backdrop / backdrop-issues

Issue tracker for Backdrop core.

Error opening socket ssl://updates.backdropcms.org:443 #5518

Open echozone opened 2 years ago

echozone commented 2 years ago

Checking available updates results in: "Failed to get available update data"

Logs report: HTTP request to https://updates.backdropcms.org/release-history/[LISTS_MODULE_OR_CORE] failed with error: Error opening socket ssl://updates.backdropcms.org:443.

On two local BD versions of the site, update data is working normally, but I just put an installation on a remote subdomain for further testing, with consistently only this issue. Cleared caches, cron run.

indigoxela commented 2 years ago

Hi @echozone,

many thanks for taking the time to report.

We had similar observations reported in the forum (see this one), and were able to identify two possible causes:

  1. An expired root cert on your server
  2. Quirky IPv6 handling (routing or firewall) on your server

In both cases you probably need to contact your hoster to further investigate. The problem is outside Backdrop.

Error opening socket ssl://updates.backdropcms.org:443

It seems to be a problem with the ssl setup on your server (likely the expired Let's Encrypt certificate - needs an update of the ISRG_Root_X1.pem, which has to be done by your hoster (should have been done months ago by your hoster!)).

But also check your SSL version on /admin/reports/status/php on that host.

echozone commented 2 years ago

Thanks so much! I did see the other posts, but being about local didn't quite nail it, although me and my host have been working on it with no luck. I will take this info to her and see where we can get.

echozone commented 2 years ago

Host replied, "The server cert is not expired. We spent quite a bit of time going around to each server when the original root was expiring to replace the root cert." She included 2 ways to check, and the A rating from ssllabs.

The SSL version from /admin/reports/status/php on that host: SSL Version OpenSSL/1.0.2k-fips

So we know it's not an expired cert on either side, what else can it be? The local version (2 actually) on MAMP Pro works fine.

indigoxela commented 2 years ago

> So we know it's not an expired cert on either side, what else can it be?

Maybe some connectivity problem...

Does the host connect via IPv4 or IPv6?

updates.backdropcms.org has address 66.175.208.83
updates.backdropcms.org has IPv6 address 2600:3c03::f03c:91ff:fec2:d257

Are both IPs reachable from that webserver?

Could we get the full message from dblog re that problem (from /admin/reports/dblog).
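
An added example, not part of the original thread or of Backdrop's code: a PHP script to run on the affected server that tries a plain TCP connection and then a verified TLS handshake against each IPv4 and IPv6 address of updates.backdropcms.org, which separates the connectivity cause from the certificate cause. It assumes the PHP CLI with the openssl extension and uses PHP's ssl:// stream transport, the one named in the error message; the 10-second timeout and the file name are arbitrary choices.

```php
<?php
// Added diagnostic sketch (not Backdrop code). Run on the affected web server:
//   php tls_probe.php        (file name is an assumption)
$host = 'updates.backdropcms.org';   // host name from the error message
$port = 443;

// Try one connection; returns 'ok' or the error PHP/OpenSSL reported.
function probe(string $scheme, string $addr, int $port, string $host): string {
  // We connect by address, so give the expected name for SNI and verification.
  $ctx = stream_context_create(['ssl' => [
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'peer_name'        => $host,
    'SNI_enabled'      => true,
  ]]);
  $warning = '';
  // OpenSSL's detailed reason arrives as a PHP warning; capture it.
  set_error_handler(function ($no, $msg) use (&$warning) { $warning .= $msg . ' '; return true; });
  $fp = stream_socket_client("$scheme://$addr:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
  restore_error_handler();
  if ($fp) { fclose($fp); return 'ok'; }
  return "FAILED ($errno) $errstr " . trim($warning);
}

echo 'OpenSSL: ', OPENSSL_VERSION_TEXT, "\n";
// Where this PHP build looks for trusted root certificates.
$loc = openssl_get_cert_locations();
echo 'Default CA file: ', $loc['default_cert_file'], "\n";
echo 'Default CA dir:  ', $loc['default_cert_dir'], "\n\n";

// Collect every address the name resolves to, per address family.
$targets = [];
foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
  if ($rr['type'] === 'A')    { $targets[] = ['IPv4', $rr['ip']]; }
  if ($rr['type'] === 'AAAA') { $targets[] = ['IPv6', '[' . $rr['ipv6'] . ']']; }
}
if (!$targets) {
  exit("DNS lookup for $host returned no A/AAAA records\n");
}

foreach ($targets as [$family, $addr]) {
  // tcp:// tests routing/firewall only; ssl:// adds the handshake and chain check.
  printf("%s %-42s tcp: %s\n", $family, $addr, probe('tcp', $addr, $port, $host));
  printf("%s %-42s ssl: %s\n", $family, $addr, probe('ssl', $addr, $port, $host));
}
```

A tcp failure on one address family only points to routing or firewall handling for that family; tcp succeeding while ssl fails points to the trust store or TLS library on the server.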

echozone commented 2 years ago

I sent your message back to my host again. I get through on the first, I don't know how to test the second.

The complete log contains my first or last module like this, or BD itself:

HTTP request to https://updates.backdropcms.org/release-history/webform/1.x?site_key=NX4XWV70ASyiUQrby6NZHmvA8zynpXkK_K3-4DyES3k&version=1.x-4.24.2&list=webform failed with error: Error opening socket ssl://updates.backdropcms.org:443.

===== Host's reply: We don't block on IPV6. The IPV4 address is not blocked by our firewall, however a service might connect from something other than their website's IP. I've flushed all the other nonpermanent blocks.

This has not changed the check for available updates.

obi-one-k commented 1 year ago

Were you able to solve this?

Exactly the same issue on clean install. Host uses valid Let's Encrypt SSL for all sites. (No issues for D7 and D9 on the same shared hosting account).

echozone commented 1 year ago

I don't recall enough to explain it thoroughly, but there was a problem with a "ghost" commercial cert on the server, hiding along with the good letsencrypt cert, so the host could only see a good unexpired cert. She figured out the procedure on her end just needed to clear it out before spinning up anew. We then moved for other reasons to a shiny new server, but the problem was resolved on the old ones. Good luck!

obi-one-k commented 1 year ago

Thanks a million. I will contact the hosting service to get it fixed.

I've been working with D9 using manual installation, without a hitch. But now D10 it looks like another ballgame, with composer needed on the server, SSH absolute necessity, forced server terminal work, and my current shared hosting max at php 7.4. After 15 years of Drupal, change is in the air...