By: luisroc

Cannot communicate securely with peer: no common encryption algorithm(s)

July 17, 2017 2.7k views

Hi there, I have a question. My VPS (CentOS 7) works fine, but I recently uploaded a PHP script that allows payments with PayPal via REST; unfortunately, I always receive the following exception:
Fatal error: Uncaught exception 'PayPal\Exception\PayPalConnectionException' with message 'Cannot communicate securely with peer: no common encryption algorithm(s).' in **/*/paypal/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConnection.php:137

I tested the script in a couple of servers more and everything works fine, I don't know if there's a configuration I'm missing.
Can anyone help me with this? I don't know what can be the problem.

Greetings!

2 Answers
hansen July 18, 2017
Accepted Answer

@luisroc

I'm not sure, but I guess PayPal maybe does a reverse check. And if they do, then yes, a self-signed certificate is not allowed.
You either need to use Let's Encrypt (which is free) or buy a certificate.

And according to checking your certificate, it states that you're running OpenSSL/1.0.1e-fips in Apache/2.4.6, which is probably the reason why you're getting the error, since that version of OpenSSL is old and insecure.

  • @luisroc
    By the way, you might want to allow IPv6 traffic to your Apache 443 port, since you have configured the DNS with IPv6, but you're not allowing traffic through.

    If you're unsure what to do, then just paste your Apache VirtualHost configuration here (please use the </> button in the comment editor to preserve formatting) and I'll try to make the correct configuration and then we're going to add Let's Encrypt, so we have proper HTTPS, which doesn't give a warning.

    • ok sure, this is my config file:

      <VirtualHost 138.197.45.62:80 [2604:a880:800:10::20bb:6001]:80>
      
          ServerName pbpusa.org
          ServerAlias www.pbpusa.org
          ServerAdmin info@pbpusa.org
          DocumentRoot /home/admin/web/pbpusa.org/public_html
          ScriptAlias /cgi-bin/ /home/admin/web/pbpusa.org/cgi-bin/
          Alias /vstats/ /home/admin/web/pbpusa.org/stats/
          Alias /error/ /home/admin/web/pbpusa.org/document_errors/
          #SuexecUserGroup admin admin
          CustomLog /var/log/httpd/domains/pbpusa.org.bytes bytes
          CustomLog /var/log/httpd/domains/pbpusa.org.log combined
          ErrorLog /var/log/httpd/domains/pbpusa.org.error.log
          <Directory /home/admin/web/pbpusa.org/public_html>
              AllowOverride All
              Options +Includes -Indexes +ExecCGI
              php_admin_value open_basedir /home/admin/web/pbpusa.org/public_html:/home/admin/tmp
              php_admin_value upload_tmp_dir /home/admin/tmp
              php_admin_value session.save_path /home/admin/tmp
          </Directory>
          <Directory /home/admin/web/pbpusa.org/stats>
              AllowOverride All
          </Directory>
      
          <IfModule mod_ruid2.c>
              RMode config
              RUidGid admin admin
              RGroups apache
          </IfModule>
          <IfModule itk.c>
              AssignUserID admin admin
          </IfModule>
      
          IncludeOptional /home/admin/conf/web/httpd.pbpusa.org.conf*
      
      </VirtualHost>
      
      
  • Excellent, I'll try to update my apache and open ssl and check the certificate. Thanks for your time and answers.

  • @luisroc
    Can you also post your VirtualHost configuration for the HTTPS (port 443)?

    • Sure:

      <VirtualHost 138.197.45.62:443>
      
          ServerName pbpusa.org
          ServerAlias www.pbpusa.org
          ServerAdmin info@pbpusa.org
          DocumentRoot /home/admin/web/pbpusa.org/public_html
          ScriptAlias /cgi-bin/ /home/admin/web/pbpusa.org/cgi-bin/
          Alias /vstats/ /home/admin/web/pbpusa.org/stats/
          Alias /error/ /home/admin/web/pbpusa.org/document_errors/
          #SuexecUserGroup admin admin
          CustomLog /var/log/httpd/domains/pbpusa.org.bytes bytes
          CustomLog /var/log/httpd/domains/pbpusa.org.log combined
          ErrorLog /var/log/httpd/domains/pbpusa.org.error.log
          <Directory /home/admin/web/pbpusa.org/public_html>
              AllowOverride All
              SSLRequireSSL
              Options +Includes -Indexes +ExecCGI
              php_admin_value open_basedir /home/admin/web/pbpusa.org/public_html:/home/admin/tmp
              php_admin_value upload_tmp_dir /home/admin/tmp
              php_admin_value session.save_path /home/admin/tmp
          </Directory>
          <Directory /home/admin/web/pbpusa.org/stats>
              AllowOverride All
          </Directory>
          SSLEngine on
          SSLVerifyClient none
          SSLCertificateFile /home/admin/conf/web/ssl.pbpusa.org.crt
          SSLCertificateKeyFile /home/admin/conf/web/ssl.pbpusa.org.key
          #SSLCertificateChainFile /home/admin/conf/web/ssl.pbpusa.org.ca
      
          <IfModule mod_ruid2.c>
              RMode config
              RUidGid admin admin
              RGroups apache
          </IfModule>
          <IfModule itk.c>
              AssignUserID admin admin
          </IfModule>
      
          IncludeOptional /home/admin/conf/web/shttpd.pbpusa.org.conf*
      
      </VirtualHost>
      
      
      • @luisroc
        Okay, just wanted to see the configuration, if it was different in some ways.
        Can you change your HTTP from this:

        <VirtualHost 138.197.45.62:80 [2604:a880:800:10::20bb:6001]:80>
        

        To this:

        <VirtualHost *:80>
        

        Because then we don't have to think about IP address changes, since it will be listening on all interface IPs.

        And then remove your HTTPS (the port 443) VirtualHost configuration completely, since we're going to remake it with Let's Encrypt instead.

        Then we check the configuration and restart Apache:

        sudo apachectl configtest
        sudo systemctl restart httpd
        

        Then you follow the tutorial for setting up Let's Encrypt. You can skip step 2.
        https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7

        SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free. This tutorial will show you how to set up a TLS/SSL certificate from Let’s Encrypt on a CentOS 7 server running Apache as a web server. Additionally, we will cover how to automate the certificate renewal process using a cron job.
        • Sir, thanks so much for your time and your help.
          The guide you provided me didn't work for me but I followed this one:
          https://gethttpsforfree.com/
          and everything works now!
          I have free SSL for my site and updated my PayPal API and now everything is working fine!
          Thanks for all!

Hi @luisroc

Which version of PHP, cURL and OpenSSL are you using?
My guess would be that one of these libraries is outdated and using an old algorithm (SSL or TLSv1) to try to communicate with PayPal, which they don't allow.

  • Hi, thanks for answer.
    My PHP version is PHP 5.6.31

    My CURL version:
    curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 NSS/3.28.4 zlib/1.2.7 libpsl/0.7.0 (+libicu/50.1.2) libssh2/1.8.0 nghttp2/1.21.1
    Release-Date: 2017-06-14

    and openssl:
    OpenSSL 1.0.2l 25 May 2017

    Is there something outdated or missing? Thanks

    • @luisroc

      You're right, that's not outdated at all.

      Can you post what's on line 137 (exactly) in this file:

      **/*/paypal/paypal/rest-api-sdk-php/lib/PayPal/Core/PayPalHttpConnection.php
      

      Which version of the SDK are you using?
      https://github.com/paypal/PayPal-PHP-SDK/releases

      • Sure, the lines are:

        //Throw Exception if Retries and Certificates doesn't work
        if (curl_errno($ch)) {
            $ex = new PayPalConnectionException(
                $this->httpConfig->getUrl(),
                curl_error($ch),
                curl_errno($ch)
            );
            curl_close($ch);
            throw $ex;
        }

        I checked my sdk, I see the version is 1.6.3 or 1.6.4

        • @luisroc
          Okay, it's a fairly old SDK you're using and I can see that multiple bugs have been fixed involving cURL or SSL, so you might want to try a newer version.

          Are you running the same version of CentOS, PHP and cURL on the other servers, where the script is working fine?

          Some people are having issues on CentOS 7, but run the following command to update the central algorithm libraries:

          yum update nss nss-util nss-sysinit nss-tools
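The message in the original error, "Cannot communicate securely with peer: no common encryption algorithm(s)", is the text NSS uses when it finds no cipher suite or protocol version in common with the peer, which matches the `libcurl/7.54.1 NSS/3.28.4` build shown in the thread: the failure happens in the local TLS backend before PayPal ever sees the request. The following PHP script is an added example, not code from the thread or from the PayPal SDK. It repeats the SDK's cURL call in isolation, pinned to TLS 1.2 with certificate verification on, and reports which TLS backend PHP's cURL is using together with the cURL error, so the backend can be updated (the `nss*` packages for an NSS build, `openssl` for an OpenSSL build) before touching the application. The default URL is an assumed placeholder; pass the endpoint you actually call as the first argument.

```php
<?php
// Added diagnostic example, not part of the PayPal SDK or of the thread above.
// Usage: php tls12-probe.php https://api.example.test/   (the URL is an assumption)

// Report the PHP, cURL and TLS-backend versions, the three things asked for in the thread.
function describeTlsStack()
{
    $v = curl_version();                 // build info for the cURL extension
    return array(
        'php'  => PHP_VERSION,
        'curl' => $v['version'],
        'tls'  => $v['ssl_version'],     // e.g. "NSS/3.28.4" or "OpenSSL/1.0.2k-fips"
    );
}

// Perform only the handshake (no body) against $url, forcing TLS 1.2 and full
// peer verification, the same constraints a payment API enforces.
function probeTls12($url, $caBundle = null)
{
    $ch = curl_init($url);
    $opts = array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,  // HEAD-style request: the handshake is what we test
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_SSL_VERIFYPEER => true,  // never disable this to "fix" the error
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 15,
    );
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle;   // optional explicit CA bundle path
    }
    curl_setopt_array($ch, $opts);
    curl_exec($ch);
    $result = array(
        'ok'        => curl_errno($ch) === 0,
        'errno'     => curl_errno($ch),
        'error'     => curl_error($ch),
        'http_code' => curl_getinfo($ch, CURLINFO_HTTP_CODE),
    );
    curl_close($ch);
    return $result;
}

// Turn the raw cURL result into the diagnosis a practitioner wants.
function explain($result, $stack)
{
    if ($result['ok']) {
        return "TLS 1.2 handshake succeeded (HTTP {$result['http_code']}) using {$stack['tls']}.";
    }
    // CURLE_SSL_CONNECT_ERROR (35) is how the thread's failure surfaces: the local
    // backend and the peer found no mutually acceptable protocol or cipher suite.
    if ($result['errno'] === CURLE_SSL_CONNECT_ERROR) {
        return "Handshake failed inside the local TLS backend ({$stack['tls']}): {$result['error']}. "
             . "Update that backend (nss* packages for NSS, openssl for OpenSSL) and retry.";
    }
    if ($result['errno'] === CURLE_SSL_CACERT) {
        return "Peer certificate could not be verified: {$result['error']}. "
             . "Update the CA bundle (ca-certificates) or point CURLOPT_CAINFO at a current one.";
    }
    return "cURL error {$result['errno']}: {$result['error']}";
}

$url   = isset($argv[1]) ? $argv[1] : 'https://api.example.test/';  // placeholder endpoint
$stack = describeTlsStack();
echo "PHP {$stack['php']}, cURL {$stack['curl']}, TLS backend {$stack['tls']}\n";
echo explain(probeTls12($url), $stack), "\n";
```

Run it with the same PHP binary that serves the site (`php -v` under the web user, or via `php-fpm` if that differs from the CLI build), because the cURL backend is a property of the PHP build, not of the system `curl` binary whose `--version` output was pasted in the thread. If the probe succeeds here but the SDK still fails, the SDK version itself is the remaining variable, as the answer above suggests.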
          