TheHolbi

If you can build PHP 5.6 from scratch including OpenSSL v.1.1, in this case you can use AlmaLinux 9.x also. For a server I had to get PHP 5.6 running on AlmaLinux 9, but OpenSSL is not included in this PHP version yet. I had to keep a few outdated systems alive for a while. But, the CWP for AlamLinux 8 can run PHP 5.6 also.

This is the SMTP debug, from a WordPress SMTP Plugin, where the PHP is connecting to OpenSSL 1.1, instead of the OpenSSL 3.2.2: Versions: WordPress: 6.7.2 WordPress MS: No PHP: 8.2.27 WP Mail SMTP: 4.4.0 Params: Mailer: smtp Constants: No ErrorInfo: SMTP Error: Could not connect to SMTP host. Failed to connect to serverSMTP server error: Failed to connect to server Host: vps.example.com Port: 465 SMTPSecure: ssl SMTPAutoTLS: bool(false) SMTPAuth: bool(true) Server: OpenSSL: OpenSSL 1.1.1t 7 Feb 2023 Debug: Email Source: WP Mail SMTP Mailer: Other SMTP SMTP Error: Could not connect to SMTP host. Failed to connect to serverSMTP server error: Failed to connect to server SMTP Debug: 2025-03-09 20:58:34 Connection: opening to ssl://vps.example.com:465, timeout=30, options=array() 2025-03-09 20:58:34 Connection failed. Error #2: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [/home/user/public_html/wp-includes/PHPMailer/SMTP.php line 412] 2025-03-09 20:58:34 Connection failed. Error #2: stream_socket_client(): Failed to enable crypto [/home/user/public_html/wp-includes/PHPMailer/SMTP.php line 412] 2025-03-09 20:58:34 Connection failed. Error #2: stream_socket_client(): Unable to connect to ssl://vps.example.com:465 (Unknown error) [/home/user/public_html/wp-includes/PHPMailer/SMTP.php line 412] 2025-03-09 20:58:34 SMTP ERROR: Failed to connect to server: (0) SMTP Error: Could not connect to SMTP host. Failed to connect to server

So, we need change the PHP build script to include the right OpenSSL library (e.g. 3.2.2 for the AlmaLinux 9.5), or we need to move the OpenSSL 3.x to location /usr/local/opensslso/ instead of the v.1.1. The CWP uses PHP 7.x for admin-panel function so, the OpenSSL v.1.1 is not removable. @Sandeep B. What is your opinion?

Output of command (PHP 8.2): php -i | grep "OpenSSL" SSL Version => OpenSSL/3.2.2 OpenSSL support => enabled OpenSSL Library Version => OpenSSL 1.1.1t 7 Feb 2023 OpenSSL Header Version => OpenSSL 1.1.1t 7 Feb 2023 Native OpenSSL support => enabled Output of command (PHP-FPM 8.3): /opt/alt/php-fpm83/usr/bin/php -i | grep "OpenSSL" SSL Version => OpenSSL/3.2.2 OpenSSL support => enabled OpenSSL Library Version => OpenSSL 1.1.1t 7 Feb 2023 OpenSSL Header Version => OpenSSL 1.1.1t 7 Feb 2023 Native OpenSSL support => enabled php -i | grep "Configure Command" Configure Command => './configure' '--with-config-file-path=/usr/local/php' '--enable-cgi' '--with-config-file-scan-dir=/usr/local/php/php.d' '--with-zlib=/usr' '--enable-mbstring' '--with-zip' '--enable-bcmath' '--enable-pcntl' '--enable-ftp' '--enable-exif' '--enable-calendar' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--with-tidy' '--with-curl' '--with-gmp' '--with-pspell' '--enable-gd' '--with-jpeg' '--with-freetype' '--enable-gd-jis-conv' '--with-webp' '--with-avif' '--with-zlib-dir=/usr' '--with-xpm' '--with-openssl' '--with-pdo-mysql=mysqlnd' '--with-gettext=/usr' '--with-bz2=/usr' '--with-mysqli' '--enable-soap' '--enable-phar' '--with-xsl' '--with-kerberos' '--enable-posix' '--enable-sockets' '--with-external-pcre' '--with-libdir=lib64' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--enable-intl' '--with-imap' '--with-imap-ssl' '--with-password-argon2' 'PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig' /opt/alt/php-fpm83/usr/bin/php -i | grep "Configure Command" Configure Command => './configure' '--prefix=/opt/alt/php-fpm83/usr' '--with-config-file-path=/opt/alt/php-fpm83/usr/php' '--with-config-file-scan-dir=/opt/alt/php-fpm83/usr/php/php.d' '--with-zlib=/usr' '--enable-mbstring' '--with-zip' '--enable-bcmath' '--enable-pcntl' '--enable-ftp' '--enable-exif' '--enable-calendar' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--with-tidy' '--with-curl' '--with-iconv' '--with-gmp' '--with-pspell' '--enable-gd' '--with-jpeg' '--with-freetype' '--enable-gd-jis-conv' '--with-webp' '--with-avif' '--with-zlib-dir=/usr' '--with-xpm' '--with-openssl' '--with-pdo-mysql=mysqlnd' '--with-gettext=/usr' '--with-bz2=/usr' '--with-mysqli' '--enable-soap' '--enable-phar' '--with-xsl' '--with-kerberos' '--enable-posix' '--enable-sockets' '--with-external-pcre' '--with-libdir=lib64' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--enable-intl' '--with-imap' '--with-imap-ssl' '--enable-fpm' '--enable-opcache' '--with-password-argon2' 'PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig' The PHP is configured to use OpenSSL from: 🔴 PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig This means PHP is still linked to OpenSSL 1.1.1t instead of OpenSSL 3.2.2. @Sandeep B. Do you have any suggestion to correct it as fast as possible? May all CWP in AlmaLinux 9 have this issue.

Resolved:The solution of TLSv1.3 in AlmaLinux 9.5 with CWP Pro was reinstall hostname certificates (for all services) in the Change Hostname menu with 4096 size key. After then all issue was resolved, and the TLSv1.3 check was pass in both way, from terminal and from browser also. Of course in all templates and Nginx config files was changed the setting to ssl_protocols TLSv1.2 TLSv1.3;

The output of command: `update-crypto-policies --show` is “DEFAULT“ In addition I tried to set in AlmaLinux 9.5 the following settings: `sudo update-crypto-policies --set FUTURE` and it cause error on Nginx configuration: `2025/01/25 13:01:53 [emerg] 69470#69470: SSL_CTX_use_certificate("/etc/pki/tls/certs/hostname.bundle") failed (SSL: error:0A00018F:SSL routines::ee key too small)`

Yes, it would be good to extend this guide for http3 support and AlmaLinux 9.x support, with OpenSSL 3.x.

@Sandeep B. How to modify the sequence described in this post, if using AlmaLinux 9.5 with latest CWP and the OpenSSL version in the server is 3.2.2 ? The TLSv1.2 with HTTP\2 is running well, and all CWP Nginx templates was modified to use ssl_protocols TLSv1.2 TLSv1.3; but TLS v 1.3 failed on the tests at https://www.cdn77.com/tls-test and also failed with terminal tests like: openssl s_client -connect example.com:443 -tls1_3 -debug while openssl s_client -connect example.com:443 -tls1_2 -debug is OK. And no error messages in the nginx log. Do you have any suggestion or my missing some necessary component in AlmaLinux 9.x ? Any help or ideas will be appreciated. Thanks for advance.

Hello, I am also using several Contabo VPS with AlmaLinux 9.x and CWP but the install issues (only 1 or 2 occurred) can be handled with some little correction. If you will be more specific with your issues may I can help you. So, I suggest to use AlmaLinux 9.x (latest). There may some issue with mod_security install (the mod_security config file have to be corrected manually) And there may some issue with postfix - openssl install, the config files have to be corrected manually, And there may some issue with amavis install, the config file have to be corrected manually. And finalizing the component install, the server with CWP and AlmaLinux 9.x running very well and stable. So, what were your issues?

The DKIM signature issue was resolved as follow: There were missing lines from the /etc/postfix/main.cf : #DKIM milter_default_action = accept milter_protocol = 6 smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891 and the correct /etc/opendkim.conf was : AutoRestart Yes AutoRestartRate 10/1h LogWhy Yes Syslog Yes SyslogSuccess Yes Mode sv Canonicalization relaxed/simple ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts KeyTable refile:/etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable SignatureAlgorithm rsa-sha256 Socket inet:8891@localhost PidFile /var/run/opendkim/opendkim.pid UMask 022 UserID opendkim:opendkim TemporaryDirectory /var/tmp After completed /etc/postfix/main.cf and restarted services, the DKIM signature was properly inserted to the outgoing emails.

Hi @Netino The output is the following: -o content_filter=smtp-amavis:127.0.0.1:10024 -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o content_filter= -o content_filter= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_client_restrictions=

I have just migrated a CWP installation from Centos 7 to AlmaLinux 9.4 by migrating the /home directory, the /var/vmail directory, and the databases. All the features have been configured, but I have two problems that I have not yet managed to solve. AlmaLinux 9.4 was installed with OpenSSL 3.0.7 1 Nov 2022 by CWP, and none of the programs, even a Laravel 11.x app under PHP 8.3.12, can send mail over port 465. Error message: Connection could not be established with host "ssl://mail.example.com:465": stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed {"exception":"[object] (Symfony\\Component\\Mailer\\Exception\\TransportException(code: 0): Connection could not be established with host \"ssl://mail.example.com:465\": stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /home/user/laravel/vendor/symfony/mailer/Transport/Smtp/Stream/SocketStream.php:154) I had to temporarily switch to using port 25 in the SMTP service. The other problem is that postfix does not put DKIM signatures on the mails, even though all elements of the system, OpenDKIM, etc. are installed and running. What should the config file of postfix and opendkim look like in CWP to get this service working properly?

Hello @Sandeep B. I started to move all my CWP based servers the CWP el9 with AlmaLinux 9.4.x Is there any update to the tutorial described above? The Apache or the NGINX version of HTTP2 recommended by you? Thank you for advance.

Thank you. I will back soon after tests.

Hi @Sandeep B. Did you find any solutions to this issue? Kindest regards: TheHolbi