Braintree Webhooks SNI

By dirkkelly

Friday, Feb 13, 2015

Yesterday we completed a PHP update to the Passport project. We’d done so a few weeks earlier in the staging environment and received few reports of errors. Unfortunately, our automated testing for this project is minimal, so we lacked any real confidence it had worked.

We’re using Amazon AWS at the moment, and our goal was to jump from 5.3.28 to the more recent 5.5.20. We can’t use standard packages with the AMI operating system, so we recorded our steps for removing the old libraries and upgrading.

Remove the old.

sudo yum remove php-common httpd-tools

Update and install the new

sudo yum update
sudo yum install php55-pecl-imagick.x86_64 php55-soap.x86_64 \
                 php55-xml.x86_64 php55-xmlrpc.x86_64 \
                 php55-mysqlnd.x86_64 mod24_ssl

Of course, it didn’t go completely smoothly. A few things were immediately noticed by staff.

  • Image uploads weren’t working
  • Video uploads weren’t working

It turned out most had to do with a change of user from www to apache.

sudo chown -R apache:apache /var/www/passport
sudo chown -R apache:apache /tmp/reflexions_framework

All seemed well until it became apparent that our Braintree webhooks weren’t being received every 24 hours. Effectively this meant that while payments were getting processed, the Passport users had no idea this was the case.

After some discussions with Braintree, we were informed that our configuration didn’t have a fallback for browsers which didn’t support Server Name Indication (SNI).

It turns out a default host for port 443 had been added in the new Apache configuration, namely in /etc/httpd/conf.d/ssl.conf.

$ apachectl -S
  *:443 is a NameVirtualHost
  default server ec2.internal (/etc/httpd/conf.d/ssl.conf)
  port 443 namevhost ec2.internal (/etc/httpd/conf.d/ssl.conf)
  port 443 namevhost passport.interexchange.org

Trick was to remove the following block

<VirtualHost _default_:443>
...
</VirtualHost>

Tested with

$ apachectl -S
  *:443 is a NameVirtualHost
  default server passport.interexchange.org
  port 443 namevhost passport.interexchange.org

Braintree wasn’t able to confirm through their support channel that things were fixed, leaving me to ponder what else the issue could be.

Luckily it turns out the problem was resolved, something we joyfully discovered a few days later when payments were confirmed to have been synchronized.

Take away from this is definitely the use of apachectl -S to confirm the configured Apache hosts, especially as a companion to checking your configuration before rebooting.

$ apachectl -t
    Syntax OK
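
A client that sends no SNI cannot pick a name-based virtual host during the TLS handshake, so Apache answers with the default server for that address and port, which is the line apachectl -S reports. The script below is an added example, not part of the original post: it parses that output and fails when the port 443 default is not the expected host. The function names are hypothetical and the sample text is the two outputs quoted above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Constructed samples: the two `apachectl -S` outputs quoted in the post.
BEFORE='*:443 is a NameVirtualHost
  default server ec2.internal (/etc/httpd/conf.d/ssl.conf)
  port 443 namevhost ec2.internal (/etc/httpd/conf.d/ssl.conf)
  port 443 namevhost passport.interexchange.org'
AFTER='*:443 is a NameVirtualHost
  default server passport.interexchange.org
  port 443 namevhost passport.interexchange.org'

# Print the default vhost for port $1 from `apachectl -S` output on stdin.
default_vhost() {
    awk -v port="$1" '
        # Address header: "*:443 is a NameVirtualHost" or "*:443 host (file:line)"
        $1 ~ /:[0-9]+$/ {
            in_block = ($1 ~ (":" port "$"))
            # Single-vhost form: the only host on the address is the default.
            if (in_block && $2 != "is") { print $2; exit }
            next
        }
        in_block && $1 == "default" && $2 == "server" { print $3; exit }
    '
}

# Succeed only if the default vhost for port $1 is the expected name $2.
check_default_vhost() {
    actual=$(default_vhost "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: port $1 default vhost is $actual"
    else
        echo "MISMATCH: port $1 default vhost is '${actual:-none}', expected '$2'" >&2
        return 1
    fi
}

# Demo on the samples; on a server: apachectl -S 2>&1 | check_default_vhost 443 <name>
printf '%s\n' "$BEFORE" | check_default_vhost 443 passport.interexchange.org \
    || echo "(expected: this is the broken configuration)"
printf '%s\n' "$AFTER" | check_default_vhost 443 passport.interexchange.org
```

To see the certificate a non-SNI client actually receives, `openssl s_client -connect <host>:443 -noservername` (OpenSSL 1.1.1 or later) performs the handshake without sending a server name.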