If you are using OpenBSD to host your wordpress installation, and using the Akismet plug-in to block spam, you may come across set-up problems with Akismet.

The errors that can occur could be either or both of these:

• There was a problem connecting to the Akismet server
• The key you entered could not be verified because a connection to akismet.com could not be established

There may be a couple of issues here.

The first issue could well be you blocking outbound HTTP/HTTPS traffic to the akismet servers. This is fixed by a couple of PF rules added to your pf.conf and these are the rules I added to my PF config. YMMV:

#Allow HTTP out to specific servers
pass out on $ext_if proto { tcp udp } from ($ext_if) to \
{66.135.58.61, 66.135.58.62, 72.233.69.2, 72.233.69.3} port { www, https } keep state

The IP addresses there are the ones that the hosts akismet.com and rest.akismet.com resolve to. Adjust as required.

The second issue will be around name resolution. WordPress still complains with the “could not be verified” error now instead of the “problem connecting” error. However, all your tcpdumps show nothing is being blocked.

What is the likely cause? If you are using a default OpenBSD installation (secure by default!) then apache is probably running in a chroot “jail”. Name resolution by apache/php is done by reading your /etc/resolv.conf file on start-up.
However, the chrooted web-server can not access outside of /var/www which is the new “root” or / directory (for all intents and purposes). /etc is outside the chroot and php will not be able to do name/dns look-ups.

To confirm this is an issue, create a testakismet.php file in /var/www/htdocs, with the following code to test a http connection to akismet:

< ?php $fp = fsockopen("rest.akismet.com", 80, $errno, $errstr, 30); if (!$fp) { echo "$errstr ($errno)
\n";
} else {
$out = "GET / HTTP/1.1\r\n";
$out .= "Host: rest.akismet.com\r\n";
$out .= "Connection: Close\r\n\r\n";

fwrite($fp, $out);
while (!feof($fp)) {
echo fgets($fp, 128);
}
fclose($fp);
}
?>

Load this test page at http://<yourhost>/testakismet.php and if you see an error, the key words being getaddrinfo failed, like this:

Warning: fsockopen() [function.fsockopen]: php_network_getaddresses: getaddrinfo failed: non-recoverable failure in name resolution in /adminosphere/akistest.php on line 2

Warning: fsockopen() [function.fsockopen]: unable to connect to rest.akismet.com:80 (Unknown error) in /adminosphere/akistest.php on line 2

Then your name resolution is indeed not working in your OpenBSD Apache Chroot “jail”. It’s locked down to /var/www and can not see your /etc/resolv.conf file.

The fix?

Simply do the following from your web-server shell.
Log-in as yourself, then su to root and fix this issue:

sudo su -
mkdir -p /var/www/etc
cp -p /etc/resolv.conf /var/www/etc/resolv.conf
apachectl stop
/usr/sbin/apachectl stop: httpd stopped
apachectl start
/usr/sbin/apachectl start: httpd started


Access your http://<yourhost>/testakismet.php and look for a successful HTTP connection (albeit without a valid API key at this time):

HTTP/1.1 200 OK X-Powered-By: PHP/4.4.4 Content-type: text/html Content-Length: 16 Date: Mon, 25 Feb 2008 14:27:57 GMT Server: LiteSpeed Connection: close Invalid API key.

At this time you can delete your testakismet.php file.

Log-in to your wordpress installation, http://<yourhost>/wp-admin/plugins.php?page=akismet-key-config and populate your akismet API key.

This key is valid.

A win against spam, for sure…… and OpenBSD continues to keep your sever secure.