Hi, I installed Ubuntu 16.04 LTS according to the Perfect Server tutorial and use ISPConfig to host three domains (only one has real traffic). They all use Let's Encrypt SSL certificates which work perfectly in various browsers. If I use file_get_contents() in PHP to fetch the contents of a page of one of those domains, errors appear:

file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

If I try to fetch that URL with wget on the command line (with the web site user) then it works fine. In php.ini the cacert settings are empty, which means that the OS settings will be used. Since wget works fine I'd expect the OS defaults to work, yet they don't. Should it really be necessary to add extra .ini files to the PHP configuration? If yes, should the cacert path point to /etc/ssl/certs/? Thanks for your help!
Try to set in all global php.ini files:

openssl.cafile=/etc/ssl/certs/ca-certificates.crt

and then restart the web server and php-fpm. And in case the CA certificate from LE is missing in that file, add it.
Thanks for your answer. The problem seems to be somewhere else, I guess. Now the error changed to:

PHP Warning: failed loading cafile stream: `/etc/ssl/certs/ca-certificates.crt'

The file exists and is world readable:

228K -rw-r--r-- 1 root root 228K Jan 17 2019 /etc/ssl/certs/ca-certificates.crt

Hm... the user that runs the website has its own root at /var/www/clients/clientX/webY and in that directory is also a directory "etc" which of course does not contain the certs. The website user has no way to access the global /etc/ssl/certs/ directory. I don't think that cafile/capath should be set, but that ISPConfig needs configuration to let PHP OpenSSL access the OS certificate stores. What do you think?
The open_basedir adds a restriction; tried it and it didn't work. Could it be that jailkit prevents php from accessing the certificate store? If I su to user "web5" (which is the user for this domain) wget can't validate the certificate either. I also tried to wget URLs such as "https://www.google.com/" and these also failed. Oddly enough user web5 gets an older PHP version than the webserver reports. The more I look into the configuration the more I get confused :-(
The problem is that the certificate cannot be verified because the root certificate needed for the check is not found. This is usually installed and configured when installing php-curl. Could it be that this is missing for you? Try: "sudo apt install curl php-curl", then restart apache.

Answers to your other questions, although I think they are not related:

If php is executed by a user which is jailed, then it is affected. However, it should not affect the web user. How do you execute the php script? From web, from command line, cron? If it is from the command line as a jailed user, then have a look here: https://www.faqforge.com/linux/add-php-in-ssh-jail-ispconfig-3/ To access the certs, you should also add: directories = /etc/ssl/certs, /usr/share/ca-certificates

Use "sudo -u web5" to execute things as the web user. To try your php script, for example: "sudo -u web5 /usr/bin/php -f /var/www/clients/client1/web5/web/phpfile.php".

The web server php version (php-fpm) is different from the command line version. You can use /usr/bin/php7.3 if you want a specific one instead of the system default. (Do not change the system default; it will break ispconfig.)

Activating open_basedir adds a restriction. Only paths set in the "open_basedir" parameter can be accessed from php scripts. Therefore, the folders you want to access have to be added.

I would suggest placing a phpinfo file at the position where the failing script is and opening it the same way you test your script. Then have a look at the used PHP config file, open_basedir setting, openssl settings, etc.: https://www.php.net/manual/en/function.phpinfo.php
open_basedir is always on and restricts access to files inside the website, that's why you should extend it by this path. No, php-fpm is not jailed.
The certificates were already present on the server. If I use wget as root there is no problem with any HTTPS URL. I installed curl and php-curl, and the same error. I'm not sure if PHP is run as a jailed user. Till just said that php-fpm isn't jailed. It just looked like this to me as PHP reported that it couldn't find the cacert file. This would be perfectly understandable because the global path doesn't lead to a file if you look at it from the jailed user's perspective. Just noticed that the webserver reported PHP v7.0.33 (and some distro stuff) and the jailed user saw PHP v7.0.8. Not a huge thing, although you can run into some PHP bugs which are already fixed in later versions. It was just something I noticed. The PHP docs say: "Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself. [...] The default is to allow all files to be opened." So, if it's left blank then all folders can be accessed; if it's filled then only those folders are accessible. It doesn't add any accessible folders, it can only make restrictions on what is accessible. The application I'm running is TYPO3 CMS and part of it is an install tool which includes php info output. open_basedir can be restricted or empty, no difference in cert handling; openssl settings were originally empty (according to the PHP manual it will use the OS certificate stores in that case). I changed it to the cacert file and then it complained that it couldn't find that file (although it's on the server and world readable). It's still a mystery to me what goes wrong.
Is it installed for the PHP version you are using? This command installs it for the distro's standard version; it has to be the one you are using with your web. Do you see the extension in your php info file? What folder does "Configuration File (php.ini) Path" say? Different major releases (like php5.6, php7.3, php7.4 etc.) can coexist on a server without problems. However, you somehow have php7.0.33 and php7.0.8 on your server. This is likely to cause problems. What is the output of "dpkg -l php*" (to find all php versions installed via apt)? Have you ever compiled php by yourself and not used the ubuntu package?
Thanks for your reply. I'll use multiple replies to answer; the forum software complains about the length...

Yes:

cURL support: enabled
cURL Information: 7.47.0
Age: 3
Features: AsynchDNS Yes, CharConv No, Debug No, GSS-Negotiate No, IDN Yes, IPv6 Yes, krb4 No, Largefile Yes, libz Yes, NTLM Yes, NTLMWB Yes, SPNEGO Yes, SSL Yes, SSPI No, TLS-SRP Yes, HTTP2 No, GSSAPI Yes, KERBEROS5 Yes, UNIX_SOCKETS Yes, PSL No
Protocols: dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtmp, rtsp, smb, smbs, smtp, smtps, telnet, tftp
Host: x86_64-pc-linux-gnu
SSL Version: OpenSSL/1.0.2g
ZLib Version: 1.2.8

Configuration File (php.ini) Path: /etc/php/7.0/cgi
Loaded Configuration File: /var/www/conf/web5/php.ini
Scan this dir for additional .ini files: /etc/php/7.0/cgi/conf.d
dpkg -l php*

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)

Installed (ii) - Name, Version, Architecture, Description:

php-apcu  5.1.3+4.0.10-1build  amd64  APC User Cache for PHP
php-auth  1.6.4-1build1  all  Creating an authentication system
php-auth-sasl  1.0.6-2build1  all  Abstraction of various SASL mechanism responses
php-common  1:35ubuntu6.1  all  Common files for PHP packages
php-crypt-chap  1.5.0-1build1  all  Generating CHAP packets
php-curl  1:7.0+35ubuntu6.1  all  CURL module for PHP [default]
php-db  1.7.14-3build1  all  PHP PEAR Database Abstraction Layer
php-gettext  1.0.11-2build1  all  read gettext MO files directly, without requiring anything other
php-imagick  3.4.0~rc6-1ubuntu3  amd64  Provides a wrapper to the ImageMagick library
php-ldap  1:7.0+35ubuntu6.1  all  LDAP module for PHP [default]
php-log  1.12.9-1build1  all  Logging Framework
php-mail  1.3.0-1  all  Class that provides multiple interfaces for sending emails
php-mail-mime  1.10.0-2  all  PHP PEAR module for creating MIME messages
php-mail-mimedecode  1.5.5-3build1  all  Provides a class to decode mime messages
php-mbstring  1:7.0+35ubuntu6.1  all  MBSTRING module for PHP [default]
php-mdb2  2.5.0b5-1build1  all  merge of the PEAR DB and Metabase php database abstraction layer
php-memcache  3.0.9~20151130.fdbd  amd64  memcache extension module for PHP5
php-net-ldap2  2.2.0-1ubuntu1  all  Object oriented interface for searching and manipulating LDAP-en
php-net-ldap3  1.0.3-1build1  all  Object oriented interface for searching and manipulating LDAP en
php-net-sieve  1.3.4-2build1  all  Handles talking to a sieve server
php-net-smtp  1.7.1-1build1  all  PHP PEAR module implementing SMTP protocol
php-net-socket  1.0.14-1build1  all  PHP PEAR Network Socket Interface module
php-pear  1:1.10.1+submodules  all  PEAR Base System
php-phpseclib  2.0.1-1build1  all  implementations of an arbitrary-precision integer arithmetic lib
php-soap  1:7.0+35ubuntu6.1  all  SOAP module for PHP [default]
php-tcpdf  6.0.093+dfsg-1ubunt  all  PHP class for generating PDF files on-the-fly
php-xml  1:7.0+35ubuntu6.1  all  DOM, SimpleXML, WDDX, XML, and XSL module for PHP [default]
php7.0  7.0.33-0ubuntu0.16.  all  server-side, HTML-embedded scripting language (metapackage)
php7.0-cgi  7.0.33-0ubuntu0.16.  amd64  server-side, HTML-embedded scripting language (CGI binary)
php7.0-cli  7.0.33-0ubuntu0.16.  amd64  command-line interpreter for the PHP scripting language
php7.0-common  7.0.33-0ubuntu0.16.  amd64  documentation, examples and common module for PHP
php7.0-curl  7.0.33-0ubuntu0.16.  amd64  CURL module for PHP
php7.0-fpm  7.0.33-0ubuntu0.16.  amd64  server-side, HTML-embedded scripting language (FPM-CGI binary)
php7.0-gd  7.0.33-0ubuntu0.16.  amd64  GD module for PHP
php7.0-imap  7.0.33-0ubuntu0.16.  amd64  IMAP module for PHP
php7.0-intl  7.0.33-0ubuntu0.16.  amd64  Internationalisation module for PHP
php7.0-json  7.0.33-0ubuntu0.16.  amd64  JSON module for PHP
php7.0-ldap  7.0.33-0ubuntu0.16.  amd64  LDAP module for PHP
php7.0-mbstring  7.0.33-0ubuntu0.16.  amd64  MBSTRING module for PHP
php7.0-mcrypt  7.0.33-0ubuntu0.16.  amd64  libmcrypt module for PHP
php7.0-mysql  7.0.33-0ubuntu0.16.  amd64  MySQL module for PHP
php7.0-opcache  7.0.33-0ubuntu0.16.  amd64  Zend OpCache module for PHP
php7.0-pspell  7.0.33-0ubuntu0.16.  amd64  pspell module for PHP
php7.0-readline  7.0.33-0ubuntu0.16.  amd64  readline module for PHP
php7.0-recode  7.0.33-0ubuntu0.16.  amd64  recode module for PHP
php7.0-soap  7.0.33-0ubuntu0.16.  amd64  SOAP module for PHP
php7.0-sqlite3  7.0.33-0ubuntu0.16.  amd64  SQLite3 module for PHP
php7.0-tidy  7.0.33-0ubuntu0.16.  amd64  tidy module for PHP
php7.0-xml  7.0.33-0ubuntu0.16.  amd64  DOM, SimpleXML, WDDX, XML, and XSL module for PHP
php7.0-xmlrpc  7.0.33-0ubuntu0.16.  amd64  XMLRPC-EPI module for PHP
php7.0-xsl  7.0.33-0ubuntu0.16.  all  XSL module for PHP (dummy)
php7.0-zip  7.0.33-0ubuntu0.16.  amd64  Zip module for PHP
phpmyadmin  4:4.5.4.1-2ubuntu2.  all  MySQL web administration tool

Not installed (un, version <none>, no description available):

php, php-amqp, php-apcu-bc, php-ast, php-auth-radius, php-calendar, php-cgi, php-cli, php-console-getopt, php-crypt-gpg, php-ctype, php-dom, php-exif, php-file-passwd, php-file-smbpasswd, php-fileinfo, php-fpm, php-ftp, php-gd, php-geoip, php-gmagick, php-gmp, php-http-client, php-iconv, php-igbinary, php-imap, php-intl, php-json, php-kadm5, php-libsodium, php-mcrypt, php-mdb, php-memcached, php-mongodb, php-msgpack, php-mysql, php-mysqli, php-mysqlnd, php-net-pop3, php-net-vpopmaild, php-opcache, php-pdo, php-pdo-mysql, php-pdo-sqlite, php-pear-frontend-gtk, php-pear-frontend-web, php-phar, php-posix, php-pspell, php-radius, php-readline, php-recode, php-redis, php-rrd, php-saprfc, php-seclib, php-shmop, php-simplexml, php-smbclient, php-sockets, php-sqlite, php-sqlite3, php-ssh2, php-structures-graph, php-sysvmsg, php-sysvsem, php-sysvshm, php-tidy, php-tokenizer, php-uploadprogress, php-user-cache, php-uuid, php-vpopmail, php-wddx, php-xcache, php-xdebug, php-xml-util, php-xmlreader, php-xmlrpc, php-xmlwriter, php-xsl, php-yac, php-zip, php-zmq, php5, php5-cgi, php5-cli, php5-fpm, php5.6-common, php5.6-json, php7.0-calendar, php7.0-ctype, php7.0-dom, php7.0-exif, php7.0-fileinfo, php7.0-ftp, php7.0-gettext, php7.0-iconv, php7.0-mysqli, php7.0-mysqlnd, php7.0-pdo, php7.0-pdo-mysql, php7.0-pdo-sqlite, php7.0-phar, php7.0-posix, php7.0-shmop, php7.0-simplexml, php7.0-sockets, php7.0-sysvmsg, php7.0-sysvsem, php7.0-sysvshm, php7.0-tokenizer, php7.0-wddx, php7.0-xmlreader, php7.0-xmlwriter, phpapi-20151012

No, not yet. I was looking for a way to have newer versions, but I first want to tackle the problems with fetching the frontend output for indexing. The lower version (7.0.8) is only present for the user of the "clients" (as configured by ISPConfig).

# php -v
PHP 7.0.33-0ubuntu0.16.04.9 (cli) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.33-0ubuntu0.16.04.9, Copyright (c) 1999-2017, by Zend Technologies
# su web5
bash: dircolors: command not found
$ php -v
PHP 7.0.8-0ubuntu0.16.04.2 (cli) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.8-0ubuntu0.16.04.2, Copyright (c) 1999-2016, by Zend Technologies

I've followed the tutorial for the Perfect Server with Ubuntu 16.04, Apache, and so on. After that I regularly run the usual apt-get update/upgrade/clean routines to keep all packages up to date. Maybe ISPConfig copied PHP CLI once from the system to the jailed client and it didn't get updated any more (because it is a copy)?
Could be. Would explain the different version. Anyway, that jailed command line php is not used. All the others are consistent, looks good. You are running php via cgi (?). I have no experience with that. Would recommend to go for php-fpm, is much faster. Did not have a look at that tutorial, but I am relatively sure it goes for php-fpm (?). Use the packages from sury.org -> https://launchpad.net/~ondrej/+archive/ubuntu/php/ (https://www.howtoforge.com/tutorial...fig-3-from-debian-packages-on-debian-8-and-9/ should work similarly for ubuntu). I think it is easier to first upgrade ubuntu, but that has more risks.
wget and PHP are different applications. So the fact that wget knows the CA cert is no indication that PHP knows it; PHP needs the CA to be configured manually, and in case you use curl via PHP, that's an additional setting for the CA just for curl that needs to be set in the php.ini file. Add a PHP file with the phpinfo() function inside in the website, call it in the browser, there you see which exact php.ini is used by that PHP, and there you set the CA file:

openssl.cafile=/path/to/cafile.pem
curl.cainfo=/path/to/cafile.pem
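The check suggested in the replies above (a phpinfo file opened the same way the failing script runs, then the CA file settings for both the OpenSSL stream wrapper and php-curl) as one script. This is an added example and not code from the thread, from ISPConfig or from TYPO3; it prints only the phpinfo() fields that matter for this problem, tests whether the process can actually open the CA bundle under the open_basedir in effect, and then fetches the page with verification explicitly enabled through both file_get_contents() and cURL. The URL, the bundle path and the tlscheck.php name are assumptions to replace with your own.

```php
<?php
// Added diagnostic for the thread's problem; not part of the original posts.
// Run it exactly the way the failing script runs: through the web server
// (drop it into the site's web/ directory and open it in a browser), or as
// the web user on the command line (path is an assumption):
//   sudo -u web5 /usr/bin/php -f /var/www/clients/client1/web5/web/tlscheck.php
$url    = 'https://www.example.com/';            // assumed: a page on one of your domains
$cafile = '/etc/ssl/certs/ca-certificates.crt';  // Debian/Ubuntu system CA bundle

header('Content-Type: text/plain');  // readable in a browser; a no-op on the CLI

// 1. Which PHP and which configuration is really in use? This is the part of
//    phpinfo() that matters here.
printf("PHP %s via %s\n", PHP_VERSION, PHP_SAPI);
printf("loaded php.ini    : %s\n", php_ini_loaded_file() ?: '(none)');
printf("open_basedir      : %s\n", ini_get('open_basedir') ?: '(empty: no restriction)');
printf("openssl.cafile    : %s\n", ini_get('openssl.cafile') ?: '(empty: OpenSSL default)');
printf("curl.cainfo       : %s\n", ini_get('curl.cainfo') ?: '(empty: libcurl default)');

// 2. Where the OpenSSL extension looks when openssl.cafile/capath are empty.
$loc = openssl_get_cert_locations();
printf("default_cert_file : %s\n", $loc['default_cert_file']);
printf("default_cert_dir  : %s\n", $loc['default_cert_dir']);

// 3. Can this process open the bundle at all? open_basedir is enforced here,
//    so a "restriction in effect" message means the path must be added to
//    open_basedir; a plain NO with no message means the file is not visible
//    to this process (wrong path, or a chroot/jail without /etc/ssl/certs).
error_clear_last();
$ok  = @is_readable($cafile);
$err = error_get_last();
printf("is_readable(cafile): %s%s\n", $ok ? 'yes' : 'NO',
    $err ? ' (' . $err['message'] . ')' : '');

// Fetch through the stream wrapper with verification explicitly on and the
// bundle passed per request, so the result does not depend on php.ini.
function fetch_with_streams(string $url, string $cafile): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $cafile,
    ]]);
    error_clear_last();
    $body = @file_get_contents($url, false, $ctx);
    $err  = error_get_last();
    return [
        'ok'    => $body !== false,
        'bytes' => $body === false ? 0 : strlen($body),
        'error' => $body === false ? ($err['message'] ?? 'unknown') : null,
    ];
}

// Same fetch through cURL: php-curl uses libcurl, not the OpenSSL stream
// settings, so it has its own CA option (curl.cainfo / CURLOPT_CAINFO).
function fetch_with_curl(string $url, string $cafile): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never set to false to "fix" the error
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $cafile,
    ]);
    $body = curl_exec($ch);
    $out  = [
        'ok'    => $body !== false,
        'bytes' => $body === false ? 0 : strlen($body),
        'error' => $body === false ? curl_error($ch) : null,
    ];
    curl_close($ch);
    return $out;
}

$results = ['streams' => fetch_with_streams($url, $cafile)];
$results['curl'] = function_exists('curl_init')
    ? fetch_with_curl($url, $cafile)
    : ['ok' => false, 'bytes' => 0, 'error' => 'php-curl extension not loaded'];

foreach ($results as $via => $r) {
    printf("%-8s %s %d bytes%s\n", $via, $r['ok'] ? 'OK  ' : 'FAIL', $r['bytes'],
        $r['error'] ? ' - ' . $r['error'] : '');
}
```

Read the output top to bottom: if "loaded php.ini" is not the file you edited, the setting never reached this PHP. If is_readable reports an open_basedir message, extend open_basedir for the site to include /etc/ssl/certs rather than loosening anything else. If the bundle is readable but both fetches still fail with "certificate verify failed", the bundle or the chain the site serves is the problem, which you can confirm outside PHP with openssl s_client -connect host:443 -servername host -CAfile /etc/ssl/certs/ca-certificates.crt and its "Verify return code" line. Disabling verify_peer or CURLOPT_SSL_VERIFYPEER makes the warning disappear but leaves the fetch open to any interception, so it is not a fix.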