micahdg Posted March 8
Can someone help me find the url that an Invision Community 4 upgrade license check hits to verify the license key? From multiple servers over multiple days and multiple copies of the 4.7.15 software, I always get "There was an error communicating with the IPS License Server. Please try again later or contact IPS technical support for assistance." I'd like to troubleshoot whether this url is being blocked by my infrastructure. Thanks for any pointers you can give me.
teraßyte Posted March 8
It calls this domain to check the license:
Quote
    https://remoteservices.invisionpower.com
Make sure your server can reach it. The editor's code button doesn't work, so I put it inside a quote. (I'll make a separate bug report for it.)
micahdg Posted March 8 Author (edited)
Thank you very much for the url. From my server I can ping, telnet, and get good nslookup data from the address.
Quote
    # ping remoteservices.invisionpower.com
    PING remoteservices.invisionpower.com (18.173.132.35) 56(84) bytes of data.
    64 bytes from server-18-173-132-35.jfk52.r.cloudfront.net (18.173.132.35): icmp_seq=1 ttl=249 time=1.73 ms
    64 bytes from server-18-173-132-35.jfk52.r.cloudfront.net (18.173.132.35): icmp_seq=2 ttl=249 time=1.59 ms
    64 bytes from server-18-173-132-35.jfk52.r.cloudfront.net (18.173.132.35): icmp_seq=3 ttl=249 time=1.13 ms
Quote
    # telnet remoteservices.invisionpower.com 443
    Trying 18.173.132.60...
    Connected to remoteservices.invisionpower.com.
    Escape character is '^]'.
    ^]
    telnet>
Quote
    # nslookup remoteservices.invisionpower.com
    Server: 67.207.67.3
    Address: 67.207.67.3#53

    Non-authoritative answer:
    Name: remoteservices.invisionpower.com
    Address: 18.173.132.64
Do you know if this is something I can open a ticket for?
Edited March 8 by micahdg
Randy Calvert Posted March 8 (edited)
If you can’t reach the license server but you can ping it… I would check if your curl supports TLS 1.2. If you ONLY accept 1.1 or 1.3 you will likely have problems.
Edited March 8 by Randy Calvert
micahdg Posted March 8 Author
Quote
    # openssl ciphers -v | awk '{print $2}' | sort | uniq
    SSLv3
    TLSv1
    TLSv1.2
    TLSv1.3
Marc Posted March 8
In reality, if this is being an issue with multiple sites on multiple servers but all within your infrastructure, you need to speak to the person who controls that infrastructure. The reality is, if the licensing was down, we would know very very quickly from many many clients.
micahdg Posted March 8 Author
Sorry, I meant the infrastructure I use at two different hosts/datacenters/linux distros etc, in which the only real similarity between the two is that I rent them. I set up this newest one exclusively to gain access to php 8 for installing IB forums' latest version. I'm able to curl GET/PUT/POST from both servers to other companies' servers with successful responses. I'm able to connect and negotiate http2 and tls 1.2 but then get a 500 from invision's servers hosted or routed through cloudfront.net, presumably because I'm not offering the required query params or body:
Quote
    > Host: remoteservices.invisionpower.com
    > user-agent: curl/7.76.1
    > accept: */*
    >
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    * TLSv1.2 (OUT), TLS header, Unknown (23):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    * TLSv1.2 (IN), TLS header, Unknown (23):
    < HTTP/2 500
    < content-type: text/html; charset=UTF-8
    < content-length: 0
    < date: Fri, 08 Mar 2024 14:31:05 GMT
    < set-cookie: AWSALB=UOaZRIV6XnVGekLH+q7Kxxcs9KZC6NpJ29N7POu8K4YhUYmZybq36h1vSprmzhFvQqU+eIHlPpjGStOVGsv82U09+XOc9qKPhmN0munQPiue8jqgTAop8THeyy0b; Expires=Fri, 15 Mar 2024 14:31:05 GMT; Path=/
    < set-cookie: AWSALBCORS=UOaZRIV6XnVGekLH+q7Kxxcs9KZC6NpJ29N7POu8K4YhUYmZybq36h1vSprmzhFvQqU+eIHlPpjGStOVGsv82U09+XOc9qKPhmN0munQPiue8jqgTAop8THeyy0b; Expires=Fri, 15 Mar 2024 14:31:05 GMT; Path=/; SameSite=None
    < server: Apache
    < x-cache: Error from cloudfront
    < via: 1.1 c28d583393bad4965b8efa4ef27ccc9e.cloudfront.net (CloudFront)
    < x-amz-cf-pop: JFK52-P2
    < x-amz-cf-id: j5hBRPbPh70PnjcT7Wkd8VlYQ5Ko-5IrAdMEvJg7PE4gkBDFYn_nEw==
    <
    * Connection #0 to host remoteservices.invisionpower.com left intact
Is there a way to obtain what the whole request to https://remoteservices.invisionpower.com should look like? Query parameters, body, http method, etc?
That would allow me (while inserting my own license key) to truly test this flow. Thank you for your patience and suggestions so far.
Marc Posted March 8
It would actually be calling https://remoteservices.invisionpower.com/license/{key}
micahdg Posted March 8 Author
Thank you, Marc. When I curl POST to that URL, I get this response body, which seems okay:
Quote
    {
      "key": "[redacted]",
      "url": "http:\/\/www.[redacted unless you need it].com\/forums",
      "test_url": null,
      "active": true,
      "cloud": false,
      "expires": "2024-09-01 16:41:19",
      "products": {
        "forums": true,
        "calendar": true,
        "spam": true
      },
      "chat_limit": 5,
      "support": "Standard",
      "account": 5733,
      "alts": "",
      "legacy": false,
      "plan": null,
      "is_5": 0
    }
The url matches the url I'm attempting to run the upgrade from (including the http vs https), and the same info matches in the conf_global.php. What's next? 😄
Randy Calvert Posted March 8
Are you using some sort of WAF or Cloudflare on your site?
micahdg Posted March 8 Author
No cloudflare currently fronting the server, and I didn't pay for any WAF or ddos services yet. SELinux is enabled and the firewall is currently not installed.
Jim M Posted March 8
Anything security enhanced may be blocking it. I would check your server logs and consult with your server administrator to temporarily disable it or whitelist the subdomain.
micahdg Posted March 8 Author
I am the server administrator. There is no whitelist. Given what I've posted above, from my server I can POST to the license URL and get a response body. Additionally, the requirements checker here works well: Screenshot of the output is somewhere below. Two of the steps this requirements checker does include hitting these two URLs:
    https://remoteservices.invisionpower.com/requirements
    https://remoteservices.invisionpower.com/updateCheck
These are both successful. Any way to make the php output more of the error? It's sadly quite generic: "There was an error communicating with the IPS License Server. Please try again later or contact IPS technical support for assistance."
Stuart Silvester Posted March 8
If it could connect successfully, it would not say 4.x, it would say 4.7. It looks like it's falling back to the hard coded base requirements. You can temporarily enable the DEBUG_LOG constant, send the license request and then immediately remove it (it can generate a lot of logs). Then you should be able to find a log of the HTTP request in the system logs.
teraßyte Posted March 8
@micahdg Your screenshot says PHP 8.2. Try downgrading to 8.1 because 8.2 is not supported. This comes up often. IPS should really update the requirements checker script to throw an error for PHP 8.2+. I've already seen some people use even 8.3... 🙄
micahdg Posted March 9 Author
@teraßyte I downgraded to php 8.1 and see the same results 😞 Great idea, though.
@Stuart Silvester I see what you're talking about now - that 4.x reference means the requirements check isn't able to connect to the urls below, either. For some reason I thought I inadvertently resolved that issue a few days ago, but in fact I just hadn't refreshed the ips4.php file until after downgrading php to 8.1.
Quote
    # vi /var/www/html/forums/ips4.php
    $remoteRequirements = json_decode( file_get_contents( 'https://remoteservices.invisionpower.com/requirements', FALSE, $streamContext ), TRUE );
    $latestVersion = json_decode( file_get_contents( 'https://remoteservices.invisionpower.com/updateCheck', FALSE, $streamContext ), TRUE );
    $majorVersion = '4.x';
Quote
    # less /var/log/php-fpm/www-error.log
    [09-Mar-2024 16:28:27 UTC] PHP Warning: file_get_contents(https://remoteservices.invisionpower.com/requirements): Failed to open stream: Permission denied in /var/www/html/forums/ips4.php on line 4
    [09-Mar-2024 16:28:27 UTC] PHP Warning: file_get_contents(https://remoteservices.invisionpower.com/updateCheck): Failed to open stream: Permission denied in /var/www/html/forums/ips4.php on line 5
I was able to get more precise google search results using "php8 file_get_contents Failed to open stream: Permission denied in" and found the suggestion that SELinux is causing the problem, so I executed the following two commands:
Quote
    # sudo setsebool -P httpd_can_network_connect 1
    # sudo setsebool -P httpd_unified 1
These commands appear to give apache access to the network and internet. And now the install script can reach the license server 😄
So in the end, it was my own local security issue even though curls worked great. I confess I'm not super familiar with SELinux. Thank you for your patience and assistance! Hopefully this rabbit trail helps someone else in the future. This is all running on CentOS Stream 9, rhel 9 on a DigitalOcean vps.
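Why curl from a shell succeeded while PHP under the web server failed, as an added example that is not part of the original thread: an interactive shell normally runs unconfined, while php-fpm runs in the httpd_t domain, so the block shows up only as an AVC denial in the audit log. The script filters audit records for httpd_t outbound-connect denials; the sample records and the function names are constructed for illustration.

```shell
# Added example: summarise SELinux denials of outbound TCP connects made from
# the web server domain (httpd_t, which also covers php-fpm on RHEL-family hosts).
# On a live host feed it real records:  ausearch -m AVC -ts recent | httpd_egress_denials

# Constructed sample audit records (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1709999307.101:411): avc:  denied  { name_connect } for  pid=2310 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1709999307.340:412): avc:  denied  { name_connect } for  pid=2310 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1709999311.009:413): avc:  denied  { read } for  pid=2311 comm="php-fpm" name="conf_global.php" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1709999320.500:414): avc:  denied  { name_connect } for  pid=900 comm="sshd" dest=8443 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Reads audit records on stdin; prints "<comm> <dest-port> <count>" for each
# httpd_t name_connect denial, the kind httpd_can_network_connect governs.
httpd_egress_denials() {
  awk '
    /avc:/ && /denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ && /tclass=tcp_socket/ {
      comm = ""; dest = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/) { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^dest=/) { dest = $i; sub(/^dest=/, "", dest) }
      }
      count[comm " " dest]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Prints the setsebool command from the thread when such denials are present,
# otherwise "none" (the cause lies elsewhere, e.g. a file-label denial).
recommend_fix() {
  if [ -n "$(httpd_egress_denials)" ]; then
    echo "setsebool -P httpd_can_network_connect 1"
  else
    echo "none"
  fi
}

sample_audit_log | httpd_egress_denials
sample_audit_log | recommend_fix
```

Only httpd_can_network_connect relates to name_connect denials; httpd_unified covers how httpd handles content file types and can be evaluated separately.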