In PHP OpenSSL can't validate Let's Encrypt certs

Discussion in 'Installation/Configuration' started by Jigal van Hemert, Feb 9, 2020.

  1. Jigal van Hemert

    Jigal van Hemert New Member

    Hi,
    I installed Ubuntu 16.04 LTS according to the Perfect Server tutorial and use ISPConfig to host three domains (only one has real traffic). They all use Let's Encrypt SSL certificates which work perfect in various browsers.
    If I use file_get_contents() in PHP to fetch the contents of a page of one of those domains errors appear:
    file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    If I try to fetch that URL with wget on the command line (with the web site user) then it works fine.
    In php.ini the cacert settings are empty, which means that the OS settings will be used. Since wget works fine I'd expect the OS defaults to work, yet they don't.
    Should it really be necessary to add extra .ini files to the PHP configuration? If yes, should the cacert path point to /etc/ssl/certs/?
    Thanks for your help!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to set in all global php.ini files:

    openssl.cafile=/etc/ssl/certs/ca-certificates.crt

    and then restart the web server and php-fpm. And in case the ca certificate from LE is missing in that file, add it.
     
  3. Jigal van Hemert

    Jigal van Hemert New Member

    Thanks for your answer. The problem seems to be somewhere else I guess. Now the error changed to:
    Code:
    PHP Warning: failed loading cafile stream: `/etc/ssl/certs/ca-certificates.crt'
    The file exists and is world readable:
    Code:
    228K -rw-r--r-- 1 root root 228K Jan 17  2019 /etc/ssl/certs/ca-certificates.crt
    Hm... the user that runs the website has its own root at /var/www/clients/clientX/webY and in that directory is also a directory "etc" which of course does not contain the certs. The website user has no way to access the global /etc/ssl/certs/ directory.
    I don't think that cafile/capath should be set, but that ISPConfig needs configuration to let PHP OpenSSL access the OS certificate stores. What do you think?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Try adding the path /etc/ssl/certs/ to the ipen_basedir setting of that website.
     
  5. Jigal van Hemert

    Jigal van Hemert New Member

    The open_basedir adds a restriction; tried it and it didn't work.
    Could it be that jailkit prevents php from accessing the certificate store?
    If I su to user "web5" (which is the user for this domain) wget can't validate the certificate either. I also tried to wget URLs such as "https://www.google.com/" and these also failed. Oddly enough user web5 gets an older PHP version than the webserver reports.
    The more I look into the configuration the more I get confused :-(
     
  6. Steini86

    Steini86 Active Member

    The problem is, that the certificate can not be verified, because the root certificate needed for check is not found.
    This is usually installed and configured when installing php-curl. Could it be that this is missing for you? Try: "sudo apt install curl php-curl"
    Then restart apache

    If php is executed from a user which is jailed, then it is affected. However, it should not affect the web user. How do you execute the php script? From web, from command line, cron?
    If it is from command line as a jailed user, then have a look here: https://www.faqforge.com/linux/add-php-in-ssh-jail-ispconfig-3/
    To access the certs, you should also add: directories = /etc/ssl/certs, /usr/share/ca-certificates
    Use "sudo -u web5" to execute things as the web user. To try your php script for example: "sudo -u web5 /usr/bin/php -f /var/www/clients/client1/web5/web/phpfile.php".
    The web server php version (php-fpm) is different than the command line version. You can use /usr/bin/php7.3 if you want a specific one instead of the system default. (Do not change the system default, will break ispconfig)
    Activating open_basedir adds a restriction. Only paths set in the "open_basedir" parameter can be accessed from php scripts. Therefore, the folders you want to access have to be added.

    I would suggest to place a phpinfo file at the position where the failing script is and open it the same way you test your script. Then have a look at the used PHP config file, open_basedir setting, openssl settings, etc ..
    https://www.php.net/manual/en/function.phpinfo.php
     
    Last edited: Feb 11, 2020
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    open_basedir is always on and restricts access to files inside the website, that's why you should extend it by this path.

    No, php-fpm is not jailed.
     
  8. Jigal van Hemert

    Jigal van Hemert New Member

    The certificates were already present on the server. If I use wget as root there is no problem with any HTTPS URL.
    I installed curl and php-curl and the same error.

    I'm not sure if PHP is run as a jailed user. Til just said that php-fpm isn't jailed. It just looked like this to me as PHP reported that it couldn't find the cacert file. This would be perfectly understandable because the global path doesn't lead to a file if you look at it from the jailed user's persepective.

    Just noticed that the webserver reported PHP v 7.0.33 (and some distro stuff) and the jailed user saw PHP v 7.0.8. Not a huge thing although you can run into some PHP bugs which are already fixed in later versions. It was just something I noticed.

    The PHP docs say:
    "Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself. [...]The default is to allow all files to be opened."
    So, if it's left blank then all folders can be accessed, if it's filled than only those folders are accessible. It doesn't add any accessible folders, it can only make restrictions on what is accessible.

    The application I'm running is TYPO3 CMS and part of it is an install tool which includes php info output. open basedir can be restricted or empty, no difference in cert handling; openssl settings were originally empty (according to PHP manual it will use the OS certificate stores in that case). I changed it to the cacert file and then it complained that it couldn't find that file (although it's on the server and world readable).

    It's still a mystery to me what goes wrong.
     
  9. Steini86

    Steini86 Active Member

    Is it installed for the PHP version you are using? This command installs it for the distros standard version, it has to be the one you are using with your web. Do you see the extension in your php info file?
    What folder does "Configuration File (php.ini) Path" say?

    Different major releases (like php5.6, php7.3, php7.4 etc) can coexist on a server without problems. However, you somehow have php7.0.33 and php7.0.8 on your server. This is likely to cause problems.
    What is the output of "dkpg -l php*" (to find all (via apt) installed php versions.
    Have you ever compiled php by yourself and not used the ubuntu package?
     
    Last edited: Feb 15, 2020 at 5:50 PM
  10. Jigal van Hemert

    Jigal van Hemert New Member

    Thanks for your reply.
    I'll use multiple replies to answer; the forum software complains about the length...
    Yes,
    Code:
    curl
    cURL support     enabled
    cURL Information     7.47.0
    Age     3
    Features
    AsynchDNS     Yes
    CharConv     No
    Debug     No
    GSS-Negotiate     No
    IDN     Yes
    IPv6     Yes
    krb4     No
    Largefile     Yes
    libz     Yes
    NTLM     Yes
    NTLMWB     Yes
    SPNEGO     Yes
    SSL     Yes
    SSPI     No
    TLS-SRP     Yes
    HTTP2     No
    GSSAPI     Yes
    KERBEROS5     Yes
    UNIX_SOCKETS     Yes
    PSL     No
    Protocols     dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtmp, rtsp, smb, smbs, smtp, smtps, telnet, tftp
    Host     x86_64-pc-linux-gnu
    SSL Version     OpenSSL/1.0.2g
    ZLib Version     1.2.8 
    Code:
    Configuration File (php.ini) Path     /etc/php/7.0/cgi
    Loaded Configuration File     /var/www/conf/web5/php.ini
    Scan this dir for additional .ini files     /etc/php/7.0/cgi/conf.d 
    >>>
     
  11. Jigal van Hemert

    Jigal van Hemert New Member

    Code:
     dpkg -l php*
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name                          Version             Architecture        Description
    +++-=============================-===================-===================-================================================================
    un  php                           <none>              <none>              (no description available)
    un  php-amqp                      <none>              <none>              (no description available)
    ii  php-apcu                      5.1.3+4.0.10-1build amd64               APC User Cache for PHP
    un  php-apcu-bc                   <none>              <none>              (no description available)
    un  php-ast                       <none>              <none>              (no description available)
    ii  php-auth                      1.6.4-1build1       all                 Creating an authentication system
    un  php-auth-radius               <none>              <none>              (no description available)
    ii  php-auth-sasl                 1.0.6-2build1       all                 Abstraction of various SASL mechanism responses
    un  php-calendar                  <none>              <none>              (no description available)
    un  php-cgi                       <none>              <none>              (no description available)
    un  php-cli                       <none>              <none>              (no description available)
    ii  php-common                    1:35ubuntu6.1       all                 Common files for PHP packages
    un  php-console-getopt            <none>              <none>              (no description available)
    ii  php-crypt-chap                1.5.0-1build1       all                 Generating CHAP packets
    un  php-crypt-gpg                 <none>              <none>              (no description available)
    un  php-ctype                     <none>              <none>              (no description available)
    ii  php-curl                      1:7.0+35ubuntu6.1   all                 CURL module for PHP [default]
    ii  php-db                        1.7.14-3build1      all                 PHP PEAR Database Abstraction Layer
    un  php-dom                       <none>              <none>              (no description available)
    un  php-exif                      <none>              <none>              (no description available)
    un  php-file-passwd               <none>              <none>              (no description available)
    un  php-file-smbpasswd            <none>              <none>              (no description available)
    un  php-fileinfo                  <none>              <none>              (no description available)
    un  php-fpm                       <none>              <none>              (no description available)
    un  php-ftp                       <none>              <none>              (no description available)
    un  php-gd                        <none>              <none>              (no description available)
    un  php-geoip                     <none>              <none>              (no description available)
    ii  php-gettext                   1.0.11-2build1      all                 read gettext MO files directly, without requiring anything other
    un  php-gmagick                   <none>              <none>              (no description available)
    un  php-gmp                       <none>              <none>              (no description available)
    un  php-http-client               <none>              <none>              (no description available)
    un  php-iconv                     <none>              <none>              (no description available)
    un  php-igbinary                  <none>              <none>              (no description available)
    ii  php-imagick                   3.4.0~rc6-1ubuntu3  amd64               Provides a wrapper to the ImageMagick library
    un  php-imap                      <none>              <none>              (no description available)
    un  php-intl                      <none>              <none>              (no description available)
    un  php-json                      <none>              <none>              (no description available)
    un  php-kadm5                     <none>              <none>              (no description available)
    ii  php-ldap                      1:7.0+35ubuntu6.1   all                 LDAP module for PHP [default]
    un  php-libsodium                 <none>              <none>              (no description available)
    ii  php-log                       1.12.9-1build1      all                 Logging Framework
    ii  php-mail                      1.3.0-1             all                 Class that provides multiple interfaces for sending emails
    ii  php-mail-mime                 1.10.0-2            all                 PHP PEAR module for creating MIME messages
    ii  php-mail-mimedecode           1.5.5-3build1       all                 Provides a class to decode mime messages
    ii  php-mbstring                  1:7.0+35ubuntu6.1   all                 MBSTRING module for PHP [default]
    un  php-mcrypt                    <none>              <none>              (no description available)
    un  php-mdb                       <none>              <none>              (no description available)
    ii  php-mdb2                      2.5.0b5-1build1     all                 merge of the PEAR DB and Metabase php database abstraction layer
    ii  php-memcache                  3.0.9~20151130.fdbd amd64               memcache extension module for PHP5
    un  php-memcached                 <none>              <none>              (no description available)
    un  php-mongodb                   <none>              <none>              (no description available)
    un  php-msgpack                   <none>              <none>              (no description available)
    un  php-mysql                     <none>              <none>              (no description available)
    
     
  12. Jigal van Hemert

    Jigal van Hemert New Member

    Code:
    un  php-mysqli                    <none>              <none>              (no description available)
    un  php-mysqlnd                   <none>              <none>              (no description available)
    ii  php-net-ldap2                 2.2.0-1ubuntu1      all                 Object oriented interface for searching and manipulating LDAP-en
    ii  php-net-ldap3                 1.0.3-1build1       all                 Object oriented interface for searching and manipulating LDAP en
    un  php-net-pop3                  <none>              <none>              (no description available)
    ii  php-net-sieve                 1.3.4-2build1       all                 Handles talking to a sieve server
    ii  php-net-smtp                  1.7.1-1build1       all                 PHP PEAR module implementing SMTP protocol
    ii  php-net-socket                1.0.14-1build1      all                 PHP PEAR Network Socket Interface module
    un  php-net-vpopmaild             <none>              <none>              (no description available)
    un  php-opcache                   <none>              <none>              (no description available)
    un  php-pdo                       <none>              <none>              (no description available)
    un  php-pdo-mysql                 <none>              <none>              (no description available)
    un  php-pdo-sqlite                <none>              <none>              (no description available)
    ii  php-pear                      1:1.10.1+submodules all                 PEAR Base System
    un  php-pear-frontend-gtk         <none>              <none>              (no description available)
    un  php-pear-frontend-web         <none>              <none>              (no description available)
    un  php-phar                      <none>              <none>              (no description available)
    ii  php-phpseclib                 2.0.1-1build1       all                 implementations of an arbitrary-precision integer arithmetic lib
    un  php-posix                     <none>              <none>              (no description available)
    un  php-pspell                    <none>              <none>              (no description available)
    un  php-radius                    <none>              <none>              (no description available)
    un  php-readline                  <none>              <none>              (no description available)
    un  php-recode                    <none>              <none>              (no description available)
    un  php-redis                     <none>              <none>              (no description available)
    un  php-rrd                       <none>              <none>              (no description available)
    un  php-saprfc                    <none>              <none>              (no description available)
    un  php-seclib                    <none>              <none>              (no description available)
    un  php-shmop                     <none>              <none>              (no description available)
    un  php-simplexml                 <none>              <none>              (no description available)
    un  php-smbclient                 <none>              <none>              (no description available)
    ii  php-soap                      1:7.0+35ubuntu6.1   all                 SOAP module for PHP [default]
    un  php-sockets                   <none>              <none>              (no description available)
    un  php-sqlite                    <none>              <none>              (no description available)
    un  php-sqlite3                   <none>              <none>              (no description available)
    un  php-ssh2                      <none>              <none>              (no description available)
    un  php-structures-graph          <none>              <none>              (no description available)
    un  php-sysvmsg                   <none>              <none>              (no description available)
    un  php-sysvsem                   <none>              <none>              (no description available)
    un  php-sysvshm                   <none>              <none>              (no description available)
    ii  php-tcpdf                     6.0.093+dfsg-1ubunt all                 PHP class for generating PDF files on-the-fly
    un  php-tidy                      <none>              <none>              (no description available)
    un  php-tokenizer                 <none>              <none>              (no description available)
    un  php-uploadprogress            <none>              <none>              (no description available)
    un  php-user-cache                <none>              <none>              (no description available)
    un  php-uuid                      <none>              <none>              (no description available)
    un  php-vpopmail                  <none>              <none>              (no description available)
    un  php-wddx                      <none>              <none>              (no description available)
    un  php-xcache                    <none>              <none>              (no description available)
    un  php-xdebug                    <none>              <none>              (no description available)
    ii  php-xml                       1:7.0+35ubuntu6.1   all                 DOM, SimpleXML, WDDX, XML, and XSL module for PHP [default]
    un  php-xml-util                  <none>              <none>              (no description available)
    un  php-xmlreader                 <none>              <none>              (no description available)
    un  php-xmlrpc                    <none>              <none>              (no description available)
    un  php-xmlwriter                 <none>              <none>              (no description available)
    un  php-xsl                       <none>              <none>              (no description available)
    un  php-yac                       <none>              <none>              (no description available)
    un  php-zip                       <none>              <none>              (no description available)
    un  php-zmq                       <none>              <none>              (no description available)
    un  php5                          <none>              <none>              (no description available)
    un  php5-cgi                      <none>              <none>              (no description available)
    un  php5-cli                      <none>              <none>              (no description available)
    un  php5-fpm                      <none>              <none>              (no description available)
    un  php5.6-common                 <none>              <none>              (no description available)
    un  php5.6-json                   <none>              <none>              (no description available)
    ii  php7.0                        7.0.33-0ubuntu0.16. all                 server-side, HTML-embedded scripting language (metapackage)
    un  php7.0-calendar               <none>              <none>              (no description available)
    ii  php7.0-cgi                    7.0.33-0ubuntu0.16. amd64               server-side, HTML-embedded scripting language (CGI binary)
    ii  php7.0-cli                    7.0.33-0ubuntu0.16. amd64               command-line interpreter for the PHP scripting language
    ii  php7.0-common                 7.0.33-0ubuntu0.16. amd64               documentation, examples and common module for PHP
    un  php7.0-ctype                  <none>              <none>              (no description available)
    ii  php7.0-curl                   7.0.33-0ubuntu0.16. amd64               CURL module for PHP
    un  php7.0-dom                    <none>              <none>              (no description available)
    un  php7.0-exif                   <none>              <none>              (no description available)
    un  php7.0-fileinfo               <none>              <none>              (no description available)
    
    >>>>
     
  13. Jigal van Hemert

    Jigal van Hemert New Member

    Code:
    ii  php7.0-fpm                    7.0.33-0ubuntu0.16. amd64               server-side, HTML-embedded scripting language (FPM-CGI binary)
    un  php7.0-ftp                    <none>              <none>              (no description available)
    ii  php7.0-gd                     7.0.33-0ubuntu0.16. amd64               GD module for PHP
    un  php7.0-gettext                <none>              <none>              (no description available)
    un  php7.0-iconv                  <none>              <none>              (no description available)
    ii  php7.0-imap                   7.0.33-0ubuntu0.16. amd64               IMAP module for PHP
    ii  php7.0-intl                   7.0.33-0ubuntu0.16. amd64               Internationalisation module for PHP
    ii  php7.0-json                   7.0.33-0ubuntu0.16. amd64               JSON module for PHP
    ii  php7.0-ldap                   7.0.33-0ubuntu0.16. amd64               LDAP module for PHP
    ii  php7.0-mbstring               7.0.33-0ubuntu0.16. amd64               MBSTRING module for PHP
    ii  php7.0-mcrypt                 7.0.33-0ubuntu0.16. amd64               libmcrypt module for PHP
    ii  php7.0-mysql                  7.0.33-0ubuntu0.16. amd64               MySQL module for PHP
    un  php7.0-mysqli                 <none>              <none>              (no description available)
    un  php7.0-mysqlnd                <none>              <none>              (no description available)
    ii  php7.0-opcache                7.0.33-0ubuntu0.16. amd64               Zend OpCache module for PHP
    un  php7.0-pdo                    <none>              <none>              (no description available)
    un  php7.0-pdo-mysql              <none>              <none>              (no description available)
    un  php7.0-pdo-sqlite             <none>              <none>              (no description available)
    un  php7.0-phar                   <none>              <none>              (no description available)
    un  php7.0-posix                  <none>              <none>              (no description available)
    ii  php7.0-pspell                 7.0.33-0ubuntu0.16. amd64               pspell module for PHP
    ii  php7.0-readline               7.0.33-0ubuntu0.16. amd64               readline module for PHP
    ii  php7.0-recode                 7.0.33-0ubuntu0.16. amd64               recode module for PHP
    un  php7.0-shmop                  <none>              <none>              (no description available)
    un  php7.0-simplexml              <none>              <none>              (no description available)
    ii  php7.0-soap                   7.0.33-0ubuntu0.16. amd64               SOAP module for PHP
    un  php7.0-sockets                <none>              <none>              (no description available)
    ii  php7.0-sqlite3                7.0.33-0ubuntu0.16. amd64               SQLite3 module for PHP
    un  php7.0-sysvmsg                <none>              <none>              (no description available)
    un  php7.0-sysvsem                <none>              <none>              (no description available)
    un  php7.0-sysvshm                <none>              <none>              (no description available)
    ii  php7.0-tidy                   7.0.33-0ubuntu0.16. amd64               tidy module for PHP
    un  php7.0-tokenizer              <none>              <none>              (no description available)
    un  php7.0-wddx                   <none>              <none>              (no description available)
    ii  php7.0-xml                    7.0.33-0ubuntu0.16. amd64               DOM, SimpleXML, WDDX, XML, and XSL module for PHP
    un  php7.0-xmlreader              <none>              <none>              (no description available)
    ii  php7.0-xmlrpc                 7.0.33-0ubuntu0.16. amd64               XMLRPC-EPI module for PHP
    un  php7.0-xmlwriter              <none>              <none>              (no description available)
    ii  php7.0-xsl                    7.0.33-0ubuntu0.16. all                 XSL module for PHP (dummy)
    ii  php7.0-zip                    7.0.33-0ubuntu0.16. amd64               Zip module for PHP
    un  phpapi-20151012               <none>              <none>              (no description available)
    ii  phpmyadmin                    4:4.5.4.1-2ubuntu2. all                 MySQL web administration tool
    
    No, not yet. I was looking for a way to have newer versions, but I first want to tackle the problems with fetching the fronted output for indexing.

    The lower version (7.0.8) is only present for the user of the "clients" (as configured by ISPConfig).
    Code:
    [email protected]:~# php -v
    PHP 7.0.33-0ubuntu0.16.04.9 (cli) ( NTS )
    Copyright (c) 1997-2017 The PHP Group
    Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
        with Zend OPcache v7.0.33-0ubuntu0.16.04.9, Copyright (c) 1999-2017, by Zend Technologies
    [email protected]:~# su web5
    bash: dircolors: command not found
    [email protected]:~$ php -v
    PHP 7.0.8-0ubuntu0.16.04.2 (cli) ( NTS )
    Copyright (c) 1997-2016 The PHP Group
    Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
        with Zend OPcache v7.0.8-0ubuntu0.16.04.2, Copyright (c) 1999-2016, by Zend Technologies
    
    I've followed the tutorial for the Perfect Server with Ubuntu 16.04, Apache, and so on. After that I regularly run the usual apt-get update/upgrade/clean routines to keep all packages up to date. Maybe ISPConfig copied PHP CLI once from the system to the jailed client and it didn't get updated any more (because it is a copy)?
    <<<
     
  14. Steini86

    Steini86 Active Member

    Could be. Would explain the different version. Anyway, that jailed command line php is not used. All the others are consistent, looks good.
    Your are running php via cgi (?). I have no experience with that. Would recommend to go for php-fpm, is much faster.
    Did not have a look at that tutorial, but I am relatively sure, it goes for php-fpm (?)
    Use the packages from sury.org -> https://launchpad.net/~ondrej/+archive/ubuntu/php/
    (https://www.howtoforge.com/tutorial...fig-3-from-debian-packages-on-debian-8-and-9/ should work similar for ubuntu). I think it is easier to first upgrade ubuntu. But has more risks ;)
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    wget and PHP are different applications. So that wget knows the ca cert is no indication that PHP knows it and PHP needs the ca to be configured manually and in case you use curl via php, then thats an additional settings for the ca just for curl that needs to be set in php.ini file.

    add a php file with the phpinfo() function inside in the website, call it in the browser, there you see which exact php.ini is used by that php and there you set the CA file.


    openssl.cafile=/path/to/cafile.pem
    curl.cainfo=/path/to/cafile.pem
     

Share This Page