CODEWITHSUNDEEP
phpsymfonysymfony4open-basedir
zozo
zozo

Reputation: 8582

CaBundle open_basedir restriction

We have a project that has been in production for months (all its configs were working fine, no issues - including https and user access).

We rewrote part of code under Symfony 4 (no framework was used before that). Everything works perfectly on local, but, in production we started getting the following error in logs:

vendor/composer/ca-bundle/src/CaBundle.php is_dir(): open_basedir restriction in effect. File(/usr/local/etc/openssl) is not within the allowed path(s)

Any idea what might cause that (well... the error is obvious and one fix would be just to include that in allowed paths, but I don't want to do that until I understand the root cause of the problem)?

Important notes:

  1. We did not include that particular bundle, is part of the composer.
  2. Composer doesn't fail and no errors are received during composer install command.
  3. The project SEEMS to work as expected despite the log line.
  4. We have Cloudfare in front and https certificate is correcty handled there.
  5. The list of used bundles is rather short but if needed I can provide a list.
  6. We make no specific calls to functions from that bundle (if any are made, are made by something in symfony/3rd party bundles but a quick search in all code (including vendor) revealed nothing).

I'm kind of running out of ideas what might be causing the problem, especially since it doesn't happen on local and even in production the project seems OK.

Upvotes: 0

Views: 208

Answers (1)

yivi
yivi

Reputation: 47370

The CA-bundle is trying to read from the usr/local/etc/openssl, and it fails because it's not in one of the allowed directories for the PHP process.

It happens in one machine and not in the other because your local openbase_dir settings do not match those in production (and are likely to be much lax, as it usually happens on development).

Your have two options:

  • Change your openbase_dir setting on production so it's more permissive, at least for that specific virtual-host.

  • Check which package you are installing depends on Ca-Bundle, and remove that package so it's no longer included.

Further reading:

Upvotes: 1

Related Questions