
OpenSSL (CURL Error: 56 - OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0) Issue on non-cPanel WHMCS


pKris


Hey all, looking for some guidance on this OpenSSL issue 

CURL Error: 56 - OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0

 

when connecting to the eNom API for a WHMCS installation that exists independently of cPanel (this is not helpful Troubleshooting CURL Error: 56 - OpenSSL SSL_read: Success error | Troubleshooting | Guides & Tutorials (whmcs.com)).

The only community articles I seem to find relate to WHMCS environments running on a cPanel server managed by EasyApache; this isn't the case when running on its own VM.

Environment Details:

PHP Version 8.1.2-1ubuntu2.8

cURL support: enabled

cURL Information: 7.81.0

Apache/2.4.52 


  • 4 weeks later...
  • 3 weeks later...

I'm having this problem too. The problem appears to be that curl on Ubuntu 22.04 (and perhaps others) used OpenSSL v3, and that is stricter with connections than v1. That causes connections to the eNom API to fail, I assume because eNom uses older SSL algorithms. So strictly speaking the problem is with eNom, and I'll open a ticket with them about this, but I'm a sub-reseller, they're not going to take any notice of me for this.

I thought upgrading my PHP version might help, but unfortunately not. Still looking for workarounds.


  • 2 months later...
On 12/31/2022 at 10:05 PM, dahamsta said:

I'm having this problem too. The problem appears to be that curl on Ubuntu 22.04 (and perhaps others) used OpenSSL v3, and that is stricter with connections than v1. That causes connections to the eNom API to fail, I assume because eNom uses older SSL algorithms. So strictly speaking the problem is with eNom, and I'll open a ticket with them about this, but I'm a sub-reseller, they're not going to take any notice of me for this.

I thought upgrading my PHP version might help, but unfortunately not. Still looking for workarounds.

Hello @dahamsta

Did you get anywhere with ENOM or workarounds by any chance?

This has been a real pain for us as well. We tried to migrate our WHMCS to a new host and all was well - until we found that the new server (Ubuntu 22.04) came with OpenSSL3 and had the same error (EOF) when talking to ENOM. We ended up cancelling the migration for this single reason.

There is apparently a flag you can set to work around this, but I could not work out how to apply it - some say it needs to be set in the application call.

Complete nightmare. Let me know if you have had any success….

Thanks,

Brad


My email to enom about this:

I am able to reproduce this issue with a simple PHP script now, this has nothing to do with the WHMCS module.
It seems OpenSSL 3.0 enabled some mitigations for a particular kind of attack which causes issues when connecting to non-compliant servers. I think it's the same as the issue referenced in the link you gave about 1.1.1e, but openssl reverted the change in 1.1.1f and deferred it till the next major upgrade to give people time to adapt. There is a flag you can set in openssl to mitigate this; however, the php curl library currently does not support the option. Currently, using php curl functions to access the enom api with an up-to-date OpenSSL will fail. Ubuntu 18.04 LTS is end of life in a couple of months; I expect many people like me will be updating to the next LTS version, 22.04, and will find their enom integrations fail, with no obvious workaround. To avoid confusion if you search for more: PHP itself is now patched, so opening URLs without using the curl library does work.

This link gives some more detail https://github.com/php/php-src/issues/8369

I hope you can find a way to make your server work with newer OpenSSL clients. If not,  my current plan is to put connections to reseller.enom.com through a proxy, but it's less than ideal.


  • 1 month later...

I found a workaround..

I used a hosts file entry to point reseller.enom.com to localhost, then I have a virtual host entry in Nginx to proxy the connection to the real address.  Config looks something like this:


 

server {
    listen 443 ssl;
    server_name reseller.enom.com;

    ssl_certificate      /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key  /etc/ssl/private/nginx-selfsigned.key;


    location / {
        proxy_pass https://98.124.224.15;
        proxy_set_header Host reseller.enom.com;
    }
}

 

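A hardened variant of the proxy configuration posted above, as an added example that is not part of the original post. By default nginx does not verify the upstream certificate (proxy_ssl_verify is off) and takes the expected name from proxy_pass, here a bare IP, so the posted config relays API traffic to whatever answers on that address. The CA bundle path is an assumption (Debian/Ubuntu default); the IP is the one quoted in the thread and should be re-checked against public DNS before use.

```nginx
# Added example: the thread's proxy workaround with upstream verification enabled.
server {
    # Bind to loopback only, so the proxy is reachable solely by the local
    # WHMCS host that the /etc/hosts override is meant for.
    listen 127.0.0.1:443 ssl;
    server_name reseller.enom.com;

    # Self-signed certificate shown to the local client only; the client
    # (PHP/curl) must trust this one certificate, not disable verification.
    ssl_certificate      /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key  /etc/ssl/private/nginx-selfsigned.key;

    location / {
        # IP as quoted in the thread; a hard-coded address goes stale silently.
        proxy_pass https://98.124.224.15;
        proxy_set_header Host reseller.enom.com;

        # Send SNI and check the upstream certificate against the real
        # hostname instead of the IP taken from proxy_pass.
        proxy_ssl_server_name on;
        proxy_ssl_name        reseller.enom.com;

        # Refuse the connection unless the upstream chain validates against
        # the system CA bundle (path is an assumption, Debian/Ubuntu default).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        3;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

With verification on, a changed or hijacked upstream address produces a 502 from the proxy rather than a silent connection to the wrong host.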

On 4/14/2023 at 6:10 PM, oliver.burkill said:

I found a workaround..

I used a hosts file entry to point reseller.enom.com to localhost, then I have a virtual host entry in Nginx to proxy the connection to the real address.  Config looks something like this:


 

server {
    listen 443 ssl;
    server_name reseller.enom.com;

    ssl_certificate      /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key  /etc/ssl/private/nginx-selfsigned.key;


    location / {
        proxy_pass https://98.124.224.15;
        proxy_set_header Host reseller.enom.com;
    }
}

 

Thank you very much for the reply.

Can you please put in here the exact files and paths with your workaround ?


I don't think giving you the exact files or paths will help as it will depend a little bit on your environment. You could and should do something similar with Apache if you are using that and not Nginx (WHMCS don't officially support Nginx). The paths will depend on if you are using a control panel or not. You will also need to generate a self-signed SSL certificate for reseller.enom.com and make sure that it will be trusted on the server running the proxy. All of that should be doable with some google-fu + trial and error. If you are really stuck, post the specifics here or email me directly @eukhost.com


2 hours ago, oliver.burkill said:

I don't think giving you the exact files or paths will help as it will depend a little bit on your environment. You could and should do something similar with Apache if you are using that and not Nginx (WHMCS don't officially support Nginx). The paths will depend on if you are using a control panel or not. You will also need to generate a self-signed SSL certificate for reseller.enom.com and make sure that it will be trusted on the server running the proxy. All of that should be doable with some google-fu + trial and error. If you are really stuck, post the specifics here or email me directly @eukhost.com

You are right, in fact this is the real problem:

"I am getting this error:
Module Command Error
Curl Error: 56 - OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0"

when I try to make some actions on the virtualmin module.

I should mention that the actions are carried out on the target server, but those results are not reflected in WHMCS.

I have the latest PHP version compatible with the latest WHMCS ( 8.7.1 General Release 8.7.1-release.1 ) installed.

On the server I have these:
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
Apache/2.4.53 (Rocky Linux)
repo id                                                      repo name
appstream                                                    Rocky Linux 9 - AppStream
baseos                                                       Rocky Linux 9 - BaseOS
crb                                                          Rocky Linux 9 - CRB
epel                                                         Extra Packages for Enterprise Linux 9 - x86_64
extras                                                       Rocky Linux 9 - Extras
remi-modular                                                 Remi's Modular repository for Enterprise Linux 9 - x86_64
remi-safe                                                    Safe Remi's RPM repository for Enterprise Linux 9 - x86_64
virtualmin                                                   Virtualmin 7 - x86_64
virtualmin-noarch                                            Virtualmin 7 GPL - noarch
Rocky Linux release 9.1 (Blue Onyx)


  • 3 weeks later...

Same issue here. I'm on Ubuntu 22.04 with default installs of PHP, Curl, etc.

Here is how I used the solution from oliver.burkill but with Apache:

 

cd /usr/local/etc/
openssl req -newkey rsa:2048 -nodes -keyout reseller.enom.com.key -x509 -days 3650 -out reseller.enom.com.crt
cat reseller.enom.com.crt > reseller.enom.com.pem
cat reseller.enom.com.key >> reseller.enom.com.pem
chmod 640 reseller.enom.com.pem

echo "127.0.0.1       reseller.enom.com" >> /etc/hosts

# /etc/apache2/sites-available/reseller.enom.com.conf
<VirtualHost *:443>
  ServerName    reseller.enom.com
  SSLEngine on
  SSLCertificateFile /usr/local/etc/reseller.enom.com.pem
  SSLProxyEngine On
  ProxyPreserveHost on
  ProxyPass / https://98.124.224.15/
  ProxyPassReverse / https://98.124.224.15/
</VirtualHost>

a2ensite reseller.enom.com.conf
systemctl reload apache2

Works for me, now WHMCS connects to eNom without error.


  • 8 months later...
On 5/8/2023 at 11:53 AM, nocrom99 said:

Same issue here. I'm on Ubuntu 22.04 with default installs of PHP, Curl, etc.

Here is how I used the solution from oliver.burkill but with Apache:

 

cd /usr/local/etc/
openssl req -newkey rsa:2048 -nodes -keyout reseller.enom.com.key -x509 -days 3650 -out reseller.enom.com.crt
cat reseller.enom.com.crt > reseller.enom.com.pem
cat reseller.enom.com.key >> reseller.enom.com.pem
chmod 640 reseller.enom.com.pem

echo "127.0.0.1       reseller.enom.com" >> /etc/hosts

# /etc/apache2/sites-available/reseller.enom.com.conf
<VirtualHost *:443>
  ServerName    reseller.enom.com
  SSLEngine on
  SSLCertificateFile /usr/local/etc/reseller.enom.com.pem
  SSLProxyEngine On
  ProxyPreserveHost on
  ProxyPass / https://98.124.224.15/
  ProxyPassReverse / https://98.124.224.15/
</VirtualHost>

a2ensite reseller.enom.com.conf
systemctl reload apache2

Works for me, now WHMCS connects to eNom without error.

Is the 98.* address one we can all use? I did a geolocate by IP and that's located in Mississippi, is that where eNom is?
