I have a PHP Laravel (5.6) system that I need to connect to an FTP server to upload a single file. The FTP server that I am connecting to is restricting access by ip address, uses port 990, and other than that has a seemingly simple configuration. On my local machine (I'm running on Linux Ubuntu if that helps) I am able to connect to the ftp server in FileZilla just fine, FileZilla did seem to automatically choose ftps. I am also able to ping this server.
Now this PHP Laravel (5.6) application is running on NGINX (had this for a while, everything else server-wise seems fine). As of now I am just trying to get this working locally, though there is a production server that it will have to be pushed onto (pretty much identical configuration though).
I started out trying to use the built in PHP function ftp_connect and ftp_ssl_connect - both using the same host and port number (990) as in FileZilla. I have been unable to get past this step - it returns false (so never even gets to my login logic).
$ftp = ftp_connect(env('FTP_HOST'),env('FTP_PORT')); // returns FALSE
$ftp = ftp_ssl_connect(env('FTP_HOST'),env('FTP_PORT')): // returns FALSE
After searching for a while I decided to try Laravel's filesystem to see if that would make it easier, these are my settings in config/filesystems.php:
'ftp' => [
'driver' => 'ftp',
'host' => env('FTP_HOST'),
'username' => env('FTP_USER'),
'password' => env('FTP_PASSWORD'),
'port' => env('FTP_PORT'),
'ssl' => true,
'timeout' => 60,
],
'sftp' => [
'driver' => 'sftp',
'host' => env('FTP_HOST'),
'username' => env('FTP_USER'),
'password' => env('FTP_PASSWORD'),
'port' => env('FTP_PORT'),
'timeout' => 60,
],
I figured I'd try both ftp and sftp here, I then tried the following:
Storage::disk('ftp')->put('test.csv', $file);
and
Storage::disk('sftp')->put('test.csv', $file);
The first just timed out, the second gave me the message: League\Flysystem\Sftp\ConnectionErrorException: Could not login with username: ###, host: ### in...
Any ideas of what this could be or next steps I could take towards troubleshooting would be greatly appreciated, I feel like I just don't know what to try to get a better understanding of what's wrong here. Thanks!
EDIT:
I realized that previously I had always used the quick connect feature in FileZilla for this. I looked into it further and was able to confirm that the encryption has to be implicit FTP over TLS - So I'm wondering if there is a setting for that I'm missing.
The port 990 is for implicit TLS/SSL, as you have eventually figured out.
The implicit TLS/SSL is not supported by the PHP built-in FTP implementation. Neither is implicit TLS/SSL supported by flysystem used by Laravel (which probably internally uses PHP built-in FTP anyway).
The implicit TLS/SSL was a temporary hack back in 90s to allow legacy FTP software to use encrypted connection without modification. It was never something that should have been used in long term, definitely not 30 years later! The implicit FTP never even became part of FTP standard. Only the explicit TLS/SSL was standardized by RFC 4217 in 2005. Since then, noone should be using implicit TLS/SSL ever.
Get your FTP server fixed to use the explicit TLS/SSL.
Take a look at the additional settings (https://flysystem.thephpleague.com/v2/docs/adapter/ftp/) you can add to the filesystem.php for your ftp settings. Match them with what you have on your FileZilla settings and see if it helps.
Laravel underneath uses the flysystem adapters to connect to different storage types and you can reference the settings from the above URL.
I'm running the next script from my local host and the production server, and Im getting different outputs. Anyone knows why am I getting that false from my localhost?
<?php
$host = 'ssl://mail.companyname.org';
$port = 993;
$error = 0;
$errorString = "";
var_dump(fsockopen($host, $port, $error, $errorString, 30));
var_dump($errorString);
var_dump($error);
Local host output:
bool(false)
Production server output:
resource(4) of type (stream)
UPDATE: after the comments/answer I have modified the code and now Im getting this output on my local host:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL
Error messages: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed in
/tmp/test.php on line 7 PHP Warning: fsockopen(): Failed to enable
crypto in /tmp/test.php on line 7 PHP Warning: fsockopen(): unable to
connect to ssl://mail.twmdata.org:993 (Unknown error) in /tmp/test.php
on line 7 bool(false) string(0) "" int(0)
it seems this is problem with server certificate :
first you can check if your server certificate and its chains are valid by this:
https://www.sslshopper.com/ssl-checker.htm
if somethings were wrong in ssl-checker?
you can try to correct SSL certificate configs in companyname.org
if you succeed and error was persists ?
you have to add Certificate files manually.
if you have a self-signed certificate:
you have to add Certificate files manually.
if you dont have certificate nor you dont care about man-in-the-middle attack,
you can still use SSL without Certificate.
turn off php fsock Certificate check (not recommended)
its recommended to have a certificate at least a self-signed. if you have a self-signed try 1 solution.
I have found the Problem
You have exposed your Domain name in your PHP Warning Log, so i have checked your domain SSL.
after i check your company`s domain certificate using this tool:
https://www.sslshopper.com/ssl-checker.html#hostname=twmdata.org
it had 2 errors with your certificates:
This certificate has expired (0 days ago). Renew now.
None of the common names in the certificate match the name that was entered (twmdata.org). You may receive an error when accessing this site in a web browser.
so it seems you have to renew your certificate first
Update:
i have found this answer maybe helpful
https://stackoverflow.com/a/40962061/9287628
it suggested to use
stream_context_create(['ssl' => [
'ciphers' => 'RC4-MD5'
]])
as #ChrisHaas suggested connecting with stream_context_create and stream_socket_client brings you a lot of option if you want to dictate the cert directory or you want to turn off certificate check.
Per the documentation for fsockopen
The function stream_socket_client() is similar but provides a richer set of options, including non-blocking connection and the ability to provide a stream context.
Basically, fsockopen is very low-level but without many options, or, arguably, "sane defaults".
Instead, you can switch to stream_socket_client which will allow you to specify a context as the last parameter, and that object has many options, including a dedicated one with over a dozen options specific to SSL. The object created from this function is compatible with fwrite and other functions, so it should do everything you are hoping for.
$context = stream_context_create([/*Options here*/]);
$connection = stream_socket_client($host, $errno, $errorString, 30, null, $context);
Now, what options should you use?
The worst option that might work is probably verify_peer. I say "worst" because you are throwing away the verifiability part of SSL/TLS and only using it for encryption, and doing this will make you susceptible to MitM attacks. However, there's a place and time for this, so you could try it if the other options are too complicated.
$context = stream_context_create(['ssl' => ['verify_peer' => false]]);
$connection = stream_socket_client($host, $errno, $errorString, 30, null, $context);
Instead, I'd recommend using either cafile or capath which do the same thing except the former is for a file while the latter is for a directory.
$context = stream_context_create(['ssl' => ['verify_peer' => true, 'cafile' => '/path/to/file']]);
$connection = stream_socket_client($host, $errno, $errorString, 30, null, $context);
What certs should you use? We use this library to pull in recent CA files on a periodic basis, very convenient. There's a little bit of setup that's per-project but once you get it it goes pretty fast. See this for pulling in a CA file at a well-known location.
One other last option is local_cert which you can use with a PEM file that holds the certificate and private key from the server, if you have access to that.
EDIT
The cert on mail.twmdata.org:993 is different than the web server's cert that other people are talking about, which is generally a best practice. You can inspect that cert using:
openssl s_client -connect mail.twmdata.org:993 -servername mail.twmdata.org
If you do that, you'll see that the server has a self-signed cert which you can get around by setting the verify_peer option to false.
Remove the # symbol. You are hiding error messages that might tell you what the problem is. You should also set a variable in the errorno argument to fsockopen() and echo it for debugging.
My guess would be that you haven't installed PHP with SSL support on your local server. See here.
Companyname.org might also block requests from your local server that are allowed from the production server.
I'm busy with a curl php library which needs to connect to an FTPS server.
I have this semi working... If I connect to ftp://domain.com then it does work. If I watch the comms on the server with tcpflow I see it logging in with AUTH TLS and and all the comms is encrypted. The file is uploaded so all's good..
What I'm unsure of is if its valid to try connecting instead to ftps://domain.com?
The reason I'm asking is because if I change the protocol from ftp to ftps in curl then the login fails and the server (watching tcpflow comms) says that the login has failed:
191.101.002.204.00021-088.099.012.154.51630: 530 Please login with USER and PASS.
Also, when I watch the comms when trying to connect to ftps:// I don't see the client issuing the AUTH TLS command as it does with plain ftp://
The problem I have is that it seems that my client's FTP server we have to ultimately connect to doesn't seem to allow connections without the ftps:// protocol.
If I connect using lftp I can do so using ftps:// but then I have to disable ssl:
set ftp://ssl-allow no
If I try the lftp connection using ftp:// it just hangs on the login command...
I'm not really that experienced with FTP or TLS / SSL so I don't know if its maybe because the client's server doesn't have the certificates set up correctly..
Here is a portion of my curl code which works with ftp:// but not ftps://
// Works
$url = "ftp://proxy.plettretreat.co.za/";
// Does not work
$url = "ftps://proxy.plettretreat.co.za/";
$port = 990;
$username = "ftpuser";
$password = "pass";
$filename = "/test.php";
$file = dirname(__FILE__)."/test.php";
$c = curl_init();
// check for successful connection
if ( ! $c)
throw new Exception( 'Could not initialize cURL.' );
$options = array(
CURLOPT_USERPWD => $username.':'.$password,
CURLOPT_SSL_VERIFYPEER => 0,
CURLOPT_SSL_VERIFYHOST => 0,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_BINARYTRANSFER => 1,
CURLOPT_FTP_SSL => CURLFTPSSL_ALL, // require SSL For both control and data connections
CURLOPT_FTPSSLAUTH => CURLFTPAUTH_TLS, // let cURL choose the FTP authentication method (either SSL or TLS)
CURLOPT_UPLOAD => true,
CURLOPT_PORT => $port,
CURLOPT_TIMEOUT => 30,
);
Another thing I'm unsure of is that my client has given me an IP address to connect to.. Can an IP address be used in ftps? I would have thought that certificates are mostly certifying a domain name?
tl;dr
1) Can I use ftps://domain.com to connect using CURL PHP?
2) If I can use ftps:// in curl, then how do I get curl to log in (issue auth tls command)?
3) Can an FTP server use SSL / TLS with only an IP address?
Thanks...
John
Many many hours of struggling led me to an eventual answer.
Part of the answer was that the client server and the FTP server had "overly" strict firewall rules blocking the passive ports.
I was getting the following error:
Error no: 35; Error: SSL connect error.
Error 35 was because of the firewall rules. Once those were relaxed that error went away, but as a note, you will also see this error if the client machine is NAT'ed. If it is you need to set the curl option:
curl_setopt($c, CURLOPT_FTPPORT, '1.2.4.5' ); // change to your actual IP.
This tells the FTP server where to open up its data channel (instead of trying to open it to the client server's internal address).
Anyway, once the firewall and FTPPORT options were set I got:
Error no: 30; Error: bind(port=0) failed: Cannot assign requested address
This one baffled me for quite a while as everything looked correct.
I eventually stumbled upon a few thread here and elsewhere which talk about an issue with older versions of Curl using NSS for its encryption. I checked and I was using libcurl version 7.19.7 (about 8 years old) and sure enough it uses NSS...
I updated my Curl using this guide: https://www.digitalocean.com/community/questions/how-to-upgrade-curl-in-centos6.
That updated me to libcurl 7.52.1 which uses OpenSSL and lo and behold, my app started working...
So, if you're having issues connecting curl-ftp to a FTPS server, check the FTPPORT (passive IP) if you're NAT'ed, check your firewall, but most importantly, check your curl:
<?php
print print_r(curl_version());
?>
I hope this helps someone..
Sometimes fail to call the web service.
This problem happens all the time.
What could be the problem?
Error:
SoapFault exception: [HTTP] Could not connect to host in
0 [internal function]: SoapClient->__doRequest('<?xml version="...', http://.', '', 1, 0)
The problem was solved.The problem is the cache
ini_set('soap.wsdl_cache_enabled',0);
ini_set('soap.wsdl_cache_ttl',0);
I am adding my comment for completeness, as the solutions listed here did not help me. On PHP 5.6, SoapClient makes the first call to the specified WSDL URL in SoapClient::SoapClient and after connecting to it and receiving the result, it tries to connect to the WSDL specified in the result in:
<soap:address location="http://"/>
And the call fails with error Could not connect to host if the WSDL is different than the one you specified in SoapClient::SoapClient and is unreachable (my case was SoapUI using http://host.local/).
The behaviour in PHP 5.4 is different and it always uses the WSDL in SoapClient::SoapClient.
The host is either down or very slow to respond. If it's slow to respond, you can try increasing the timeout via the connection_timeout option or via the default_socket_timeout setting and see if that reduces the failures.
http://www.php.net/manual/en/soapclient.soapclient.php
http://www.php.net/manual/en/filesystem.configuration.php#ini.default-socket-timeout
You can also include error handling as zanlok pointed out to retry a few times. If you have users actually waiting on these SOAP calls then you'll want to queue them up and process them in the background and notify the user when they're finished.
A misconfigured service leaves the default namespace with tempuri.org
This means the connection to the wsdl will work, but the function call will fail.
Stacktrace:
SoapClient->__doRequest('http://example.com...', 'http://tempuri.org....', 2, 0)
To remediate this, you must explicitly set the location using __setLocation()
$this->soapClient = new \SoapClient(WS_URL);
$this->soapClient->__setLocation(WS_URL);
This work for me
$opts = array(
'ssl' => array('verify_peer' => false, 'verify_peer_name' => false)
);
if (!isset($this->soap_client)) {
$this->soap_client = new SoapClient($this->WSDL, array(
'soap_version' => $this->soap_version,
'location' => $this->URL,
'trace' => 1,
'exceptions' => 0,
'stream_context' => stream_context_create($opts)
));
there is a soap config section in your php.ini file, which control the wsdl access cache, may be shown as:
[soap]
; Enables or disables WSDL caching feature.
soap.wsdl_cache_enabled=1 ;
Sets the directory name where SOAP extension will put cache files.
soap.wsdl_cache_dir="/tmp"
; (time to live) Sets the number of second while cached file will be used ; instead of original one.
soap.wsdl_cache_ttl=86400
if wsdl file cache is enabled, it may cause this problem when changing wsdl URI in php code.
in this example, you can just delete file start with wsdl- under /tmp directory.
or you just set soap.wsdl_cache_enabled=0; and soap.wsdl_cache_ttl=0;
PHP will fetch the wsdl file every-time you visit the page.
In our case, it was a Ciphers negotiation problem. We were getting this error randomly. We solved our problem by forcing a Cipher like this:
$soapClient = new SoapClient ('http://example.com/soap.asmx?wsdl',
array (
"stream_context" => stream_context_create (
array (
'ssl' => array (
'ciphers'=>'AES256-SHA'
)
)
)
)
);
Looks like PHP wasn't negotiating the same Ciphers at each service call.
In my case it worked after the connection to the wsdl, use the function __setLocation() to define the location again because the call fails with the error:
Could not connect to the host
This happens if the WSDL is different to the one specified in SoapClient::SoapClient.
I hit this issue myself and after much digging I eventually found this bug for ubuntu:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371
specifically
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371/comments/62
openssl s_client -connect site.tld:443 failed however openssl s_client -tls1 -connect site.tld:443 gave success. In my particular case part of the output included
New, TLSv1/SSLv3, Cipher is RC4-MD5 so I set the php context ssl/cipher value appropriately.
It seems the error SoapFault exception: Could not connect to host can be caused be several different things. In my cased it wasn't caused by proxy, firewall or DNS (I actually had a SOAP connection from the same machine working using nusoap without any special setup).
Finally I found that it was caused by an invalid pem file which I referenced in the local_cert option in my SoapClient contructor.
Solution:
When I removed the certificate chain from the pem file, so it only contained certificate and private key, the SOAP calls started going through.
For me it was a certificate problem. Following worked for me
$context = stream_context_create([
'ssl' => [
// set some SSL/TLS specific options
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true
]
]);
$client = new SoapClient(null, [
'location' => 'https://...',
'uri' => '...',
'stream_context' => $context
]);
In my case service address in wsdl is wrong.
My wsdl url is.
https://myweb.com:4460/xxx_webservices/services/ABC.ABC?wsdl
But service address in that xml result is.
<soap:address location="http://myweb.com:8080/xxx_webservices/services/ABC.ABC/"/>
I just save that xml to local file and change service address to.
<soap:address location="https://myweb.com:4460/xxx_webservices/services/ABC.ABC/"/>
Good luck.
I finally found the reason,its becuse of the library can't find a CA bundle on your system.
PHP >= v5.6 automatically sets verify_peer to true by default. However, not all systems have a known CA bundle on disk .
You can try one of these procedures:
1.If you have a CA file on your system, set openssl.cafile or curl.cainfo in your php.ini to the path of your CA file.
2.Manually specify your SSL CA file location
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($cHandler, CURLOPT_CAINFO, $path-of-your-ca-file);
3.disabled verify_peer
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
For those who struggled the same as me with laravel artisan console command that makes a lot of requests to same wsdl of external soap server and then after some time fails with Could not connect to host error.
The problem was because I was creating new SoapClient instance each time before request was made. Do not do that. Create it once and make each request from the same client.
Hope it helps.
For me it was a DNS issue. My VPS's nameservers crapped out, so I switched to Google's by editing my /etc/resolv.conf to be:
nameserver 8.8.8.8
nameserver 8.8.4.4
If you have a firewall on your server, make sure to open the port used by SOAP.
In my case, I had to open the port 1664.
iptables -t filter -A INPUT -p tcp --dport 1664 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 1664 -j ACCEPT
if ujava's solution can't help you,you can try to use try/catch to catch this fatal,this works fine on me.
try{
$res = $client->__call('LineStopQueryJson',array('Parameters' => $params));
}catch(SoapFault $e){
print_r($client);
}
With me, this problem in base Address in app.config of WCF service:
When I've used:
<baseAddresses><add baseAddress="http://127.0.0.1:9022/Service/GatewayService"/> </baseAddresses>
it's ok if use .net to connect with public ip or domain.
But when use PHP's SoapClient to connect to "http://[online ip]:9022/Service/GatewayService", it's throw exception "Coulod not connect to host"
I've changed baseAddress to [online ip]:9022 and everything's ok.
Another possible reason for this error is when you are creating and keeping too many connections open.
SoapClient sends the HTTP Header Connection: Keep-Alive by default (through the constructor option keep_alive). But if you create a new SoapClient instance for every call in your queue, this will create and keep-open a new connection everytime. If the calls are executed fast enough, you will eventually run into a limit of 1000 open connections or so and this results in SoapFault: Could not connect to host.
So make sure you create the SoapClient once and reuse it for subsequent calls.
I had a bad php.ini configuration. Verify the path and the certificate validity...
[openssl]
openssl.cafile = "C:/good/phpath/ca-bundle.crt"
Because my new \SoapClient($wsdl) was https !
Just to help other people who encounter this error, the url in <soap:address location="https://some.url"/> had an invalid certificate and caused the error.
For me, this was a problem in the httpd service (Fedora 24). A simple restart did the trick:
sudo service httpd restart
If the connection is through SSL, could be a problem of server instead of client (it is my case).
In PHP versions greater than 5.6 and 7, is important to check the CipherSuite used in server certificate.
There is a full list of ciphers allowed by this versions and a full list of ciphers that do not in this web link: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Ciphersuite
If the cipher used is not allowed (it is a deprecated algorithm), SoapClient receives "Could not connect to host" and there is no more trace about it.
The cipher used can be checked by clients like SoapUI in the section of "SSL Info", for example.
There is no thread forum treating about this in internet.
Check this out, too: http://php.net/manual/en/migration56.openssl.php
In my case the host requires TLS 1.2 so needed to enforce using the crypto_method ssl param.
$client = new SoapClient($wsdl,
array(
'location' => $location,
'keep_alive' => false,
"stream_context" => stream_context_create([
'ssl' => [
'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
]
]),
'trace' => 1, // used for debug
)
);
In my case, disabled SELINUX allow PHP to call my WebService.
I run PHP in FPM with Apache2
SELinux status :
# sestatus
Disable SELinux :
setenforce 0
Enable SELinux :
# setenforce 1
Permanent disable :
edit this file /etc/selinux/config
Version check helped me OpenSSL. OpenSSL_1_0_1f not supported TSLv.1_2 !
Check version and compatibility with TSLv.1_2 on github openssl/openssl
. And regenerate your certificate with new openssl
openssl pkcs12 -in path.p12 -out newfile.pem
P.S I don’t know what they were minus, but this solution will really help.
That most likely refers to a connection issue. It could be either that your internet connection was down, or the web service you are trying to use was down. I suggest using this service to see if the web service is online or not: http://downforeveryoneorjustme.com/