
XF 1.5 Unable to Connect to ssl://accounts.google.com:443

Discussion in 'Troubleshooting and Problems' started by DroidOne, Oct 13, 2016.

  1. DroidOne

    DroidOne Well-Known Member

    We started receiving error reports out of the blue a few days ago saying: "Unable to Connect to ssl://accounts.google.com:443. Error #0:"

    It seems that our Google integration isn't working anymore. When a user tries to log in via Google it simply says "An error occurred on the server". When I click the "Login with Google" button, the usual window pops up, but after authorizing access, the error message shows up and an error report is created.

    ReCAPTCHA generates the same error report, but still seems to be working. Users can reset password/create accounts, but an entry in the error log is created every time.

    I've double checked the API keys, and everything seems to be in order. Any ideas, or anyone else experiencing the same problem?

    Running XF 1.5.10. Both Twitter and Facebook sign-on are working great.

    Google integration:
    Code:
    Error Info
    Zend_Http_Client_Adapter_Exception: Unable to Connect to ssl://accounts.google.com:443. Error #0: - library/Zend/Http/Client/Adapter/Socket.php:235
    Generated By: Unknown Account, 4 minutes ago
    
    Stack Trace
    #0 /home/nginx/domains/domain.se/public/forum/library/Zend/Http/Client.php(973): Zend_Http_Client_Adapter_Socket->connect('ssl://accounts....', 443, true)
    #1 /home/nginx/domains/domain.se/public/forum/library/XenForo/ControllerPublic/Register.php(1044): Zend_Http_Client->request('POST')
    #2 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(351): XenForo_ControllerPublic_Register->actionGoogle()
    #3 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
    #4 /home/nginx/domains/domain.se/public/forum/index.php(13): XenForo_FrontController->run()
    #5 {main}
    
    Request State
    array(3) {
      ["url"] => string(117) "http://www.domain.se/forum/register/google?code=4/Ca-N5nCJ34DKBl35QM0r42Q5Kc8frGmwzVSfLe52Ojs&csrf=gxnwECj3R9ixAcFc"
      ["_GET"] => array(3) {
        ["/forum/register/google"] => string(0) ""
        ["code"] => string(45) "4/Ca-N5nCJ34DKBl35QM0r42Q5Kc8frGmwzVSfLe52Ojs"
        ["csrf"] => string(16) "gxnwECj3R9ixAcFc"
      }
      ["_POST"] => array(0) {
      }
    }
    Google Recaptcha:
    Code:
    Error Info
    Zend_Http_Client_Adapter_Exception: ReCAPTCHA (No CAPTCHA) connection error: Unable to Connect to ssl://www.google.com:443. Error #0: - library/Zend/Http/Client/Adapter/Socket.php:235
    Generated By: Unknown Account, 33 minutes ago
    
    Stack Trace
    #0 /home/nginx/domains/domain.se/public/forum/library/Zend/Http/Client.php(973): Zend_Http_Client_Adapter_Socket->connect('ssl://www.googl...', 443, true)
    #1 /home/nginx/domains/domain.se/public/forum/library/XenForo/Captcha/NoCaptcha.php(76): Zend_Http_Client->request('POST')
    #2 /home/nginx/domains/domain.se/public/forum/library/XenForo/Captcha/Abstract.php(129): XenForo_Captcha_NoCaptcha->isValid(Array)
    #3 /home/nginx/domains/domain.se/public/forum/library/XenForo/ControllerPublic/LostPassword.php(56): XenForo_Captcha_Abstract::validateDefault(Array)
    #4 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(351): XenForo_ControllerPublic_LostPassword->actionLost()
    #5 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
    #6 /home/nginx/domains/domain.se/public/forum/index.php(13): XenForo_FrontController->run()
    #7 {main}
    
    Request State
    array(3) {
      ["url"] => string(47) "http://www.domain.se/forum/lost-password/lost"
      ["_GET"] => array(1) {
        ["/forum/lost-password/lost"] => string(0) ""
      }
      ["_POST"] => array(3) {
        ["username_email"] => string(19) "user@gmail.com"
        ["g-recaptcha-response"] => string(932) "03AHJ_Vusb5m2VJxh1hrLQCAHEZwQC5eP3s7Q2ThaUwozFcvj5Z_G7dk0Xp6uiRpd8xSY3-2jOgxwGXXAnq-y5lVXwvZtQMavrksvxaWjIf_hrKCk-aslr4QT10E0X4p9MraWZQQl0uC5t6_QlCerS6DNwvSgeTZBxwRWxSqwl332h01qAfEvBdllP1G5HSlpQt1Sw5LqMbAOjQtzXZV2NfR3XWTo1_JM3JW7bwEBHADhzfWzjk0k5Ugm2DTC5oXjvaW3WFYWJpHSNEFyYrgeRSqdWWHGjZk6PEJO2kXRWPOyjCUGE3XpuuKy-JsPFy93GxExJ84NlTC0PSaD16kYRgZRwQnRZIiFdk9oK9GXbxUyQfBrwJXz7rysbnkhnbukjWAnou_yqzM0pJMiCMnTLWUhEoDICwks1cvjkEgQDzN1UZB4uuBk_YhLGnzBmYnGGJ2OqY71NNzY7q9_TR6HuGbJnRjr269FAKVL-zjx3ihi8rN8mgLGdTuZA4YgMJq7tSODtKxId9i54MQvYLPP4ePOtgSu5Dyzs5tGmb4f_J-OJNqkQeqAMlLG_sbDsHFO0Kt5eFd3P1x8nPgi5qdCdHS4Cbv4tukExdW4LNTDPOb2uFqjjy-BO4gDZOzhz9LaYLsL_ZYkdY4xbz6tPKtNUATkeq5dUM4itOpLb_Y84yYHrtY1g6wvGpO8oczP8ChJ-BHPuzHGSlkQFMMipaSQMCtJDQshogU80OmAeWS55NdGaDwDj9rzXH8b3Kqv-8DTnZeit-xBIncExR6nn6JnFbsDFgUdpUwiOMpO7CpQ4BYuuxoV9kc8sAmTyMRQXFwOLr23tRApbADZlKRVUG_GSTN__em48XuTJv0USPDc_tDupk8X-ubISQgdxm4xlGJhOu8LQQij6yxvasqu7rbcf1eM481DN27WMsA"
        ["_xfToken"] => string(8) "********"
      }
    }
     
  2. MattW

    MattW Well-Known Member

    And the server can connect to the Google domains:

    Code:
    # curl -vvv https://www.google.com
    * About to connect() to www.google.com port 443 (#0)
    *   Trying 216.58.212.100...
    * Connected to www.google.com (216.58.212.100) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
    *       start date: Oct 06 13:02:45 2016 GMT
    *       expire date: Dec 29 12:28:00 2016 GMT
    *       common name: www.google.com
    *       issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: www.google.com
    > Accept: */*
    > 
    < HTTP/1.1 302 Found
    < Cache-Control: private
    < Content-Type: text/html; charset=UTF-8
    < Location: https://www.google.se/?gfe_rd=cr&ei=Hpb_V62WDrCn8wfty56ABA
    < Content-Length: 259
    < Date: Thu, 13 Oct 2016 14:11:42 GMT
    < Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
    < 
    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>302 Moved</TITLE></HEAD><BODY>
    <H1>302 Moved</H1>
    The document has moved
    <A HREF="https://www.google.se/?gfe_rd=cr&amp;ei=Hpb_V62WDrCn8wfty56ABA">here</A>.
    </BODY></HTML>
    * Connection #0 to host www.google.com left intact
    
     
    DroidOne likes this.
  3. MattW

    MattW Well-Known Member

    Code:
    # curl -vvv https://accounts.google.com/
    * About to connect() to accounts.google.com port 443 (#0)
    *   Trying 216.58.211.109...
    * Connected to accounts.google.com (216.58.211.109) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=accounts.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
    *       start date: Oct 06 12:59:57 2016 GMT
    *       expire date: Dec 29 12:28:00 2016 GMT
    *       common name: accounts.google.com
    *       issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: accounts.google.com
    > Accept: */*
    > 
    < HTTP/1.1 302 Moved Temporarily
    < Content-Type: text/html; charset=UTF-8
    < Strict-Transport-Security: max-age=10893354; includeSubDomains
    < X-Frame-Options: DENY
    < Location: https://accounts.google.com/ManageAccount
    < Content-Length: 223
    < Date: Thu, 13 Oct 2016 14:15:18 GMT
    < Expires: Thu, 13 Oct 2016 14:15:18 GMT
    < Cache-Control: private, max-age=0
    < X-Content-Type-Options: nosniff
    < X-XSS-Protection: 1; mode=block
    < Server: GSE
    < Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
    < 
    <HTML>
    <HEAD>
    <TITLE>Moved Temporarily</TITLE>
    </HEAD>
    <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
    <H1>Moved Temporarily</H1>
    The document has moved <A HREF="https://accounts.google.com/ManageAccount">here</A>.
    </BODY>
    </HTML>
    * Connection #0 to host accounts.google.com left intact
    
     
  4. DroidOne

    DroidOne Well-Known Member

    Can I try and create a new "Google Project" via the API console? Or will that mean that all accounts associated with Google prior to the new project won't work anymore/have to be re-associated?
     
  5. MattW

    MattW Well-Known Member

    Getting somewhere
    upload_2016-10-13_16-28-3.png
     
    DroidOne likes this.
  6. Mike

    Mike XenForo Developer Staff Member

    I see "Unknown CA", so I'd look at the CA bundle that PHP is using. It may need to be updated.
     
    DroidOne likes this.
  7. MattW

    MattW Well-Known Member

    OK, this is fixed now.

    I've managed to track it down to the ini_cafile setting in php.ini

    Code:
    # /usr/local/bin/php -r "print_r(openssl_get_cert_locations());"
    Array
    (
        [default_cert_file] => /etc/pki/tls/cert.pem
        [default_cert_file_env] => SSL_CERT_FILE
        [default_cert_dir] => /etc/pki/tls/certs
        [default_cert_dir_env] => SSL_CERT_DIR
        [default_private_dir] => /etc/pki/tls/private
        [default_default_cert_area] => /etc/pki/tls
        [ini_cafile] => /etc/ssl/certs/cacert.pem
        [ini_capath] => 
    )
    
    This server is different to all the other ones I've set up (my own, for example):
    Code:
    # /usr/local/bin/php -r "print_r(openssl_get_cert_locations());"
    Array
    (
        [default_cert_file] => /opt/libressl/etc/ssl/cert.pem
        [default_cert_file_env] => SSL_CERT_FILE
        [default_cert_dir] => /opt/libressl/etc/ssl/certs
        [default_cert_dir_env] => SSL_CERT_DIR
        [default_private_dir] => /opt/libressl/etc/ssl/private
        [default_default_cert_area] => /opt/libressl/etc/ssl
        [ini_cafile] => 
        [ini_capath] => 
    )
    
    Quick grep in the centminmod build files
    Code:
    # grep -iR cafile *
    inc/phpsededit.inc:            echo "openssl.cafile = '/etc/ssl/certs/cacert.pem'" >> ${CONFIGSCANDIR}/curlcainfo.ini
    inc/phpsededit.inc:            sed -i '/openssl.cafile/d' ${CONFIGSCANDIR}/curlcainfo.ini
    inc/phpsededit.inc:            echo "openssl.cafile = '/etc/ssl/certs/cacert.pem'" >> ${CONFIGSCANDIR}/curlcainfo.ini
    inc/phpsededit.inc:            sed -i '/openssl.cafile/d' ${CONFIGSCANDIR}/curlcainfo.ini
    inc/postfix.inc:postconf -d smtp_tls_CAfile smtp_tls_security_level smtp_tls_loglevel smtp_tls_session_cache_database
    inc/postfix.inc:postconf -e 'smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt'
    inc/postfix.inc:postconf -n smtp_tls_CAfile smtp_tls_security_level smtp_tls_loglevel smtp_tls_session_cache_database
    
    Hey presto:
    Code:
    vim /etc/centminmod/php.d/curlcainfo.ini
    curl.cainfo = '/etc/ssl/certs/cacert.pem'
    openssl.cafile = '/etc/ssl/certs/cacert.pem'
    
    Removed openssl.cafile = '/etc/ssl/certs/cacert.pem' and restarted php-fpm

    Not sure how it's in this file on this server, but none of the others?

    @eva2000 ??
     
    eva2000, Sunka, Mike and 1 other person like this.
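
An added example, not part of MattW's post or of centminmod: a POSIX shell function that lists the active `openssl.cafile`, `openssl.capath` and `curl.cainfo` directives in a PHP ini scan directory and reports whether each target exists and how many PEM certificates it holds. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list CA-bundle overrides in a PHP ini
# scan directory. Output: <ini file>|<directive>|<path>|<status>
audit_ca_overrides() {
    dir=$1
    for f in "$dir"/*.ini; do
        [ -f "$f" ] || continue
        # Active lines only: a line starting with ';' is a comment and is skipped.
        grep -E '^[[:space:]]*(openssl\.cafile|openssl\.capath|curl\.cainfo)[[:space:]]*=' "$f" |
        while IFS='=' read -r key val; do
            key=$(printf '%s' "$key" | tr -d '[:space:]')
            # Drop a trailing comment, surrounding whitespace and one layer of quotes.
            val=$(printf '%s' "$val" | sed -e 's/;.*$//' \
                -e "s/^[[:space:]]*[\"']\{0,1\}//" -e "s/[\"']\{0,1\}[[:space:]]*\$//")
            if [ -z "$val" ]; then
                status=unset
            elif [ "$key" = "openssl.capath" ]; then
                if [ -d "$val" ]; then status=dir; else status=missing; fi
            elif [ ! -r "$val" ]; then
                status=missing
            else
                # Count PEM certificates; a bundle with 0 cannot verify any peer.
                n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$val" || true)
                status="certs=$n"
            fi
            printf '%s|%s|%s|%s\n' "$(basename "$f")" "$key" "$val" "$status"
        done
    done
}

# Constructed sample: a scan dir shaped like the thread's curlcainfo.ini, with
# the bundle paths redirected into a temp dir so the check runs anywhere.
make_sample() {
    t=$(mktemp -d)
    mkdir "$t/php.d"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n' > "$t/cacert.pem"
    cat > "$t/php.d/curlcainfo.ini" <<EOF
curl.cainfo = '$t/cacert.pem'
openssl.cafile = '$t/stale.pem'
;openssl.capath = '/ignored/comment'
EOF
    echo "$t/php.d"
}

audit_ca_overrides "$(make_sample)"
```

Point it at the real scan directory (on the server above, /etc/centminmod/php.d) and compare the result with the ini_cafile line from openssl_get_cert_locations().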
  8. DroidOne

    DroidOne Well-Known Member

    Thanks again @MattW for taking care of our problems :)
     
    MattW likes this.
  9. MattW

    MattW Well-Known Member

    Got to love tcpdump and wireshark :)
     
    eva2000 and DroidOne like this.
  10. MattW

    MattW Well-Known Member

    I've upgraded back to PHP 7.0.11, and it's added the setting back in, so it's the centminmod update causing the issue.
     
    Sunka and DroidOne like this.
  11. eva2000

    eva2000 Well-Known Member
