background

Assume a SSL Domain is used without a valid intermediate certificate. From the browser this works, but not via curl / fsockopen in the PHP code. See https://confluence.translate5.net/display/CON/Curl+SSL+Problems as background.

The problem is now, that the workers may not start, since fsockopen can not create a SSL connection internally. This could be fixed by changin the runtimeOptions.worker.server config, or by provide the missing certificate in the apache config as chain file.

The problem is now to recognize that situation. Modern browsers will work, since they load the missing certificates, but the curl and fsockopen will fail.

problem

Using fsockopen (like the workers do) will just fail on such a domain, logging some PHP warnings in the PHP log:

PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /webs/instance-XXXX/library/ZfExtended/Worker/TriggerByHttp.php on line 78

PHP Warning:  fsockopen(): Failed to enable crypto in /webs/instance-XXXX/library/ZfExtended/Worker/TriggerByHttp.php on line 78

PHP Warning:  fsockopen(): unable to connect to ssl://testdomain.translate5.net:443 (Unknown error) in /webs/instance-XXXX/library/ZfExtended/Worker/TriggerByHttp.php on line 78

Currently the only error which is logged in the application log is:

ERROR: E1072 - Can not trigger worker URL: ssl://testdomain.translate5.net:443 Error:  (0)  in core.worker /webs/instance-XXXX/library/ZfExtended/Worker/TriggerByHttp.php (84)  by POS
T /editor/task?format=json

Which does not provide any useful information about the real problem.

solution

Change the worker invocation away from fsockopen to a different technology (like socket_create)