TheHolbi

Everything posted by TheHolbi

  1. This is the SMTP debug, from a WordPress SMTP Plugin, where the PHP is connecting to OpenSSL 1.1, instead of the OpenSSL 3.2.2:

     ```
     Versions:
     WordPress: 6.7.2
     WordPress MS: No
     PHP: 8.2.27
     WP Mail SMTP: 4.4.0

     Params:
     Mailer: smtp
     Constants: No
     ErrorInfo: SMTP Error: Could not connect to SMTP host. Failed to connect to serverSMTP server error: Failed to connect to server
     Host: vps.example.com
     Port: 465
     SMTPSecure: ssl
     SMTPAutoTLS: bool(false)
     SMTPAuth: bool(true)

     Server:
     OpenSSL: OpenSSL 1.1.1t 7 Feb 2023

     Debug:
     Email Source: WP Mail SMTP
     Mailer: Other SMTP
     SMTP Error: Could not connect to SMTP host. Failed to connect to serverSMTP server error: Failed to connect to server

     SMTP Debug:
     2025-03-09 20:58:34 Connection: opening to ssl://vps.example.com:465, timeout=30, options=array()
     2025-03-09 20:58:34 Connection failed. Error #2: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [/home/user/public_html/wp-includes/PHPMailer/SMTP.php line 412]
     2025-03-09 20:58:34 Connection failed. Error #2: stream_socket_client(): Failed to enable crypto [/home/user/public_html/wp-includes/PHPMailer/SMTP.php line 412]
     2025-03-09 20:58:34 Connection failed. Error #2: stream_socket_client(): Unable to connect to ssl://vps.example.com:465 (Unknown error) [/home/user/public_html/wp-includes/PHPMailer/SMTP.php line 412]
     2025-03-09 20:58:34 SMTP ERROR: Failed to connect to server: (0)
     SMTP Error: Could not connect to SMTP host. Failed to connect to server
     ```
  2. So, we need to change the PHP build script to include the right OpenSSL library (e.g. 3.2.2 for AlmaLinux 9.5), or we need to move OpenSSL 3.x to the location /usr/local/opensslso/ instead of v1.1. CWP uses PHP 7.x for admin-panel functions, so OpenSSL v1.1 is not removable. @Sandeep B. What is your opinion?
  3. Output of command (PHP 8.2): `php -i | grep "OpenSSL"`

     ```
     SSL Version => OpenSSL/3.2.2
     OpenSSL support => enabled
     OpenSSL Library Version => OpenSSL 1.1.1t 7 Feb 2023
     OpenSSL Header Version => OpenSSL 1.1.1t 7 Feb 2023
     Native OpenSSL support => enabled
     ```

     Output of command (PHP-FPM 8.3): `/opt/alt/php-fpm83/usr/bin/php -i | grep "OpenSSL"`

     ```
     SSL Version => OpenSSL/3.2.2
     OpenSSL support => enabled
     OpenSSL Library Version => OpenSSL 1.1.1t 7 Feb 2023
     OpenSSL Header Version => OpenSSL 1.1.1t 7 Feb 2023
     Native OpenSSL support => enabled
     ```

     `php -i | grep "Configure Command"`

     ```
     Configure Command => './configure' '--with-config-file-path=/usr/local/php' '--enable-cgi' '--with-config-file-scan-dir=/usr/local/php/php.d' '--with-zlib=/usr' '--enable-mbstring' '--with-zip' '--enable-bcmath' '--enable-pcntl' '--enable-ftp' '--enable-exif' '--enable-calendar' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--with-tidy' '--with-curl' '--with-gmp' '--with-pspell' '--enable-gd' '--with-jpeg' '--with-freetype' '--enable-gd-jis-conv' '--with-webp' '--with-avif' '--with-zlib-dir=/usr' '--with-xpm' '--with-openssl' '--with-pdo-mysql=mysqlnd' '--with-gettext=/usr' '--with-bz2=/usr' '--with-mysqli' '--enable-soap' '--enable-phar' '--with-xsl' '--with-kerberos' '--enable-posix' '--enable-sockets' '--with-external-pcre' '--with-libdir=lib64' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--enable-intl' '--with-imap' '--with-imap-ssl' '--with-password-argon2' 'PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig'
     ```

     `/opt/alt/php-fpm83/usr/bin/php -i | grep "Configure Command"`

     ```
     Configure Command => './configure' '--prefix=/opt/alt/php-fpm83/usr' '--with-config-file-path=/opt/alt/php-fpm83/usr/php' '--with-config-file-scan-dir=/opt/alt/php-fpm83/usr/php/php.d' '--with-zlib=/usr' '--enable-mbstring' '--with-zip' '--enable-bcmath' '--enable-pcntl' '--enable-ftp' '--enable-exif' '--enable-calendar' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--with-tidy' '--with-curl' '--with-iconv' '--with-gmp' '--with-pspell' '--enable-gd' '--with-jpeg' '--with-freetype' '--enable-gd-jis-conv' '--with-webp' '--with-avif' '--with-zlib-dir=/usr' '--with-xpm' '--with-openssl' '--with-pdo-mysql=mysqlnd' '--with-gettext=/usr' '--with-bz2=/usr' '--with-mysqli' '--enable-soap' '--enable-phar' '--with-xsl' '--with-kerberos' '--enable-posix' '--enable-sockets' '--with-external-pcre' '--with-libdir=lib64' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--enable-intl' '--with-imap' '--with-imap-ssl' '--enable-fpm' '--enable-opcache' '--with-password-argon2' 'PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig'
     ```

     PHP is configured to use OpenSSL from: 🔴 `PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig`. This means PHP is still linked to OpenSSL 1.1.1t instead of OpenSSL 3.2.2. @Sandeep B. Do you have any suggestion to correct it as fast as possible? All CWP installs on AlmaLinux 9 may have this issue.
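Added example (not part of the post above and not CWP's own code): a shell check that reads `php -i` output and flags the mismatch the post shows, where `SSL Version` reports OpenSSL 3.x while `OpenSSL Library Version` reports 1.1.1t. The function names and the trimmed sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of PHP or CWP.

# Print the value of the first "Key => value" line whose key is $1.
phpinfo_field() {
    sed -n "s/^$1 => *//p" | head -n 1
}

# Reads `php -i` text on stdin.
# Returns 0 if both OpenSSL majors agree, 1 on mismatch, 2 if fields are missing.
check_php_openssl() {
    info=$(cat)
    # "SSL Version" is printed by the curl extension (the system libssl here).
    curl_ssl=$(printf '%s\n' "$info" | phpinfo_field 'SSL Version')
    # "OpenSSL Library Version" is what PHP's own openssl extension loaded.
    ext_ssl=$(printf '%s\n' "$info" | phpinfo_field 'OpenSSL Library Version')
    # Build-time search path that selected the library, if it was set.
    pkgcfg=$(printf '%s\n' "$info" |
        sed -n "s/^Configure Command.*'\(PKG_CONFIG_PATH=[^']*\)'.*/\1/p")

    if [ -z "$curl_ssl" ] || [ -z "$ext_ssl" ]; then
        echo "UNKNOWN: OpenSSL fields not found in input"
        return 2
    fi
    curl_major=$(printf '%s\n' "$curl_ssl" | sed 's|^OpenSSL[/ ]\([0-9]*\).*|\1|')
    ext_major=$(printf '%s\n' "$ext_ssl" | sed 's|^OpenSSL[/ ]\([0-9]*\).*|\1|')

    if [ "$curl_major" != "$ext_major" ]; then
        echo "MISMATCH: openssl extension uses '$ext_ssl', curl uses '$curl_ssl' ${pkgcfg:+($pkgcfg)}"
        return 1
    fi
    echo "OK: both report OpenSSL $ext_major.x"
}

# Constructed sample, trimmed from the `php -i` output in the post.
sample_php_info() {
    cat <<'EOF'
SSL Version => OpenSSL/3.2.2
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.1.1t  7 Feb 2023
OpenSSL Header Version => OpenSSL 1.1.1t  7 Feb 2023
Configure Command =>  './configure'  '--with-openssl' 'PKG_CONFIG_PATH=/usr/local/opensslso/lib/pkgconfig'
EOF
}

sample_php_info | check_php_openssl || true
```

On a live host the real output can be piped in with `php -i | check_php_openssl`, once per PHP binary.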
  4. Resolved: The solution for TLSv1.3 on AlmaLinux 9.5 with CWP Pro was to reinstall the hostname certificates (for all services) in the Change Hostname menu with a key size of 4096. After that, all issues were resolved, and the TLSv1.3 check passed both ways, from the terminal and from the browser. Of course, the setting in all templates and Nginx config files was changed to `ssl_protocols TLSv1.2 TLSv1.3;`
  5. The output of the command `update-crypto-policies --show` is "DEFAULT". In addition, I tried the following setting on AlmaLinux 9.5: `sudo update-crypto-policies --set FUTURE`, and it causes an error in the Nginx configuration:

     ```
     2025/01/25 13:01:53 [emerg] 69470#69470: SSL_CTX_use_certificate("/etc/pki/tls/certs/hostname.bundle") failed (SSL: error:0A00018F:SSL routines::ee key too small)
     ```
  6. Yes, it would be good to extend this guide for http3 support and AlmaLinux 9.x support, with OpenSSL 3.x.
  7. @Sandeep B. How should the sequence described in this post be modified when using AlmaLinux 9.5 with the latest CWP, where the OpenSSL version on the server is 3.2.2? TLSv1.2 with HTTP/2 is running well, and all CWP Nginx templates were modified to use `ssl_protocols TLSv1.2 TLSv1.3;` but TLS v1.3 failed the tests at https://www.cdn77.com/tls-test and also failed terminal tests like `openssl s_client -connect example.com:443 -tls1_3 -debug`, while `openssl s_client -connect example.com:443 -tls1_2 -debug` is OK. And there are no error messages in the nginx log. Do you have any suggestion, or am I missing some necessary component in AlmaLinux 9.x? Any help or ideas will be appreciated. Thanks in advance.
  8. TheHolbi posted a post in a topic in Other WEB Panels
    Hello, I am also using several Contabo VPS with AlmaLinux 9.x and CWP, but the install issues (only 1 or 2 occurred) can be handled with some small corrections. If you are more specific about your issues, maybe I can help you. So, I suggest using AlmaLinux 9.x (latest). There may be some issue with the mod_security install (the mod_security config file has to be corrected manually). And there may be some issue with the postfix - openssl install; the config files have to be corrected manually. And there may be some issue with the amavis install; the config file has to be corrected manually. After finalizing the component install, the server with CWP and AlmaLinux 9.x runs very well and is stable. So, what were your issues?
  9. The DKIM signature issue was resolved as follows. These lines were missing from /etc/postfix/main.cf:

     ```
     #DKIM
     milter_default_action = accept
     milter_protocol = 6
     smtpd_milters = inet:localhost:8891
     non_smtpd_milters = inet:localhost:8891
     ```

     and the correct /etc/opendkim.conf was:

     ```
     AutoRestart Yes
     AutoRestartRate 10/1h
     LogWhy Yes
     Syslog Yes
     SyslogSuccess Yes
     Mode sv
     Canonicalization relaxed/simple
     ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
     InternalHosts refile:/etc/opendkim/TrustedHosts
     KeyTable refile:/etc/opendkim/KeyTable
     SigningTable refile:/etc/opendkim/SigningTable
     SignatureAlgorithm rsa-sha256
     Socket inet:8891@localhost
     PidFile /var/run/opendkim/opendkim.pid
     UMask 022
     UserID opendkim:opendkim
     TemporaryDirectory /var/tmp
     ```

     After /etc/postfix/main.cf was completed and the services were restarted, the DKIM signature was properly inserted into the outgoing emails.
  10. Hi @Netino The output is the following:

      ```
        -o content_filter=smtp-amavis:127.0.0.1:10024
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      smtps inet n - n - - smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o content_filter=
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_client_restrictions=
      ```
  11. I have just migrated a CWP installation from CentOS 7 to AlmaLinux 9.4 by migrating the /home directory, the /var/vmail directory, and the databases. All the features have been configured, but I have two problems that I have not yet managed to solve. AlmaLinux 9.4 was installed with OpenSSL 3.0.7 1 Nov 2022 by CWP, and none of the programs, even a Laravel 11.x app under PHP 8.3.12, can send mail over port 465. Error message:

      ```
      Connection could not be established with host "ssl://mail.example.com:465": stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed {"exception":"[object] (Symfony\\Component\\Mailer\\Exception\\TransportException(code: 0): Connection could not be established with host \"ssl://mail.example.com:465\": stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /home/user/laravel/vendor/symfony/mailer/Transport/Smtp/Stream/SocketStream.php:154)
      ```

      I had to temporarily switch to using port 25 in the SMTP service. The other problem is that postfix does not put DKIM signatures on the mails, even though all elements of the system, OpenDKIM, etc. are installed and running. What should the config file of postfix and opendkim look like in CWP to get this service working properly?
  12. Hello @Sandeep B. I started to move all my CWP-based servers to CWP el9 with AlmaLinux 9.4.x. Is there any update to the tutorial described above? Is the Apache or the NGINX version of HTTP2 recommended by you? Thank you in advance.
  13. Thank you. I will be back soon after tests.
  14. Hi @Sandeep B. Did you find any solutions to this issue? Kindest regards: TheHolbi
  15. Hi @Sandeep B. Did you find any solutions to handle this issue?
  16. Other data: The HTTP2 installation deletes the mod_security2.so file from the modules folder. And if mod_security is installed again, it will be incompatible and won't load.
  17. Hi @Sandeep B. The process in the tutorial was tested in another CWPPro instance of my services. mod_security was installed on the server before this test. The error appeared after running Goto Apache Settings >> Apache Re-Build >> Select Next : Next delete/replace all with this flags/lines under "Additional configuration" (the config was changed properly) -- then Click on Start Compiler in background.

      ```
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: Stopped Web server Apache.
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: Unit httpd.service entered failed state.
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: httpd.service failed.
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: Starting Web server Apache...
      Feb 06 12:55:27 vps.trianity.dev apachectl[30361]: httpd: Syntax error on line 511 of /usr/local/apache/conf/httpd.conf: Syntax error on line 9 of /usr/local/apache/conf.d/mod_security.conf: Cannot load modules/mod_security2.so into server: /usr/local/apache/modules/mod_security2.so: undefined symbol: apr_crypto_block_cleanup
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: httpd.service: control process exited, code=exited status=1
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: Failed to start Web server Apache.
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: Unit httpd.service entered failed state.
      Feb 06 12:55:27 vps.trianity.dev systemd[1]: httpd.service failed.
      ```
  18. OK, thank you. Is there a special reason to use Nghttp2 version 1.42.0 in the tutorial, and not the latest available Nghttp2 v1.59.0? It is true that Nghttp2 v1.59.0 dropped support for old OpenSSL (< 1.1.1), but we use 1.1.1u in the build and it can be good.
  19. Hi @Sandeep B. Thank you for the tutorial. It works in a newly installed VPS powered by CWPPro. The only issue is: the installed mod_security (CWP admin panel) breaks the httpd.service with the HTTP2 protocol and produced the following error lines. What do you suggest? How to handle it?

      ```
      Feb 5 15:17:40 vps apachectl: httpd: Syntax error on line 511 of /usr/local/apache/conf/httpd.conf: Syntax error on line 9 of /usr/local/apache/conf.d/mod_security.conf: Cannot load modules/mod_security2.so into server: /usr/local/apache/modules/mod_security2.so: undefined symbol: apr_crypto_block_cleanup
      Feb 5 15:17:40 vps systemd: httpd.service: control process exited, code=exited status=1
      Feb 5 15:17:40 vps systemd: Failed to start Web server Apache.
      Feb 5 15:17:40 vps systemd: Unit httpd.service entered failed state.
      ```