Hi,
I get this message when I try to get remote file content with php
PHP Warning: file_get_contents(): Failed to open stream: operation failed in /home/user/script.php
PHP Warning: file_get_contents(): Failed to enable crypto in /home/user/script.php
error:0A000086:SSL routines::certificate verify failed in /home/user/script.php
error:80000002:system library::No such file or directory
error:16000069:STORE routines::unregistered scheme
error:80000002:system library::No such file or directory
error:16000069:STORE routines::unregistered scheme
error:80000002:system library::No such file or directory
error:16000069:STORE routines::unregistered scheme
This happens on every virtual server (I’ve added a new domain to verify)
SSL is enabled and the cert is from Let’s Encrypt
Is there a solution to this?
Thanks
Yes pages are working correctly, https is fine, the cert tested with ssllabs.com is ok, rating A (really at first it was B but after some setting and changes in webmin/virtualmin now is A).
But remote calls fail
With curl I get this error: error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt
If I set CURLOPT_SSL_VERIFYPEER to false it works but it is not the solution
And however it works only on some domains but not on other domains that I need and where I have a 403 response, sure for something not working correctly my side
The same scripts on another server (with CentOS and another control panel) work without any problem
I’m testing first time Virtualmin (all new to me) and for me this is a big problem as I use php for my work
Any ideas?
this is the default configuration from virtualmin
From webmin → user and groups I see the user has /sbin/jk_chrootsh shell
Is this the information you are asking for?
What I need for me and users is php (working…), mysql, mail, ftp, the usual features…
However the configuration are made by me as root from webmin/virtualmin (change php version, etc…)
But a thing I sure need (and searching) is to have SFTP account that can have access only to specific folder. So they can access the folder but cannot have access to other folders (as mail folders for example). Is it possible with virtualmin?
Jails are not enabled by default. You chose that. I recommend you spend some time understanding the implications of that before enabling. It’s a pretty dramatic choice; you’re saying you want to strictly limit what is available to the user, and the default is almost nothing.
The simplest option for very limited users is to not allow ssh logins and instead use ProFTPd for all user filesystem access. In that case, the user doesn’t need to be chrooted, but they can be locked into their home (the File Manager can do that as well).
If you must use chroot jails, you must learn how they work and get familiar with customizing the software you place in the jails (and the implications/risks of adding things to the jail).
Hi
OK, you asked about chroot jail, and I told you about a specific need of mine (that is not imminent now).
But how can I solve the php problem of the “Failed to enable crypto” or of the curl error: “error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt” ?
Is there a way?
Thanks
Sounds like you want a simple answer, and the simplest is to disable chroot jails for your users until you get familiar with how they work. If you need to limit users to their home (and don’t trust UNIX filesystem permissions), you can disable ssh logins for them, and force them to use ProFTPd (either via FTP on the usual ports or via FTP-over-ssh on port 2222). If the user is not jailed, they will have access to system files like the CA bundle without you needing to explicitly add them to the jail. (This likely won’t be the only missing file/library.)
The more difficult option is to keep using chroot jails, and to do that safely and comfortably, you need to understand them. The short answer is you need to put all the files your users need into the jail, including that specific file. You can edit jail configuration in the Webmin->System->Jailkit Jail Manager module. And you can use the Jailkit commands to manage your jails, jk_cp, specifically in this case. Jailkit - chroot jail utilities
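The point of the reply above, that every file the jailed PHP process needs has to exist inside the jail, as an added example (not Virtualmin or Jailkit code): a shell check that follows the CA bundle's symlink chain on the host and lists the entries the jail lacks. The jail path argument and the sample tree are assumptions; the sample constructs the RHEL-family case where the bundle path is a symlink, so copying only the link leaves it dangling inside the jail.

```shell
# Added example (not Virtualmin or Jailkit code): report which CA-bundle paths
# a chroot jail lacks. Host root is "/" on a real server; a parameter for tests.

# Print the bundle path and each symlink hop behind it. $1=host root, $2=path
trust_chain() (
    root=$(cd "$1" && pwd -P) || return 1
    root=${root%/}; path=$2; hops=0
    while [ "$hops" -lt 16 ]; do
        printf '%s\n' "$path"
        [ -L "$root$path" ] || return 0
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;
            *)  dir=$(cd "$root$(dirname "$path")/$(dirname "$target")" && pwd -P) || return 1
                path=${dir#"$root"}/$(basename "$target") ;;
        esac
        hops=$((hops + 1))
    done
    return 1    # symlink loop or chain too deep
)

# Print the chain entries absent in the jail. $1=host root, $2=jail root, $3=path
missing_in_jail() (
    jail=${2%/}
    trust_chain "$1" "$3" | while IFS= read -r p; do
        # A real file (copied dereferenced) satisfies the rest of the chain.
        if [ ! -L "$jail$p" ] && [ -f "$jail$p" ]; then break; fi
        # A symlink entry counts as present; its target is checked on the next hop.
        [ -L "$jail$p" ] || printf '%s\n' "$p"
    done
)

# Constructed sample: the host has ca-bundle.crt as a symlink (RHEL-style
# layout); the jail received only the symlink, so its target is missing.
make_sample() {
    t=$(mktemp -d) || return 1
    pem=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    mkdir -p "$t/host/etc/pki/tls/certs" "$t/host${pem%/*}" "$t/jail/etc/pki/tls/certs"
    echo "constructed PEM placeholder" > "$t/host$pem"
    ln -s "$pem" "$t/host/etc/pki/tls/certs/ca-bundle.crt"
    ln -s "$pem" "$t/jail/etc/pki/tls/certs/ca-bundle.crt"
    printf '%s\n' "$t"
}

# Usage on a server: sh check.sh / /path/to/jail   (jail path is an assumption)
if [ "$#" -eq 2 ]; then
    missing_in_jail "$1" "$2" /etc/pki/tls/certs/ca-bundle.crt
fi
```

Each path it prints is one that still has to be added to the jail, for instance with jk_cp as the reply suggests; empty output means the bundle resolves inside the jail.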
Hi
I didn’t choose to enable jails as far as I know. I set up the server in December but I’m only using it now, so I don’t remember if there was some option during the Virtualmin installation about chroot or jail.
And to create the domain I used the default configuration template and the default plan. Then I saw that the shell for the user is /sbin/jk_chrootsh
So if I want to go for the simple option I have to change the shell?
And what is the least problematic shell to choose? I don’t know the real difference between the many shells in the list.
If instead I don’t change the shell, do I only have to copy /etc/pki/tls/certs/ca-bundle.crt into the chroot folder of the user?
The whole jail scenario is quite clear in theory but not simple in practice. And there is no info in Virtualmin documentation. Some example how to create and how to apply to users, through virtualmin, would be useful.
For my problem, for example, I see I can create a new jail from Webmin, but do I have to set “/etc/pki/tls/certs/ca-bundle.crt” in “Paths to include in jail”, in “Paths to include (keep ownership)” or in “Paths to include (with setuid)”?
How to apply the jail to one or more users?
The user must be set in the box “Users and Groups” in Users? in Groups?
So this apply to the user inserted here?
Or it must be done with jk_cp?
Or … can I add the file to an existing jail? There is some default jail for virtual server so that the change applies to all users? Or one jail in the Jailkit Jail Manager that I can use?
Sorry for the many questions but I don’t want to make a mess on the server, it is in production.
Thanks for any info you can give