eVdaimon

Member
Jun 1, 2011
9
2
53
Hi,

When using cURL in a PHP script, it produces error (7) at times.

I notice this on PayPal IPN script and Facebook login scripts which both use cURL.

Here is a sample error message:
PHP Fatal error: Uncaught exception 'Exception' with message 'cURL error: [7] Failed to connect to ipnpb.paypal.com port 443: Connection refused'

When I try using fsockopen for PayPal IPN, the error goes away. So, I already have a workaround. I am interested though to solve the cURL problem.

When the error hits, the only way I have to fix it, is to UPDATE WHM. When I update WHM, it is fixed. I suspect that during WHM update, something is restarted perhaps. What could this be?

Is perhaps cURL failing in some way? Perhaps tailwatchd could be helpful here?

The frequency is random and I do not know what causes it. It can be once per day or once per week. There is no standard. I do update WHM daily anyway, to auto fix this, just in case.

However, when I read the update log, I see no reported issues. Everything seems fine.

This is not a firewall issue. I have already checked this. In general, I have checked a lot of things over... the years for this issue. I have found ways to work around it but it would be great if I could fix it in the first place.

Thank you
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston

eVdaimon

Thank you for your response.

I have come across one of the links. Following the other one, I found different versions of OpenSSL on the machine:

Code:
[root ~]# php --ri openssl

openssl

OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.2q  20 Nov 2018
OpenSSL Header Version => OpenSSL 1.0.2q  20 Nov 2018
Openssl default config => /opt/cpanel/ea-openssl/etc/pki/tls/openssl.cnf
Code:
[root ~]# openssl
OpenSSL> version
OpenSSL 1.0.1e-fips 11 Feb 2013
Code:
 ~]# yum info openssl
Installed Packages
Name        : openssl
Arch        : x86_64
Version     : 1.0.1e
Release     : 57.el6
Size        : 4.1 M
Repo        : installed
From repo   : base
Summary     : A general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
I also found this similar forum topic that has no final solution for the same issue: "Issue with openssl version after update"
 

eVdaimon

Here it is:
Code:
[root]# rpm -qa |grep openssl
ea-openssl-1.0.2q-1.1.1.cpanel.x86_64
openssl-devel-1.0.1e-57.el6.x86_64
openssl-1.0.1e-57.el6.x86_64
[root]#
 

cPanelLauren

Hi @eVdaimon

If you run
Code:
yum check-update openssl
is there an update available? If not, do you have anything excluding OpenSSL updates in /etc/yum.conf?
Code:
grep "exclude" /etc/yum.conf
Also, if you go to WHM >> Service Configuration >> Apache Configuration >> Global Configuration >> SSL/TLS Protocols, can you tell me what protocols are enabled?

Thanks!
 

eVdaimon

I do not see an update:
Code:
# yum check-update openssl
Loaded plugins: fastestmirror, security, universal-hooks
Loading mirror speeds from cached hostfile
 * EA4: 208.74.123.62
 * cpanel-addons-production-feed: 208.74.123.62
 * base: repos.dfw.quadranet.com
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: repos.dfw.quadranet.com
 * updates: repos.dfw.quadranet.com

Here are the exclude options:
Code:
]# grep "exclude" /etc/yum.conf
exclude=bind-chroot courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* nsd* p0f php* proftpd* pure-ftpd* spamassassin* squirrelmail*
The SSL/TLS protocols there are:
All -SSLv2 -SSLv3

The default option is TLSv1.2, though, but it is not checked.

In a production site, I used this to check what is used:
Code:
echo CURL_SSLVERSION_TLSv1_2;
echo '<br>';
$curl_info = curl_version();
echo $curl_info['ssl_version'];
I get:
6
OpenSSL/1.0.2q


Thank you
 

cPanelLauren

Hi @eVdaimon


Can you please open a ticket using the link in my signature? I believe we can help you resolve this if we're able to look into the issue more in-depth. Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
 

cPanelLauren

Hello,


Based on the ticket, it looks like the analysts were no longer able to replicate a connection issue. Can you confirm you're now able to connect to PayPal successfully?
 

eVdaimon

The analysts were not able to replicate it, indeed. It is because the server works fine most of the time and when it does, the issue does not happen. At some point it breaks and it is not only the connection to PayPal that suffers but, in general, any connection to a TLS host.

We will wait for a time when the problem appears again, so the analysts can check it that time.
 

eVdaimon

Hello,

I am posting to contribute the final verdict as found through the cPanel support tickets.

It seems that nscd was responsible for these errors. A possible corruption of the "hosts" cache files has been indicated as the possible source of the trouble.

These were the commands chosen to fix it.

[21:44:32] [11210247] [~]$ nscd --invalidate=hosts

[21:45:20] [11210247] [~]$ /scripts/restartsrv_nscd --status
nscd (/usr/sbin/nscd) is running as nscd with PID 45264 (pidfile+/proc check method).

There is no certainty that the problem will not re-appear but still the issue needs to be flagged as solved as the source was identified and the fix above worked.

Thank you
 
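A way to check for the condition described in the final post before reaching for `nscd --invalidate=hosts`, added here as an example that is not part of the thread or of cPanel's tooling: it compares the addresses returned through the NSS path (which consults nscd's hosts cache, and is the path libcurl's default resolver uses) with the addresses DNS returns directly. The function names are hypothetical, and it assumes `getent`, `dig` (bind-utils) and `awk` are installed.

```shell
#!/bin/sh
# Added example: detect a hosts-cache answer that disagrees with live DNS.
# Usage: sh check_hosts_cache.sh ipnpb.paypal.com [more hosts...]

# Addresses as applications see them: glibc NSS, served from nscd if it runs.
cached_addrs() { getent ahostsv4 "$1" | awk '{print $1}' | sort -u; }

# Addresses straight from the DNS resolver; dig does not go through nscd.
dns_addrs() { dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u; }

# classify CACHED DNS -> consistent | mismatch | cache-empty | dns-failed
# Both arguments are whitespace/newline separated IPv4 lists.
classify() {
    cached=$1
    dns=$2
    if [ -z "$dns" ]; then echo dns-failed; return 0; fi
    if [ -z "$cached" ]; then echo cache-empty; return 0; fi
    for addr in $cached; do
        # One shared address is enough: large services rotate their A records,
        # so the two sets rarely match exactly even on a healthy host.
        if printf '%s\n' "$dns" | grep -Fxq "$addr"; then
            echo consistent
            return 0
        fi
    done
    echo mismatch
}

check_host() {
    verdict=$(classify "$(cached_addrs "$1")" "$(dns_addrs "$1")")
    echo "$1: $verdict"
    if [ "$verdict" = mismatch ] || [ "$verdict" = cache-empty ]; then
        echo "  NSS answer differs from DNS; nscd hosts cache is suspect"
        echo "  fix used in this thread: nscd --invalidate=hosts"
    fi
}

# Only touch the network when hosts are given on the command line.
if [ "$#" -gt 0 ]; then
    for h in "$@"; do check_host "$h"; done
fi
```

A `mismatch` is a hint rather than proof, since rotating DNS answers can produce disjoint sets legitimately; running it at the moment cURL error 7 appears, and again after the invalidate, gives the comparison the support analysts could not reproduce.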