
Resolved After installing Let's encrypt on Plesk 12.0, apache crashes

drusixtynine

Basic Pleskian
Hi there,
I tried to install a Let's encrypt certificate through Certbot on my VPS running CentOS 6.0 through ssh using this command
sudo ./path/to/certbot-auto --apache
restarting Apache to have the certificate running makes it crash
the only way I managed to make it run again is to edit the httpd.conf file and comment these new lines at the end of the file:
#<IfModule mod_ssl.c>
#Listen 443
#</IfModule>
But now Plesk is showing me this message
ScreenShot2017-12-19.png

Which is saying the following:
The new configuration files for the Apache web server were not created due to errors in the configuration templates: Can not restart web server: Service /etc/init.d/httpd failed to start Service /etc/init.d/httpd failed to start. Detailed descriptions of the errors have been sent to you by email. Please fix the issues and click here to generate the corrupted configuration files again or here to generate all the configuration files.

Obviously something is corrupted and doesn't work correctly
Also my plesk app on my iPhone is not working correctly and this message is shown when I try to check services with it and here the certificate is shown as corrupted or something
Please any help would be very appreciated.
phone-screenshot.jpeg
 
As far as I know modifications of the Let's Encrypt certbot script are incompatible with the Plesk httpdmng reconfiguration tool output. Plesk has a complex "include file" structure while certbot will most likely not modify the Plesk virtual host files but the main httpd configuration files. My suggestion is to first run
# plesk repair web
to see whether a reconfiguration of all webserver configuration files by Plesk will solve the issue. The command should remove the remains of certbot modifications and recreate the correct Plesk file structure for web server configuration files.
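
The first post got Apache starting again by commenting out a `Listen 443` block appended to httpd.conf. Assuming the start failure came from port 443 being declared a second time (the thread does not confirm this), the following added example, which is not code from the thread, Plesk or certbot, lists ports that have more than one active Listen line; the function names and sample files are made up.

```shell
#!/bin/sh
# Added example (not from the thread): list ports declared by more than one
# active Listen directive across a set of Apache config files.
# Usage: dup_listen_ports FILE...
# Output per duplicated port: "<port> <file>:<line> <file>:<line> ..."
# Caveat: two Listen lines with different explicit addresses on the same
# port can be legitimate, so review each hit by hand.
dup_listen_ports() {
    awk '
        /^[ \t]*#/ { next }                  # commented-out lines do not count
        tolower($1) == "listen" && NF >= 2 {
            port = $2                        # "443", "0.0.0.0:443", "[::]:443"
            sub(/^.*:/, "", port)            # keep only the port number
            count[port]++
            where[port] = where[port] " " FILENAME ":" FNR
        }
        END { for (p in count) if (count[p] > 1) print p where[p] }
    ' "$@"
}

# Constructed sample tree (paths and contents are made up): an ssl.conf that
# already binds 443, plus the block described in the first post.
demo_listen_check() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf" "$d/conf.d"
    printf '%s\n' 'Listen 80' '<IfModule mod_ssl.c>' 'Listen 443' \
        '</IfModule>' > "$d/conf/httpd.conf"
    printf '%s\n' 'LoadModule ssl_module modules/mod_ssl.so' '#Listen 8443' \
        'Listen 0.0.0.0:443' > "$d/conf.d/ssl.conf"
    (cd "$d" && dup_listen_ports conf/httpd.conf conf.d/ssl.conf)
    rm -rf "$d"
}

demo_listen_check
```

On a real host, pass the main httpd.conf together with every file it includes.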
 
Thank you very much for your answer
What about the error message I have on the plesk app, do you think it would be resolved with that same command?
Or do you think, one step at a time?
 
The message that you are seeing in the browser when you try to open the website is a result of the misconfiguration of the webserver.
 
I'm talking about the error message on the Plesk phone app that is shown in this screenshot, the blue is in French saying that an internal error has occurred, please contact our support service
phone-screenshot.jpeg
 
Yes, I have understood this. The message is being displayed, because the web server request is not responded to properly. It cannot be responded to correctly, because the web server configuration is wrong. This likely is a result of the certbot script that has placed directives into wrong files, thus influencing the web server behavior in a negative fashion. The message that you are seeing is a symptom, it is not the cause. The cause is a web server misconfiguration. Did you try to run
# plesk repair web
?
 
My mistake probably. I don't exactly remember, but there is a chance that in 12.0 the repair command was not yet available. I think it was established with the 12.5 upgrade, but don't really remember. Instead you can try a reconfiguration like this:
# /usr/local/psa/admin/sbin/httpdmng --reconfigure-all
 
U rock man, it worked for the plesk part, no more the red banner
but for the plesk app, it didn't change anything, still have the SSL CA cert error. Any idea?
sorry but it is kinda obscure for me
 
Yeah I also had another self signed certificate I have created that was conflicting. Now I removed it and my phone app is back to work.
Is it ok to work with a self assigned or is it better to use a 'real' certificate?
Can you tell me if there is a way to use a let's encrypt certificate with this version of plesk 12.0.18 or shall I upgrade my plesk to 12.5?
 
My problem with upgrading is what happens if I have an upgrade failure, I can't have my server being down
but before that, can you answer me for the certificates questions?
 
A self-signed certificate will always trigger warnings in browsers. It is better to either use a Let's Encrypt certificate or a commercial certificate.

An upgrade always comes with some risks. You can always sign up for a support contract with official Plesk support, though.
 
for the Let's Encrypt certificate, I know that the plugin is only for 12.5 but it must be a way to use and configure such a certificate through ssh, no?

How does a support contract work, would they guarantee that there wouldn't be a server downtime?
 
You can generate a Let's Encrypt certificate even on another server with certbot: User Guide — Certbot 0.19.0.dev0 documentation
It will not install the certificate automatically, but you can install it manually from the Plesk interface.

In your first attempt, the issue was using the --apache option, because in this case certbot will edit the Apache configuration. But with the standalone server or with the --certonly option, it will only create the SSL certificate.
 
hey Virtubox,
awesome, so can I generate the certificate on a virtual machine on my computer? should it be the same unix distribution?
thx
 
You can generate an SSL certificate with certbot on your Plesk server without changing your server configuration, or from another Linux server.
I don't know if there are certbot implementations on Windows or Mac.

With the DNS validation, you just have to add the TXT record displayed by certbot to generate your SSL certificate.
Or you can use the certonly option on your Plesk server. Here is the command to stop nginx before launching certbot with the standalone server:

Code:
certbot certonly --pre-hook "service nginx stop" --standalone --cert-name yourdomain.ltd -d yourdomain.ltd -d www.yourdomain.ltd --post-hook "service nginx start" -n --agree-tos -m admin@yourdomain.ltd --rsa-key-size 4096
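
Because certonly leaves installation to the administrator, as the replies above explain, it helps to check the files before pasting them into the Plesk interface. The following is an added example, not code from the thread or from certbot: it checks that the private key belongs to the certificate and that the certificate is not about to expire. The function names are made up, and the sample certificate is a throwaway self-signed one generated on the spot; on a real host the inputs would be the certificate and key files that certbot wrote.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run on certonly output
# before installing it by hand. Requires the openssl command-line tool.

# cert_matches_key CERT KEY: returns 0 if KEY is the private key for CERT,
# 1 if it is not, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS: returns 0 if CERT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed test material: make_demo_pki DIR writes a self-signed cert.pem
# valid for 30 days with its key.pem, plus an unrelated key other.pem.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=yourdomain.ltd" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.pem" 2>/dev/null
}

demo_cert_checks() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    if cert_matches_key "$d/cert.pem" "$d/key.pem"; then
        echo "key.pem: matches certificate"
    fi
    if ! cert_matches_key "$d/cert.pem" "$d/other.pem"; then
        echo "other.pem: does NOT match certificate"
    fi
    if ! cert_valid_for "$d/cert.pem" 60; then
        echo "certificate expires within 60 days"
    fi
    rm -rf "$d"
}

demo_cert_checks
```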
 