Braintree Webhooks SNI
Friday, Feb 13, 2015
Yesterday we completed a PHP update to the Passport project. We’d done so a few weeks earlier in the staging environment and received few reports of errors. Unfortunately, our automated testing for this project is minimal, so we lacked any real confidence it had worked.
We’re using Amazon AWS at the moment; our goal was to upgrade from 5.3.28 to the more recent 5.5.20. We can’t use standard packages with the AMI operating system, so we recorded our steps for removing the old libraries and upgrading.
Remove the old.
sudo yum remove php-common httpd-tools
Update and install the new
sudo yum update
sudo yum install php55-pecl-imagick.x86_64 php55-soap.x86_64 \
    php55-xml.x86_64 php55-xmlrpc.x86_64 \
    php55-mysqlnd.x86_64 mod24_ssl
Of course, it didn’t go completely smoothly. A few things were immediately noticed by staff.
- Image uploads weren’t working
- Video uploads weren’t working
It turned out most had to do with a change of user from www to apache.
sudo chown -R apache:apache /var/www/passport
sudo chown -R apache:apache /tmp/reflexions_framework
All seemed well until it became apparent that our Braintree webhooks weren’t being received every 24 hours. Effectively this meant that while payments were getting processed, the Passport users had no idea this was the case.
After some discussions with Braintree we were informed that our configuration didn’t have a fallback for browsers which didn’t support Server Name Indication (SNI).
It turns out a default host for port 443 had been added in the new Apache configuration, namely in /etc/httpd/conf.d/ssl.conf.
$ apachectl -S
*:443 is a NameVirtualHost
default server ec2.internal (/etc/httpd/conf.d/ssl.conf)
port 443 namevhost ec2.internal (/etc/httpd/conf.d/ssl.conf)
port 443 namevhost passport.interexchange.org
The trick was to remove the following block:
<VirtualHost _default_:443>
...
</VirtualHost>
$ apachectl -S
*:443 is a NameVirtualHost
default server passport.interexchange.org
port 443 namevhost passport.interexchange.org
Braintree wasn’t able to confirm through their support channel that things were fixed, leaving me to ponder what else the issue could be.
Luckily it turns out the problem was resolved, something we joyfully discovered a few days later when payments were confirmed to have been synchronized.
The takeaway from this is definitely the use of apachectl -S to confirm the configured Apache hosts, especially as a companion to checking your configuration before rebooting.
$ apachectl -t
Syntax OK
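The apachectl -S check described above can be automated so a deploy fails when the default vhost on port 443 (the one a client without SNI is served) is not the expected site. This is an added example, not part of the original post; the function names are hypothetical and the sample listings are constructed from the two outputs shown in the post.

```shell
#!/bin/sh
# Hypothetical helper names; not from the original post.

# Print the default (first-listed) vhost for a port from `apachectl -S` output on stdin.
# This is the vhost a client that sends no SNI is served.
default_vhost() {
    awk -v port="$1" '
        # Several vhosts share the address: "*:443 is a NameVirtualHost"
        $2 == "is" && $4 == "NameVirtualHost" {
            n = split($1, a, ":"); in_port = (a[n] == port); next
        }
        in_port && $1 == "default" && $2 == "server" { print $3; exit }
        # Only one vhost on the address: "*:443 name (file:line)"
        $1 ~ (":" port "$") && NF >= 2 { print $2; exit }
    '
}

# Compare the default vhost against the expected hostname; non-zero on mismatch.
check_default_vhost() {
    expected=$1
    port=${2:-443}
    actual=$(default_vhost "$port")
    if [ "$actual" = "$expected" ]; then
        echo "OK: port $port default vhost is $actual"
    else
        echo "WARN: port $port default vhost is '${actual:-none}', expected $expected" >&2
        return 1
    fi
}

# Constructed samples, taken from the two listings in the post.
sample_before() { cat <<'EOF'
*:443 is a NameVirtualHost
    default server ec2.internal (/etc/httpd/conf.d/ssl.conf)
    port 443 namevhost ec2.internal (/etc/httpd/conf.d/ssl.conf)
    port 443 namevhost passport.interexchange.org
EOF
}
sample_after() { cat <<'EOF'
*:443 is a NameVirtualHost
    default server passport.interexchange.org
    port 443 namevhost passport.interexchange.org
EOF
}

sample_before | check_default_vhost passport.interexchange.org || true
sample_after | check_default_vhost passport.interexchange.org
# Live use: apachectl -S 2>&1 | check_default_vhost passport.interexchange.org
```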