about what's going on.
To say I"m not happy is an understatement. I seriously considered moving to another host.
Maybe I still move after this.
 
Their recent ipv6 issue caused my site to be down for over 24 hours.
Twice.
They only have email support and it took several hours to get a reply "we are assigning this to a technician who will look into this" while my paying customers post on our FB account about what's going on.
To say I"m not happy is an understatement. I seriously considered moving to another host.
Maybe I still move after this.
Yikes, yeah, that's not good. Best of luck in whatever you decide to do.

@DeltaHF Thanks for this. I am with KnownHost but I will check into this. On a side note, haven't received another of these errors in some time.
I actually think KnownHost operates out of the same datacenter in Piscataway, New Jersey. It's a huge facility.
 
  • Like
Reactions: Dan
Hello,

Thank you for the details. We have notified the networking team and will keep you updated until the issue has been resolved.

Thank you,
ReliableSite.Net LLC
 
@BamaStangGuy @Dan @bloop @DeltaHF
Not sure if you guys get these errors last few days

Code:
Zend_Http_Client_Adapter_Exception: Read timed out after 10 seconds - library/Zend/Http/Client/Adapter/Socket.php:512
Generated By: Unknown Account, Today at 3:13 PM
Stack Trace
#0 /home/nginx/domains/public/library/Zend/Http/Client/Adapter/Socket.php(330): Zend_Http_Client_Adapter_Socket->_checkSocketReadTimeout()
#1 /home/nginx/domains/public/library/Zend/Http/Client.php(989): Zend_Http_Client_Adapter_Socket->read()
#2 /home/nginx/domains/public/library/DigitalPointBetterAnalytics/Helper/Reporting.php(491): Zend_Http_Client->request('GET')
#3 /home/nginx/domains/public/library/DigitalPointBetterAnalytics/Helper/Reporting.php(395): DigitalPointBetterAnalytics_Helper_Reporting->_execHandler('analytics_realt...')
#4 /home/nginx/domains/public/library/DigitalPointBetterAnalytics/Model/Analytics.php(205): DigitalPointBetterAnalytics_Helper_Reporting->getRealtime('rt:activeUsers', 'rt:pagePath', '-rt:activeUsers', 'rt:pagePath=~/i...')
#5 /home/nginx/domains/public/library/DigitalPointBetterAnalytics/CronEntry/Cron.php(15): DigitalPointBetterAnalytics_Model_Analytics->getRealtimeUsage()
#6 [internal function]: DigitalPointBetterAnalytics_CronEntry_Cron::runVeryOften(Array)
#7 /home/nginx/domains/public/library/XenForo/Model/Cron.php(357): call_user_func(Array, Array)
#8 /home/nginx/domains/public/library/WhoHasReadAThread/Model/Cron.php(30): XenForo_Model_Cron->runEntry(Array)
#9 /home/nginx/domains/public/library/XenForo/Deferred/Cron.php(24): WhoHasReadAThread_Model_Cron->runEntry(Array)
#10 /home/nginx/domains/public/library/XenForo/Model/Deferred.php(294): XenForo_Deferred_Cron->execute(Array, Array, 7.9999971389771, '')
#11 /home/nginx/domains/public/library/XenForo/Model/Deferred.php(428): XenForo_Model_Deferred->runDeferred(Array, 7.9999971389771, '', false)
#12 /home/nginx/domains/public/library/XenForo/Model/Deferred.php(373): XenForo_Model_Deferred->_runInternal(Array, NULL, '', false)
#13 /home/nginx/domains/public/deferred.php(23): XenForo_Model_Deferred->run(false)
#14 {main}

Not sure if this is a Google server issue, my host issue or something with @digitalpoint Better Analytics addon.
 
Top Bottom