Posted

Can someone help me find the url that an Invision Community 4 upgrade license check hits to verify the license key? From multiple servers over multiple days and multiple copies of the 4.7.15 software, I always get "There was an error communicating with the IPS License Server. Please try again later or contact IPS technical support for assistance." I'd like to troubleshoot whether this url is being blocked by my infrastructure. Thanks for any pointers you can give me.

Posted

It calls this domain to check the license:

Quote

https://remoteservices.invisionpower.com

Make sure your server can reach it.

 

The editor's code button doesn't work, so I put it inside a quote. (I'll make a separate bug report for it.)

Posted (edited)

Thank you very much for the url.

From my server I can ping, telnet, and get good nslookup data from the address.

Quote

# ping remoteservices.invisionpower.com
PING remoteservices.invisionpower.com (18.173.132.35) 56(84) bytes of data.
64 bytes from server-18-173-132-35.jfk52.r.cloudfront.net (18.173.132.35): icmp_seq=1 ttl=249 time=1.73 ms
64 bytes from server-18-173-132-35.jfk52.r.cloudfront.net (18.173.132.35): icmp_seq=2 ttl=249 time=1.59 ms
64 bytes from server-18-173-132-35.jfk52.r.cloudfront.net (18.173.132.35): icmp_seq=3 ttl=249 time=1.13 ms

Quote

# telnet remoteservices.invisionpower.com 443
Trying 18.173.132.60...
Connected to remoteservices.invisionpower.com.
Escape character is '^]'.
^]
telnet>
 

Quote

# nslookup remoteservices.invisionpower.com
Server:         67.207.67.3
Address:        67.207.67.3#53

Non-authoritative answer:
Name:   remoteservices.invisionpower.com
Address: 18.173.132.64
 

Do you know if this is something I can open a ticket for?

Edited by micahdg
Posted (edited)

If you can’t reach the license server but you can ping it… I would check if your curl supports TLS 1.2.  If you ONLY accept 1.1 or 1.3 you will likely have problems. 

Edited by Randy Calvert
Posted

In reality, if this is an issue with multiple sites on multiple servers but all within your infrastructure, you need to speak to the person who controls that infrastructure. The reality is, if the licensing was down, we would know very very quickly from many many clients.

Posted

Sorry, I meant the infrastructure I use at two different hosts/datacenters/linux distros etc, in which the only real similarity between the two is that I rent them. I set up this newest one exclusively to gain access to php 8 for installing IB forums' latest version.

I'm able to curl GET/PUT/POST from both servers to other companies' servers with successful responses.

I'm able to connect and negotiate http2 and tls 1.2 but then get a 500 from invision's servers hosted or routed through cloudfront.net, presumably because I'm not offering the required query params or body:

Quote

> Host: remoteservices.invisionpower.com
> user-agent: curl/7.76.1
> accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.2 (IN), TLS header, Unknown (23):
< HTTP/2 500
< content-type: text/html; charset=UTF-8
< content-length: 0
< date: Fri, 08 Mar 2024 14:31:05 GMT
< set-cookie: AWSALB=UOaZRIV6XnVGekLH+q7Kxxcs9KZC6NpJ29N7POu8K4YhUYmZybq36h1vSprmzhFvQqU+eIHlPpjGStOVGsv82U09+XOc9qKPhmN0munQPiue8jqgTAop8THeyy0b; Expires=Fri, 15 Mar 2024 14:31:05 GMT; Path=/
< set-cookie: AWSALBCORS=UOaZRIV6XnVGekLH+q7Kxxcs9KZC6NpJ29N7POu8K4YhUYmZybq36h1vSprmzhFvQqU+eIHlPpjGStOVGsv82U09+XOc9qKPhmN0munQPiue8jqgTAop8THeyy0b; Expires=Fri, 15 Mar 2024 14:31:05 GMT; Path=/; SameSite=None
< server: Apache
< x-cache: Error from cloudfront
< via: 1.1 c28d583393bad4965b8efa4ef27ccc9e.cloudfront.net (CloudFront)
< x-amz-cf-pop: JFK52-P2
< x-amz-cf-id: j5hBRPbPh70PnjcT7Wkd8VlYQ5Ko-5IrAdMEvJg7PE4gkBDFYn_nEw==
<
* Connection #0 to host remoteservices.invisionpower.com left intact
 

Is there a way to obtain what the whole request to https://remoteservices.invisionpower.com should look like? Query parameters, body, http method, etc? That would allow me (while inserting my own license key) to truly test this flow.

Thank you for your patience and suggestions so far.

 

Posted

Thank you, Marc. When I curl POST to that URL, I get this response body, which seems okay:

Quote

{
    "key": "[redacted]",
    "url": "http:\/\/www.[redacted unless you need it].com\/forums",
    "test_url": null,
    "active": true,
    "cloud": false,
    "expires": "2024-09-01 16:41:19",
    "products": {
        "forums": true,
        "calendar": true,
        "spam": true
    },
    "chat_limit": 5,
    "support": "Standard",
    "account": 5733,
    "alts": "",
    "legacy": false,
    "plan": null,
    "is_5": 0
}

The url matches the url I'm attempting to run the upgrade from (including the http vs https), and the same info matches in the conf_global.php.

What's next? 😄 

Posted

No cloudflare currently fronting the server, and I didn't pay for any WAF or ddos services yet. SELinux is enabled and the firewall is currently not installed.

Posted

Anything security enhanced may be blocking it. I would check your server logs and consult with your server administrator to temporarily disable it or whitelist the subdomain. 

Posted

I am the server administrator. There is no whitelist. Given what I've posted above, from my server I can POST to the license URL and get a response body.

Additionally, the requirements checker here works well:

Screenshot of the output is somewhere below. Two of the steps this requirements checker does include hitting these two URLs:
https://remoteservices.invisionpower.com/requirements
https://remoteservices.invisionpower.com/updateCheck

These are both successful.

Any way to make the php output more of the error? It's sadly quite generic:
"There was an error communicating with the IPS License Server. Please try again later or contact IPS technical support for assistance."


Posted

If it could connect successfully, it would not say 4.x, it would say 4.7. It looks like it's falling back to the hard-coded base requirements.

You can temporarily enable the DEBUG_LOG constant, send the license request and then immediately remove it (it can generate a lot of logs). Then you should be able to find a log of the HTTP request in the system logs.

Posted

@micahdg Your screenshot says PHP 8.2. Try downgrading to 8.1 because 8.2 is not supported.

 

This comes up often. IPS should really update the requirements checker script to throw an error for PHP 8.2+. I've already seen some people use even 8.3... 🙄

Posted

 @teraßyte I downgraded to php 8.1 and see the same results 😞 Great idea, though.

@Stuart Silvester I see what you're talking about now - that 4.x reference means the requirements check isn't able to connect to the urls below, either. For some reason I thought I inadvertently resolved that issue a few days ago, but in fact I just hadn't refreshed the ips4.php file until after downgrading php to 8.1.

Quote

# vi /var/www/html/forums/ips4.php

$remoteRequirements = json_decode( file_get_contents( 'https://remoteservices.invisionpower.com/requirements', FALSE, $streamContext ), TRUE );
$latestVersion = json_decode( file_get_contents( 'https://remoteservices.invisionpower.com/updateCheck', FALSE, $streamContext ), TRUE );
$majorVersion = '4.x';

Quote

# less /var/log/php-fpm/www-error.log

[09-Mar-2024 16:28:27 UTC] PHP Warning:  file_get_contents(https://remoteservices.invisionpower.com/requirements): Failed to open stream: Permission denied in /var/www/html/forums/ips4.php on line 4
[09-Mar-2024 16:28:27 UTC] PHP Warning:  file_get_contents(https://remoteservices.invisionpower.com/updateCheck): Failed to open stream: Permission denied in /var/www/html/forums/ips4.php on line 5

I was able to get more precise google search results using "php8 file_get_contents Failed to open stream: Permission denied in" and found the suggestion that SELinux is causing the problem, so I executed the following two commands:

Quote

# sudo setsebool -P httpd_can_network_connect 1
# sudo setsebool -P httpd_unified 1

These commands appear to give apache access to the network and internet. And now the install script can reach the license server 😄

So in the end, it was my own local security issue even though curls worked great. I confess I'm not super familiar with SELinux.

Thank you for your patience and assistance! Hopefully this rabbit trail helps someone else in the future. This is all running on CentOS Stream 9, rhel 9 on a DigitalOcean vps.
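
The pattern this thread ended on, as an added example that is not part of any post above: curl from a root shell runs unconfined, while PHP under php-fpm runs in the `httpd_t` domain, so only the latter is denied outbound connections. The script below picks those denials out of audit records; the sample records are constructed, and the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find SELinux denials that stop the
# web server domain (httpd_t) from opening outbound TCP connections.

# Constructed sample records in audit.log AVC format; PIDs, timestamps and
# the named_t line are made up for the demonstration.
SAMPLE_AUDIT='type=AVC msg=audit(1709998107.101:412): avc:  denied  { name_connect } for  pid=2211 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1709998107.154:413): avc:  denied  { name_connect } for  pid=2211 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1709998110.009:414): avc:  denied  { read } for  pid=2211 comm="php-fpm" name="upload.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1709998112.500:415): avc:  denied  { name_connect } for  pid=900 comm="named" dest=8080 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# Reads audit records on stdin; prints "<comm> <dest-port> <count>" per
# distinct httpd_t name_connect denial.
httpd_connect_denials() {
  awk '
    /avc:[ ]+denied/ && /[{] name_connect [}]/ &&
    /scontext=[^ ]*:httpd_t:/ && /tclass=tcp_socket/ {
      comm = "?"; dest = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/) { comm = $i; gsub(/^comm=|"/, "", comm) }
        if ($i ~ /^dest=/) { dest = substr($i, 6) }
      }
      seen[comm " " dest]++
    }
    END { for (k in seen) print k, seen[k] }
  ' | sort
}

# Exit status 0 when stdin shows the pattern from this thread.
httpd_egress_blocked() {
  [ -n "$(httpd_connect_denials)" ]
}

# Live use on the server (root): ausearch -m AVC -ts recent | httpd_connect_denials
# Then confirm the policy switch:  getsebool httpd_can_network_connect
if printf '%s\n' "$SAMPLE_AUDIT" | httpd_egress_blocked; then
  printf '%s\n' "$SAMPLE_AUDIT" | httpd_connect_denials
  echo "httpd_t denied outbound TCP; httpd_can_network_connect is the relevant boolean"
fi
```

Of the two booleans set above, `httpd_can_network_connect` is the one that governs outbound connections from `httpd_t`; `httpd_unified` relates to how web content file types are treated.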
