• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

XF 1.5 Unable to Connect to ssl://accounts.google.com:443

DroidOne

Well-known member
#1
We started receiving error reports out of the blue a few days ago saying: "Unable to Connect to ssl://accounts.google.com:443. Error #0:"

It seems that our Google integration isn't working anymore. When a user tries to login via Google it simply says "An error occurred on the server". When I click the "Login with Google" button, the usual window pops up, but after authorizing access, the error message shows up and an error report is created.

ReCAPTCA generates the same error report, but still seems to be working. Users can reset password/create accounts, but an entry in the error log is created every time.

I've double checked the API keys, and everything seems to be in order. Any ideas, or anyone else experiencing the same problem?

Running XF 1.5.10. Both Twitter and Facebook sign on is working great.

Google integration:
Code:
Error Info
Zend_Http_Client_Adapter_Exception: Unable to Connect to ssl://accounts.google.com:443. Error #0: - library/Zend/Http/Client/Adapter/Socket.php:235
Generated By: Unknown Account, 4 minutes ago

Stack Trace
#0 /home/nginx/domains/domain.se/public/forum/library/Zend/Http/Client.php(973): Zend_Http_Client_Adapter_Socket->connect('ssl://accounts....', 443, true)
#1 /home/nginx/domains/domain.se/public/forum/library/XenForo/ControllerPublic/Register.php(1044): Zend_Http_Client->request('POST')
#2 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(351): XenForo_ControllerPublic_Register->actionGoogle()
#3 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#4 /home/nginx/domains/domain.se/public/forum/index.php(13): XenForo_FrontController->run()
#5 {main}

Request State
array(3) {
  ["url"] => string(117) "http://www.domain.se/forum/register/google?code=4/Ca-N5nCJ34DKBl35QM0r42Q5Kc8frGmwzVSfLe52Ojs&csrf=gxnwECj3R9ixAcFc"
  ["_GET"] => array(3) {
    ["/forum/register/google"] => string(0) ""
    ["code"] => string(45) "4/Ca-N5nCJ34DKBl35QM0r42Q5Kc8frGmwzVSfLe52Ojs"
    ["csrf"] => string(16) "gxnwECj3R9ixAcFc"
  }
  ["_POST"] => array(0) {
  }
}
Google Recaptcha;
Code:
Error Info
Zend_Http_Client_Adapter_Exception: ReCAPTCHA (No CAPTCHA) connection error: Unable to Connect to ssl://www.google.com:443. Error #0: - library/Zend/Http/Client/Adapter/Socket.php:235
Generated By: Unknown Account, 33 minutes ago

Stack Trace
#0 /home/nginx/domains/domain.se/public/forum/library/Zend/Http/Client.php(973): Zend_Http_Client_Adapter_Socket->connect('ssl://www.googl...', 443, true)
#1 /home/nginx/domains/domain.se/public/forum/library/XenForo/Captcha/NoCaptcha.php(76): Zend_Http_Client->request('POST')
#2 /home/nginx/domains/domain.se/public/forum/library/XenForo/Captcha/Abstract.php(129): XenForo_Captcha_NoCaptcha->isValid(Array)
#3 /home/nginx/domains/domain.se/public/forum/library/XenForo/ControllerPublic/LostPassword.php(56): XenForo_Captcha_Abstract::validateDefault(Array)
#4 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(351): XenForo_ControllerPublic_LostPassword->actionLost()
#5 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#6 /home/nginx/domains/domain.se/public/forum/index.php(13): XenForo_FrontController->run()
#7 {main}

Request State
array(3) {
  ["url"] => string(47) "http://www.domain.se/forum/lost-password/lost"
  ["_GET"] => array(1) {
    ["/forum/lost-password/lost"] => string(0) ""
  }
  ["_POST"] => array(3) {
    ["username_email"] => string(19) "user@gmail.com"
    ["g-recaptcha-response"] => string(932) "03AHJ_Vusb5m2VJxh1hrLQCAHEZwQC5eP3s7Q2ThaUwozFcvj5Z_G7dk0Xp6uiRpd8xSY3-2jOgxwGXXAnq-y5lVXwvZtQMavrksvxaWjIf_hrKCk-aslr4QT10E0X4p9MraWZQQl0uC5t6_QlCerS6DNwvSgeTZBxwRWxSqwl332h01qAfEvBdllP1G5HSlpQt1Sw5LqMbAOjQtzXZV2NfR3XWTo1_JM3JW7bwEBHADhzfWzjk0k5Ugm2DTC5oXjvaW3WFYWJpHSNEFyYrgeRSqdWWHGjZk6PEJO2kXRWPOyjCUGE3XpuuKy-JsPFy93GxExJ84NlTC0PSaD16kYRgZRwQnRZIiFdk9oK9GXbxUyQfBrwJXz7rysbnkhnbukjWAnou_yqzM0pJMiCMnTLWUhEoDICwks1cvjkEgQDzN1UZB4uuBk_YhLGnzBmYnGGJ2OqY71NNzY7q9_TR6HuGbJnRjr269FAKVL-zjx3ihi8rN8mgLGdTuZA4YgMJq7tSODtKxId9i54MQvYLPP4ePOtgSu5Dyzs5tGmb4f_J-OJNqkQeqAMlLG_sbDsHFO0Kt5eFd3P1x8nPgi5qdCdHS4Cbv4tukExdW4LNTDPOb2uFqjjy-BO4gDZOzhz9LaYLsL_ZYkdY4xbz6tPKtNUATkeq5dUM4itOpLb_Y84yYHrtY1g6wvGpO8oczP8ChJ-BHPuzHGSlkQFMMipaSQMCtJDQshogU80OmAeWS55NdGaDwDj9rzXH8b3Kqv-8DTnZeit-xBIncExR6nn6JnFbsDFgUdpUwiOMpO7CpQ4BYuuxoV9kc8sAmTyMRQXFwOLr23tRApbADZlKRVUG_GSTN__em48XuTJv0USPDc_tDupk8X-ubISQgdxm4xlGJhOu8LQQij6yxvasqu7rbcf1eM481DN27WMsA"
    ["_xfToken"] => string(8) "********"
  }
}
 

MattW

Well-known member
#2
and the server can connect to the Google domains

Code:
# curl -vvv https://www.google.com
* About to connect() to www.google.com port 443 (#0)
*   Trying 216.58.212.100...
* Connected to www.google.com (216.58.212.100) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
*       start date: Oct 06 13:02:45 2016 GMT
*       expire date: Dec 29 12:28:00 2016 GMT
*       common name: www.google.com
*       issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.google.com
> Accept: */*
> 
< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Location: https://www.google.se/?gfe_rd=cr&ei=Hpb_V62WDrCn8wfty56ABA
< Content-Length: 259
< Date: Thu, 13 Oct 2016 14:11:42 GMT
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< 
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.se/?gfe_rd=cr&amp;ei=Hpb_V62WDrCn8wfty56ABA">here</A>.
</BODY></HTML>
* Connection #0 to host www.google.com left intact
 

MattW

Well-known member
#3
Code:
# curl -vvv https://accounts.google.com/
* About to connect() to accounts.google.com port 443 (#0)
*   Trying 216.58.211.109...
* Connected to accounts.google.com (216.58.211.109) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=accounts.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
*       start date: Oct 06 12:59:57 2016 GMT
*       expire date: Dec 29 12:28:00 2016 GMT
*       common name: accounts.google.com
*       issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: accounts.google.com
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
< Content-Type: text/html; charset=UTF-8
< Strict-Transport-Security: max-age=10893354; includeSubDomains
< X-Frame-Options: DENY
< Location: https://accounts.google.com/ManageAccount
< Content-Length: 223
< Date: Thu, 13 Oct 2016 14:15:18 GMT
< Expires: Thu, 13 Oct 2016 14:15:18 GMT
< Cache-Control: private, max-age=0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< 
<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://accounts.google.com/ManageAccount">here</A>.
</BODY>
</HTML>
* Connection #0 to host accounts.google.com left intact
 

DroidOne

Well-known member
#4
Can I try and create a new "Google Project" via the API console? Or will that mean that all accounts associated with Google prior to the new project won't work anymore/have to be re-associated?
 

MattW

Well-known member
#7
OK, this is fixed now.

I've managed to track it down to the ini_cafile setting in php.ini

Code:
# /usr/local/bin/php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /etc/pki/tls/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /etc/pki/tls/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /etc/pki/tls/private
    [default_default_cert_area] => /etc/pki/tls
    [ini_cafile] => /etc/ssl/certs/cacert.pem
    [ini_capath] => 
)
This server is different to all the other ones I've set up (mine own for example)
Code:
# /usr/local/bin/php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /opt/libressl/etc/ssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /opt/libressl/etc/ssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /opt/libressl/etc/ssl/private
    [default_default_cert_area] => /opt/libressl/etc/ssl
    [ini_cafile] => 
    [ini_capath] => 
)
Quick grep in the centminmod build files
Code:
# grep -iR cafile *
inc/phpsededit.inc:            echo "openssl.cafile = '/etc/ssl/certs/cacert.pem'" >> ${CONFIGSCANDIR}/curlcainfo.ini
inc/phpsededit.inc:            sed -i '/openssl.cafile/d' ${CONFIGSCANDIR}/curlcainfo.ini
inc/phpsededit.inc:            echo "openssl.cafile = '/etc/ssl/certs/cacert.pem'" >> ${CONFIGSCANDIR}/curlcainfo.ini
inc/phpsededit.inc:            sed -i '/openssl.cafile/d' ${CONFIGSCANDIR}/curlcainfo.ini
inc/postfix.inc:postconf -d smtp_tls_CAfile smtp_tls_security_level smtp_tls_loglevel smtp_tls_session_cache_database
inc/postfix.inc:postconf -e 'smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt'
inc/postfix.inc:postconf -n smtp_tls_CAfile smtp_tls_security_level smtp_tls_loglevel smtp_tls_session_cache_database
Hey presto:
Code:
vim /etc/centminmod/php.d/curlcainfo.ini
curl.cainfo = '/etc/ssl/certs/cacert.pem'
openssl.cafile = '/etc/ssl/certs/cacert.pem'
Removed openssl.cafile = '/etc/ssl/certs/cacert.pem' and restarted php-fpm

Not sure how it's in this file on this server, but none of the others?

@eva2000 ??