Index syndication
comment syndication

OpenBSD – Akismet key could not be verified

February 26, 2008 at 01:37 · Filed under openbsd, webdev

If you are using OpenBSD to host your wordpress installation, and using the Akismet plug-in to block spam, you may come across set-up problems with Akismet.

The errors that can occur could be either or both of these:

  • There was a problem connecting to the Akismet server
  • The key you entered could not be verified because a connection to akismet.com could not be established

There may be a couple of issues here.

The first issue could well be you blocking outbound HTTP/HTTPS traffic to the akismet servers. This is fixed by a couple of PF rules added to your pf.conf and these are the rules I added to my PF config. YMMV:


#Allow HTTP out to specific servers
pass out on $ext_if proto { tcp udp } from ($ext_if) to \
{66.135.58.61, 66.135.58.62, 72.233.69.2, 72.233.69.3} port { www, https } keep state

The IP addresses there are the ones that the hosts akismet.com and rest.akismet.com resolve to. Adjust as required.

The second issue will be around name resolution. WordPress still complains with the “could not be verified” error now instead of the “problem connecting” error. However, all your tcpdumps show nothing is being blocked.

What is the likely cause? If you are using a default OpenBSD installation (secure by default!) then apache is probably running in a chroot “jail”. Name resolution by apache/php is done by reading your /etc/resolv.conf file on start-up.
However, the chrooted web-server can not access outside of /var/www which is the new “root” or / directory (for all intents and purposes). /etc is outside the chroot and php will not be able to do name/dns look-ups.

To confirm this is an issue, create a testakismet.php file in /var/www/htdocs, with the following code to test a http connection to akismet:


<?php
$fp = fsockopen("rest.akismet.com", 80, $errno, $errstr, 30);
if (!$fp) {
        echo "$errstr ($errno)<br />\n";
} else {
        $out = "GET / HTTP/1.1\r\n";
        $out .= "Host: rest.akismet.com\r\n";
        $out .= "Connection: Close\r\n\r\n";

        fwrite($fp, $out);
        while (!feof($fp)) {
                echo fgets($fp, 128);
        }
        fclose($fp);
}
?>

Load this test page at http://<yourhost>/testakismet.php and if you see an error, the key words being getaddrinfo failed, like this:

Warning: fsockopen() [function.fsockopen]: php_network_getaddresses: getaddrinfo failed: non-recoverable failure in name resolution in /adminosphere/akistest.php on line 2

Warning: fsockopen() [function.fsockopen]: unable to connect to rest.akismet.com:80 (Unknown error) in /adminosphere/akistest.php on line 2

Then your name resolution is indeed not working in your OpenBSD Apache Chroot “jail”. It’s locked down to /var/www and can not see your /etc/resolv.conf file.

The fix?

Simply do the following from your web-server shell.
Log-in as yourself, then su to root and fix this issue:


sudo su -
mkdir -p /var/www/etc
cp -p /etc/resolv.conf /var/www/etc/resolv.conf
apachectl stop
/usr/sbin/apachectl stop: httpd stopped
apachectl start
/usr/sbin/apachectl start: httpd started

Access your http://<yourhost>/testakismet.php and look for a successful HTTP connection (albeit without a valid API key at this time):


HTTP/1.1 200 OK X-Powered-By: PHP/4.4.4 Content-type: text/html Content-Length: 16 Date: Mon, 25 Feb 2008 14:27:57 GMT Server: LiteSpeed Connection: close Invalid API key.

At this time you can delete your testakismet.php file.

Log-in to your wordpress installation, http://<yourhost>/wp-admin/plugins.php?page=akismet-key-config and populate your akismet API key.

This key is valid.

A win against spam, for sure…… and OpenBSD continues to keep your sever secure.

Php script said,

September 1, 2008 @ 17:02

ow thanks 🙂

Interphero said,

November 20, 2008 @ 15:33

Thank you for posting this. Casino comment spam was driving me nuts! I’m hoping that the combination of ReCaptcha and Akismet will it off.

lantrix said,

November 20, 2008 @ 20:50

No problems. Akismet works fine, but I also use Spam Karma 2. It also uses Akismet as a DB and a whole lot more to limit the spam.

Puppafish said,

March 9, 2009 @ 03:22

Thanks for posting this, saved me loads of hassle 😉

Lock Pick Set said,

September 27, 2010 @ 15:38

Thank you soooooo much…. 🙂

Josh said,

March 16, 2011 @ 00:02

This problem plagues OpenBSD wordpress installations in other ways as well. Many plugins require outbound web connectivity. Even the main page of the admin dashboard checks a number of RSS feeds!

When I installed wordpress I searched long and hard for this solution. It never occurred to me that it could be something so simple! Thanks!

Blog is Back… | my intellectual compost heap said,

October 25, 2011 @ 16:00

[…] of some of the web applications I had been hosting, especially this WordPress blog but thanks to this final helpful tip, it is back up and running under […]

Krastyo Komsalov said,

August 18, 2012 @ 05:20

Seems there is one more piece in the puzzle.

php5_curl turn out to be necessary to fix it; at least this is what worked on Solaris 10.

Presence of php5_curl does not affect the way your script work.
http://komsalov.homelinux.org/testakismet.php

Seems either there is two problems leading to same error or some functionality had been moved to php5_curl.

Here is the bug track record which gave me the idea to install php5_curl.
https://www.opencsw.org/mantis/view.php?id=4627

My guess is that this is not strictly Solaris problem and it will be observed on any Unix PHP installation where php5_curl is not installed by default.
Anyway there is no harm in installing one more PHP library 🙂

Eric Brown said,

October 9, 2013 @ 23:52

@krastyo — on my OpenBSD 5.3, I did

pkg_add -i -v php-curl-5.3.21
ln -sf /etc/php-5.3.sample/curl.ini /etc/php-5.3/curl.ini

and that solved the problem. Thanks for posting this fix!

Eric Brown said,

October 9, 2013 @ 23:53

(followed by)

/etc/rc.d/httpd restart

RSS feed for comments on this post · TrackBack URI

Leave a Comment