XF 1.5 Unable to Connect to ssl://accounts.google.com:443

DroidOne

Well-known member
We started receiving error reports out of the blue a few days ago saying: "Unable to Connect to ssl://accounts.google.com:443. Error #0:"

It seems that our Google integration isn't working anymore. When a user tries to log in via Google it simply says "An error occurred on the server". When I click the "Login with Google" button, the usual window pops up, but after authorizing access, the error message shows up and an error report is created.

reCAPTCHA generates the same error report, but still seems to be working. Users can reset password/create accounts, but an entry in the error log is created every time.

I've double checked the API keys, and everything seems to be in order. Any ideas, or anyone else experiencing the same problem?

Running XF 1.5.10. Both Twitter and Facebook sign-on are working great.

Google integration:
Code:
Error Info
Zend_Http_Client_Adapter_Exception: Unable to Connect to ssl://accounts.google.com:443. Error #0: - library/Zend/Http/Client/Adapter/Socket.php:235
Generated By: Unknown Account, 4 minutes ago

Stack Trace
#0 /home/nginx/domains/domain.se/public/forum/library/Zend/Http/Client.php(973): Zend_Http_Client_Adapter_Socket->connect('ssl://accounts....', 443, true)
#1 /home/nginx/domains/domain.se/public/forum/library/XenForo/ControllerPublic/Register.php(1044): Zend_Http_Client->request('POST')
#2 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(351): XenForo_ControllerPublic_Register->actionGoogle()
#3 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#4 /home/nginx/domains/domain.se/public/forum/index.php(13): XenForo_FrontController->run()
#5 {main}

Request State
array(3) {
  ["url"] => string(117) "http://www.domain.se/forum/register/google?code=4/Ca-N5nCJ34DKBl35QM0r42Q5Kc8frGmwzVSfLe52Ojs&csrf=gxnwECj3R9ixAcFc"
  ["_GET"] => array(3) {
    ["/forum/register/google"] => string(0) ""
    ["code"] => string(45) "4/Ca-N5nCJ34DKBl35QM0r42Q5Kc8frGmwzVSfLe52Ojs"
    ["csrf"] => string(16) "gxnwECj3R9ixAcFc"
  }
  ["_POST"] => array(0) {
  }
}

Google reCAPTCHA:
Code:
Error Info
Zend_Http_Client_Adapter_Exception: ReCAPTCHA (No CAPTCHA) connection error: Unable to Connect to ssl://www.google.com:443. Error #0: - library/Zend/Http/Client/Adapter/Socket.php:235
Generated By: Unknown Account, 33 minutes ago

Stack Trace
#0 /home/nginx/domains/domain.se/public/forum/library/Zend/Http/Client.php(973): Zend_Http_Client_Adapter_Socket->connect('ssl://www.googl...', 443, true)
#1 /home/nginx/domains/domain.se/public/forum/library/XenForo/Captcha/NoCaptcha.php(76): Zend_Http_Client->request('POST')
#2 /home/nginx/domains/domain.se/public/forum/library/XenForo/Captcha/Abstract.php(129): XenForo_Captcha_NoCaptcha->isValid(Array)
#3 /home/nginx/domains/domain.se/public/forum/library/XenForo/ControllerPublic/LostPassword.php(56): XenForo_Captcha_Abstract::validateDefault(Array)
#4 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(351): XenForo_ControllerPublic_LostPassword->actionLost()
#5 /home/nginx/domains/domain.se/public/forum/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#6 /home/nginx/domains/domain.se/public/forum/index.php(13): XenForo_FrontController->run()
#7 {main}

Request State
array(3) {
  ["url"] => string(47) "http://www.domain.se/forum/lost-password/lost"
  ["_GET"] => array(1) {
    ["/forum/lost-password/lost"] => string(0) ""
  }
  ["_POST"] => array(3) {
    ["username_email"] => string(19) "user@gmail.com"
    ["g-recaptcha-response"] => string(932) "03AHJ_Vusb5m2VJxh1hrLQCAHEZwQC5eP3s7Q2ThaUwozFcvj5Z_G7dk0Xp6uiRpd8xSY3-2jOgxwGXXAnq-y5lVXwvZtQMavrksvxaWjIf_hrKCk-aslr4QT10E0X4p9MraWZQQl0uC5t6_QlCerS6DNwvSgeTZBxwRWxSqwl332h01qAfEvBdllP1G5HSlpQt1Sw5LqMbAOjQtzXZV2NfR3XWTo1_JM3JW7bwEBHADhzfWzjk0k5Ugm2DTC5oXjvaW3WFYWJpHSNEFyYrgeRSqdWWHGjZk6PEJO2kXRWPOyjCUGE3XpuuKy-JsPFy93GxExJ84NlTC0PSaD16kYRgZRwQnRZIiFdk9oK9GXbxUyQfBrwJXz7rysbnkhnbukjWAnou_yqzM0pJMiCMnTLWUhEoDICwks1cvjkEgQDzN1UZB4uuBk_YhLGnzBmYnGGJ2OqY71NNzY7q9_TR6HuGbJnRjr269FAKVL-zjx3ihi8rN8mgLGdTuZA4YgMJq7tSODtKxId9i54MQvYLPP4ePOtgSu5Dyzs5tGmb4f_J-OJNqkQeqAMlLG_sbDsHFO0Kt5eFd3P1x8nPgi5qdCdHS4Cbv4tukExdW4LNTDPOb2uFqjjy-BO4gDZOzhz9LaYLsL_ZYkdY4xbz6tPKtNUATkeq5dUM4itOpLb_Y84yYHrtY1g6wvGpO8oczP8ChJ-BHPuzHGSlkQFMMipaSQMCtJDQshogU80OmAeWS55NdGaDwDj9rzXH8b3Kqv-8DTnZeit-xBIncExR6nn6JnFbsDFgUdpUwiOMpO7CpQ4BYuuxoV9kc8sAmTyMRQXFwOLr23tRApbADZlKRVUG_GSTN__em48XuTJv0USPDc_tDupk8X-ubISQgdxm4xlGJhOu8LQQij6yxvasqu7rbcf1eM481DN27WMsA"
    ["_xfToken"] => string(8) "********"
  }
}
 
And the server can connect to the Google domains:

Code:
# curl -vvv https://www.google.com
* About to connect() to www.google.com port 443 (#0)
*   Trying 216.58.212.100...
* Connected to www.google.com (216.58.212.100) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
*       start date: Oct 06 13:02:45 2016 GMT
*       expire date: Dec 29 12:28:00 2016 GMT
*       common name: www.google.com
*       issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.google.com
> Accept: */*
> 
< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Location: https://www.google.se/?gfe_rd=cr&ei=Hpb_V62WDrCn8wfty56ABA
< Content-Length: 259
< Date: Thu, 13 Oct 2016 14:11:42 GMT
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< 
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.se/?gfe_rd=cr&amp;ei=Hpb_V62WDrCn8wfty56ABA">here</A>.
</BODY></HTML>
* Connection #0 to host www.google.com left intact
 
Code:
# curl -vvv https://accounts.google.com/
* About to connect() to accounts.google.com port 443 (#0)
*   Trying 216.58.211.109...
* Connected to accounts.google.com (216.58.211.109) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=accounts.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
*       start date: Oct 06 12:59:57 2016 GMT
*       expire date: Dec 29 12:28:00 2016 GMT
*       common name: accounts.google.com
*       issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: accounts.google.com
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
< Content-Type: text/html; charset=UTF-8
< Strict-Transport-Security: max-age=10893354; includeSubDomains
< X-Frame-Options: DENY
< Location: https://accounts.google.com/ManageAccount
< Content-Length: 223
< Date: Thu, 13 Oct 2016 14:15:18 GMT
< Expires: Thu, 13 Oct 2016 14:15:18 GMT
< Cache-Control: private, max-age=0
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< 
<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://accounts.google.com/ManageAccount">here</A>.
</BODY>
</HTML>
* Connection #0 to host accounts.google.com left intact
 
Can I try and create a new "Google Project" via the API console? Or will that mean that all accounts associated with Google prior to the new project won't work anymore/have to be re-associated?
 
OK, this is fixed now.

I've managed to track it down to the ini_cafile setting in php.ini

Code:
# /usr/local/bin/php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /etc/pki/tls/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /etc/pki/tls/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /etc/pki/tls/private
    [default_default_cert_area] => /etc/pki/tls
    [ini_cafile] => /etc/ssl/certs/cacert.pem
    [ini_capath] => 
)

This server is different to all the other ones I've set up (my own for example)
Code:
# /usr/local/bin/php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /opt/libressl/etc/ssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /opt/libressl/etc/ssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /opt/libressl/etc/ssl/private
    [default_default_cert_area] => /opt/libressl/etc/ssl
    [ini_cafile] => 
    [ini_capath] => 
)

Quick grep in the centminmod build files
Code:
# grep -iR cafile *
inc/phpsededit.inc:            echo "openssl.cafile = '/etc/ssl/certs/cacert.pem'" >> ${CONFIGSCANDIR}/curlcainfo.ini
inc/phpsededit.inc:            sed -i '/openssl.cafile/d' ${CONFIGSCANDIR}/curlcainfo.ini
inc/phpsededit.inc:            echo "openssl.cafile = '/etc/ssl/certs/cacert.pem'" >> ${CONFIGSCANDIR}/curlcainfo.ini
inc/phpsededit.inc:            sed -i '/openssl.cafile/d' ${CONFIGSCANDIR}/curlcainfo.ini
inc/postfix.inc:postconf -d smtp_tls_CAfile smtp_tls_security_level smtp_tls_loglevel smtp_tls_session_cache_database
inc/postfix.inc:postconf -e 'smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt'
inc/postfix.inc:postconf -n smtp_tls_CAfile smtp_tls_security_level smtp_tls_loglevel smtp_tls_session_cache_database

Hey presto:
Code:
vim /etc/centminmod/php.d/curlcainfo.ini
curl.cainfo = '/etc/ssl/certs/cacert.pem'
openssl.cafile = '/etc/ssl/certs/cacert.pem'

Removed openssl.cafile = '/etc/ssl/certs/cacert.pem' and restarted php-fpm

Not sure how it's in this file on this server, but none of the others?

@eva2000 ??
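
The check this thread arrives at, written as a reusable script (an added example, not part of the original posts and not centminmod's own code): it scans a PHP ini scan directory for active `openssl.cafile` and `curl.cainfo` overrides and reports whether each referenced bundle is missing, unreadable, contains no certificates, or is usable. The function name `audit_ca_overrides`, the status labels and the demo files are assumptions made for the example; the thread does not say why the overridden bundle failed.

```sh
#!/bin/sh
# Added example (not from the thread): list CA-bundle overrides in a PHP ini
# scan directory and report whether each referenced bundle is usable.
# Output per override, tab-separated:
#   ini-file  directive  bundle-path  status  cert-count
# status is one of: missing, unreadable, no-certs, ok

audit_ca_overrides() {
    scan_dir=$1
    for ini in "$scan_dir"/*.ini; do
        [ -f "$ini" ] || continue
        # Only active (uncommented) openssl.cafile / curl.cainfo lines.
        grep -E '^[[:space:]]*(openssl\.cafile|curl\.cainfo)[[:space:]]*=' "$ini" |
        while IFS= read -r line; do
            key=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*([a-z.]+)[[:space:]]*=.*/\1/')
            # Value: drop "key =", a trailing "; comment", then surrounding quotes.
            val=$(printf '%s\n' "$line" | sed -E "s/^[^=]*=[[:space:]]*//; s/[[:space:]]*(;.*)?\$//; s/^[\"']//; s/[\"']\$//")
            # An empty value means no override (PHP falls back to its default).
            [ -n "$val" ] || continue
            count=0
            if [ ! -e "$val" ]; then
                status=missing
            elif [ ! -r "$val" ]; then
                status=unreadable
            else
                count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$val" || true)
                if [ "$count" -gt 0 ]; then status=ok; else status=no-certs; fi
            fi
            printf '%s\t%s\t%s\t%s\t%s\n' "$ini" "$key" "$val" "$status" "$count"
        done
    done
}

# Constructed demo input mirroring the thread's curlcainfo.ini: one override
# points at a placeholder bundle, the other at a file that does not exist.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' \
        '-----END CERTIFICATE-----' > "$d/good.pem"
    printf "curl.cainfo = '%s'\nopenssl.cafile = '%s'\n" \
        "$d/good.pem" "$d/cacert.pem" > "$d/curlcainfo.ini"
    audit_ca_overrides "$d"
    rm -rf "$d"
}

# Pass a real scan directory as $1, or run with no arguments for the demo.
if [ "$#" -gt 0 ]; then audit_ca_overrides "$1"; else demo; fi
```

Run it against the scan directory from the thread (`/etc/centminmod/php.d`) and compare the reported paths with `default_cert_file` from `openssl_get_cert_locations()`.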
 