• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Does this trick keep working?

M

mr-wolf

Silver Pleskian
Plesk Guru
A client of mine has a IIS-website running plain http on his premises.
To convert it to https I have created a file in /etc/nginx/conf.d/aa450_client_with_iis.conf which proxies his webserver.
I'm doing this more, but not with a LetsEncrypt certificate.

With Plesk I created a website for that same domain and let it create a LetsEncrypt-certificate.
I checked the /var/www/vhosts/system/domain/conf/nginx.conf file and copied the 3 lines there and inserted these in my own configuration file /etc/nginx/conf.d/aa450_client_with_iis.conf
Code: 
    ssl_certificate             /opt/psa/var/certificates/cert-X5Otet;
    ssl_certificate_key         /opt/psa/var/certificates/cert-X5Otet;
    ssl_client_certificate      /opt/psa/var/certificates/cert-n7WYbo;

Because aa450_ comes takes precedence over zz010_ (of the zz010_psa_nginx.conf) it will not use the Apache server on Plesk, but that on-premises IIS-website.

All good for now (at least for 3 months) :)

Now I can imagine a few things go wrong...
The LetsEncrypt-bot is creatively using the website to create a new certificate (is that so?) :eek:
The files containing the certificates will have changed names upon renewal. :eek:
Or I have a new nice trick to let Plesk manage a LetsEncrypt certificate for an IIS on-premises site. :cool:

I have not used LetsEncrypt long enough to know what it does.
What do you think?

@IgorG or @UFHH01 ??
 
Last edited:
Peter Debik said:
Yes, the file names are changing.
Click to expand...
I will consider to write a watchdog cronjob for that.....
It would be nicer if could tap into that renewal process somehow......

If the renewal is scheduled from cron it should be enough to run that script afterwards.
I haven't investigated that at all, but I will.

The solution will be published here...
Not that anyone will be needing it (but you never know).

Code: 
# grep letsencrypt /var/spool/cron/crontabs/root
29      21      *       *       *       /opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/letsencrypt/scripts/renew.php'
Code: 
# grep letsencrypt /var/spool/cron/crontabs/root
58      18      *       *       *       /opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/letsencrypt/scripts/renew.php'

These values are different on each Plesk server, which would make sense if they don't want to dDoS them by renewing all Plesk servers in the world at the same time....
I will now consider the best strategy to run that watchdog.
 
Last edited:
The script will add itself in crontab at the same time the LetsEncrypt renewal begins of your specific Plesk server. It will then start comparing the certificates in your custom scripts in /etc/nginx/conf.d that makes use of Plesk generated certificates.

It will start comparing those for the next hour....
If it finds a change it will rewrite the certificates in your custom nginx config and lets nginx reread its config.

The script does a lot of double-checking to make sure we have a valid situation.
It will also log into ./var/log/watchletsencrypt
Care has been taken that it doesn't write any config when it's not needed and most of the time when it's active it's actually sleeping (sleep 120).

I don't think a lot of people are using nginx for this, but if you do you don't have to reinvent the wheel.

EDIT: I've been thinking about the renewal process.... There's a big chance nginx will not be running after the renewal script has removed the old certificates. These certificates are still in use by the custom script when the Plesk renewal has nginx restarted.... In that case it will at least be running quickly afterward. I will wonder how Plesk handles this??


# cat /usr/local/sbin/watchletsenrypt
Code: 
#!/bin/bash

while getopts d OPTION
do
  case $OPTION in
    d)   DEBUG=true;;
    ?)   printf "Usage: %s: $0 [-d]\n" $0
    exit 2;;
  esac
done
shift $(($OPTIND - 1))

HEADLESS=
tty >/dev/null || HEADLESS=true

THISSCRIPT="`readlink -f $0`"
SCRIPTNAME=${THISSCRIPT##*/}
[ -z "${SCRIPTNAME}" ] && SCRIPTNAME=${0##*/}

SCRIPT_DOMAINS=${THISSCRIPT}.domains
LOG=/var/log/${SCRIPTNAME}.log
LOOPS=30
WAIT=120

NGINX_FOLDER=/etc/nginx/conf.d
SYSTEM_FOLDER=/var/www/vhosts/system
CERT_FOLDER=/opt/psa/var/certificates

if [ ! ${HEADLESS} ] ; then
  SCHEDULE="`grep "letsencrypt.*renew" /var/spool/cron/crontabs/root | sed 's/\/.*//g;s/\///g'`"
  if [ -z "${SCHEDULE}" ] ; then
    echo "I was unable to find a letsencrypt schedule in /var/spool/cron/crontabs/root" >&2
    exit 1
  else
    echo "I found the schedule \"${SCHEDULE}\" for the letsencrypt renewal script in /var/spool/cron/crontabs/root"
    CRONTABLINE="`grep "${THISSCRIPT}" /etc/crontab`"
    if [ -z "${CRONTABLINE}" ] ; then
      echo "I'm not scheduled yet, so I will add myself now to crontab"
      echo -e "\n${SCHEDULE}root\t${THISSCRIPT}" >>/etc/crontab
    elif ! grep -q "${SCHEDULE}.*${THISSCRIPT}" /etc/crontab ; then
      echo -e "I'm already scheduled in /etc/crontab, but the schedule is different\n\n`grep "${THISSCRIPT}" /etc/crontab`" >&2
      exit 1
    else
      echo "I don't need to do anything as I'm already scheduled in /etc/crontab"
    fi
  fi

  # Normal opertation in CLI-mode is quit now
  if [ ${DEBUG} ] ; then
    LOOPS=2
    WAIT=5
  else
    echo "If you run this script from CLI, this is all it will do...."
    echo "To debug the script use \"${SCRIPTNAME} -d\""
    exit 0
  fi
fi

check_lines()  {

  PATCHED=
  while read CERTLINE ; do
    [ ${HEADLESS} ] || echo "${CERTLINE}"
    CERTIDENTIFIER="`echo "${CERTLINE}" | awk '{print $1}' | sed 's/ *//g'`"
    CRT_VHOST="`echo "${CERTLINE}" | awk '{print $2}' | grep -o 'cert-.*'`"
    CRT_CONF="`grep "^\s*${CERTIDENTIFIER}\s" ${TMPDIR}/configfile | head -n1 | awk '{print $2}' | grep -o 'cert-.*'`"

    [ ${HEADLESS} ] || echo "ident: \"${CERTIDENTIFIER}\""
    [ ${HEADLESS} ] || echo "vhost: \"${CRT_VHOST}\""
    [ ${HEADLESS} ] || echo "conf:  \"${CRT_CONF}\""

    if [ ! "${CRT_VHOST}" == "${CRT_CONF}" ] ; then
      echo "${CRT_CONF} is now ${CRT_VHOST}, I will patch ${CONF}" | tee -a ${TMPLOG} >&2
      sed -i "s/${CRT_CONF}/${CRT_VHOST}/g" ${CONF}
      PATCHED=true
    fi
  done<${TMPDIR}/certlines

  if [ ${PATCHED} ] ; then
    echo "`date` The file ${CONF} is patched" | tee -a ${TMPLOG} >&2
    if nginx -t 2>/dev/null >/dev/null ; then
      echo "The file ${CONF} is tested and will now reread the nginx config" | tee -a ${TMPLOG} >&2
      if ! killall -HUP nginx ; then
        echo "A reread of the nginx config with \"killall -HUP nginx\" did NOT succeed, I will do a restart" | tee -a ${TMPLOG} >&2
        /etc/init.d/nginx restart
      fi
    else
      echo "Testing ${CONF} was not good.... check your nginx config!!!" | tee -a ${TMPLOG} >&2
      return 1
    fi
  fi
}


# Function to see if the nginx config needs checking
check_nginx_config() {

  # Get the port 443 part of the custom nginx config file
  grep -A30 ':443' ${CONF} >${TMPDIR}/configfile

  # get the server name out of the custom nginx config file
  SERVER_NAME="`grep '^\s*server_name' ${TMPDIR}/configfile | head -n1 | awk '{print $2}' | sed 's/;//g'`"

  # Use SERVER_NAME to obtain the nginx.conf in /var/www/system/??/
  NGINX_VHOSTFILE="`find ${SYSTEM_FOLDER}/${SERVER_NAME}/conf -maxdepth 1 -type f -name nginx.conf -mtime -1 2>/dev/null`"

  if [ -z "${NGINX_VHOSTFILE}" ] ; then
    [ ${HEADLESS} ] || echo "No young nginx.conf found in folder ${SYSTEM_FOLDER}/${SERVER_NAME}/conf"
  else
    echo "`date` found a young ${NGINX_VHOSTFILE}" | tee -a ${TMPLOG} >&2

    # Now that we have the nginx.conf extract the part where the ssl certificates are defined for this host
    grep -A30 ':443' ${NGINX_VHOSTFILE} 2>/dev/null | grep -A25 "${SERVER_NAME}" >${TMPDIR}/vhost_nginx_conf
    grep "^\s*ssl_.*${CERT_FOLDER}" ${TMPDIR}/vhost_nginx_conf >${TMPDIR}/certlines

    # count the amount of lines found
    CERTLINES=`grep -c . ${TMPDIR}/certlines`
    FOUNDFILES=0

    # Check if all files actually exist
    while read CERTLINE ; do
      CRT_FILE="`echo "${CERTLINE}" | awk '{print $2}' | sed 's/;//g'`"
      [ -e ${CRT_FILE} ] && let FOUNDFILES+=1
    done<${TMPDIR}/certlines

    # If all certificate files exist start checking if the custom nginx file needs patching
    if [ ${FOUNDFILES} -ne ${CERTLINES} ] ; then
      echo "`date` Some files in ${NGINX_VHOSTFILE} do not exist...." | tee -a ${TMPLOG} >&2
    else
      # There's a young valid nginx file in /var/www/system, so let's see if we need to do some patching
      echo "`date` ${NGINX_VHOSTFILE} seems to be a valid file" | tee -a ${TMPLOG} >&2
      check_lines
    fi
  fi
}

# This part only runs in debug mode or when running scheduled

TMPDIR=`mktemp -t -d ${0//*\/}.XXXXXXXXXX`
TMPLOG=${TMPDIR}/log
echo "`date` start of script $0" >>${TMPLOG}

# collect all the custom nginx configs that makes use of Plesk managed certificates
find ${NGINX_FOLDER} -type f -name \*.conf -exec grep -l "${CERT_FOLDER}" {} \; >${TMPDIR}/confs

# Start looping every 2 minutes (for an hour) from the moment Plesk starts renewing LetsEncrypt certificates
N=1
while [ $N -le ${LOOPS} ] ; do
  while read CONF ; do
    [ ${HEADLESS} ] || echo "$N. check ${CONF}"
    check_nginx_config
  done<${TMPDIR}/confs
  let N+=1
  [ ${HEADLESS} ] || echo "sleep ${WAIT} seconds"
  sleep ${WAIT}
done

echo "`date` end of script $0" >>${TMPLOG}
cat ${TMPLOG} >>${LOG}

rm -rf ${TMPDIR}
 
Last edited:
All dry tests went flawless...
If I patched my config, so the certificates would not be valid the script would correct them....
All good there....

But when forcing a LetsEncrypt renewal the new certificate files were made, but the nginx config in /var/www/vhosts/system/??/conf/ was not modified.
It was a newer file, but the certificate files it was referring to were still the same.
But these certificates are gone, so both my custom config and the plesk config is invalid.

What I think is that the renewal process did not work because my custom nginx file has taken the website from plesk....

mr-wolf said:
The LetsEncrypt-bot is creatively using the website to create a new certificate (is that so?) :eek:
Click to expand...

I need to rethink the whole thing.

What I'm thinking now is disabling my custom site before the renewing process starts....
But this happens each day :eek:
And I can't let this go on for an hour (I can of course watch if the LetsEncrypt script is finished).

mmmmm
 
@IgorG @UFHH01 @Peter Debik

What is failing now is the /.well-known/acme-challenge/ because I have snatched the site away from Plesk.
I could (automated) disable my custom config while it is doing the LetsEncrypt check, but that has downsides.
It means that my custom site is not available during the check and i could also have some timing problems.

I have (not thoroughly) checked how Plesk is pulling off this challenge. I can't see anything in the nginx config, apache config or in the folder where the website is placed.

Is it making this only available during the challenge.

Because sites should be working in Plesk without nginx, I presume that it is all handled by Apache.

Without exactly knowing the details it may be enough to permanently modify my custom nginx config (the one that's proxying the IIS-site) to let the local Apache handle all the url's starting with /.well-known/

I would really appreciate some info...
 
Another step further, but still not working as a concept....

I was able to add an extra part to my custom config so the LetsEncrypt will connect to the local Apache server instead of the remote IIS-server.
It even gives feedback that everything succeeded.
It generated a new certificate pair and removed the old pair.

What it didn't do is update the Plesk's nginx.conf with the newly generated certificates....

I think it doesn't write these keys because it fails some check....

Until I solve that I may need to return to the idea of temporarily disabling the custom config when the LetsEncrypt schedule starts....
 
it could have been so nice, but I'm now thinking it is easier to write something that has nothing to do with Plesk's LetsEncrypt
Did practice a lot of "bash"

The script itself is working, but Plesk is unable to patch its /var/www/vhosts/system/???/conf/nginx.conf if the custom nginx config is active.
If I disable the custom config Plesk has no problem to patch that file....

Here's what I have as custom nginx config

cat /etc/nginx/conf.d/ww100_gallery.domain.com.conf
Code: 
server {
        listen 20.16.232.180:80;
        server_name gallery.erwinolaf.com;

       error_log /var/log/nginx/ownservices/error.log;
       access_log /var/log/nginx/ownservices/access.log combined;

        location / {
                return 301 https://$host$request_uri;
        }

        location ^~ /.well-known/acme-challenge/ {
                allow all;
                proxy_pass http://20.16.232.180:7080;
                proxy_set_header Host             $host;
                proxy_set_header X-Real-IP        $remote_addr;
                proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header X-Accel-Internal /internal-nginx-static-location;
                access_log off;
        }
}

server {
    listen 20.16.232.180:443 ssl http2;
    server_name gallery.erwinolaf.com;

    error_log /var/log/nginx/ownservices/error.log;
    access_log /var/log/nginx/ownservices/access.log combined;

    ssl_certificate             /opt/psa/var/certificates/cert-TejJzJ;
    ssl_certificate_key         /opt/psa/var/certificates/cert-TejJzJ;
    ssl_client_certificate      /opt/psa/var/certificates/cert-6fojJL;

    ssl_stapling on;
    ssl_stapling_verify on;

    add_header          Referrer-Policy                 strict-origin-when-cross-origin always;
    add_header          X-Frame-Options                 SAMEORIGIN always;
    add_header          X-XSS-Protection                "1; mode=block" always;
    add_header          X-Content-Type-Options          nosniff always;

    ssl_dhparam         /etc/dhparam/dhparam4096.pem;
    ssl_session_timeout 5m;

    ssl_protocols       TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    client_max_body_size 128m;

    location / {
                proxy_pass http://remote.domain.com:40080;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location ^~ /.well-known/acme-challenge/ {
                allow all;
                proxy_pass https://20.16.232.180:7081;
                proxy_set_header Host             $host;
                proxy_set_header X-Real-IP        $remote_addr;
                proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header X-Accel-Internal /internal-nginx-static-location;
                access_log off;
        }
}
 
I decided to approach my problem from a complete different perspective.
I have copied the 2 certificate files from /opt/psa/var/certificates/ to /etc/nginx/ssl
They are there safe from any deletion by the Plesk auto-renew script....

I'm now starting to monitor the expiry date by Zabbix (wrote that years ago and has proven to be a powerful ally)

I will get alerted about the expiry several days before the expiration.
By then the Plesk auto-renew has already made 2 new certificates.....
Alas, I will not have their names, but they will be one of the newest ones....

I haven't done that before somehow, but with openssl I should be able to identify them.
Maybe I will script it one day.
Extract the hostname out of /etc/nginx/conf.d/ww100_*.conf and then start searching for an ssl keypair in /opt/psa/var/certificates/
If I find one and it's newer than the one /etc/nginx/conf.d/ww100_*.conf just copy it over to /etc/nginx/ssl/ and replace it in the custom nginx conf file.

I also need to fix Plesk's /var/www/vhosts/system/???/conf/nginx.conf
Plesk's renewal script has removed the old certificates and didn't update the nginx.conf
nginx's config is therefore invalid....
nginx is still running because it refused the new config, but this is not a good situation.
I also need to fix the (unused) nginx.conf of Plesk's helper domain.

This is a good reminder to create a Zabbix trigger that will do an "nginx -t" regularly.
One can intervene before it's too late (I already have a trigger on nginx running or not)

That's all much easier to make than what I created thus far.
 
Maybe no-one reads all this, but because I started it I may well finish it.

I'm now doing things differently.
The cronjob is light enough to run each 10 minutes as it will only act if "nginx -t" is unsuccessful

It checks all the nginx.conf's in /var/www/vhosts/*/conf/ for the existence of the ssl_certificate_key
If the file is missing it will do a "plesk repair web "domain" -y -v" for that host.
If the plesk repair is not successful it will try and find a key itself using openssl and the "server_name"
It finds the ssl_client_certificate by using a date stamp match.
Some tests revealed that they match on the second.

Afterward it will also parse all the /etc/nginx/conf.d/ configs that start with "ww"
Because "plesk repair" can't do anything there, it will use the "openssl method" immediately

Here's the code:

# cat /usr/local/sbin/repairletsencrypt
Code: 
#!/bin/bash

while getopts d OPTION
do
  case $OPTION in
    d)   DEBUG=true;;
    ?)   printf "Usage: %s: $0 [-d]\n" $0
    exit 2;;
  esac
done
shift $(($OPTIND - 1))

HEADLESS=
tty >/dev/null || HEADLESS=true

if nginx -t 2>/dev/null ; then
  [ ${HEADLESS} ] || echo "Nginx says everything's alright, so nothing to do" >&2
  exit
fi

TMPDIR=`mktemp -t -d ${0//*\/}.XXXXXXXXXX`
TMPLOG=${TMPDIR}/log
echo "`date` start of script $0" >>${TMPLOG}

THISSCRIPT="`readlink -f $0`"
SCRIPTNAME=${THISSCRIPT##*/}
[ -z "${SCRIPTNAME}" ] && SCRIPTNAME=${0##*/}

LOG=/var/log/${SCRIPTNAME}.log

NGINX_FOLDER=/etc/nginx/conf.d
SYSTEM_FOLDER=/var/www/vhosts/system
CERT_FOLDER=/opt/psa/var/certificates

# Parse all the certificates and remember their CN's and filedates
find ${CERT_FOLDER} -maxdepth 1 -type f >${TMPDIR}/certfiles
while read CERTFILE ; do
  CN="`openssl x509 -inform pem -in ${CERTFILE} -noout -text | grep -i 'Subject: CN=' | awk -F= '{print $2}'`"
  [ -n "${CN}" ] && echo "${CN} ${CERTFILE}" >>${TMPDIR}/host_and_cert
  echo "`date +%s -r ${CERTFILE}` ${CERTFILE}" >>${TMPDIR}/date_and_cert
done<${TMPDIR}/certfiles

alternate_repair() {

  # get the server name out of the custom nginx config file
  SERVER_NAME="`grep  '^\s*server_name' ${TMPDIR}/configfile | head -n1 | awk '{print $2}' | sed 's/;//g'`"
  MATCHING_CERT="`grep "^${SERVER_NAME} " ${TMPDIR}/host_and_cert | head -n1 | awk '{print $2}'`"

  DATE_CERT="`grep ${MATCHING_CERT} ${TMPDIR}/date_and_cert | head -n1 | awk '{print $1}'`"
  CLIENT_CERT="`grep "^${DATE_CERT} " ${TMPDIR}/date_and_cert | grep -v ${MATCHING_CERT} | head -n1 | awk '{print $2}'`"

  echo "Found this cert to ${MATCHING_CERT} matching ${SERVER_NAME} using openssl" | tee -a ${TMPLOG} >&2
  echo "Found this clientcert ${CLIENT_CERT} as it has the same filedate as ${MATCHING_CERT}" | tee -a ${TMPLOG} >&2

  CN="`grep "${CLIENT_CERT}" ${TMPDIR}/host_and_cert | head -n1 | awk '{print $2}' | sed 's/;//g'`"
  if [ -n "${CN}" ] ; then
    echo "I'm undecisive as I have found the CN \"${CN}\" in the client certificate ${CLIENT_CERT}, which should not contain one" | tee -a ${TMPLOG} >&2
    echo "I will therefore do nothing... nginx will probably stay broken" | tee -a ${TMPLOG} >&2
  else
    MATCH_C="${MATCHING_CERT##*/}"
    CLIENT_C="${CLIENT_CERT##*/}"

    if [ -z "${MATCH_C}" ] || [ -z "${CLIENT_C}" ] ; then
      echo "Something wrong here with parsing the found certificates cert=\"${MATCH_C}\" clientcert=\"${CLIENT_C}\"" | tee -a ${TMPLOG} >&2
    else
      echo "Replace ${CERTFILE} with ${MATCH_C} in ${NGINX_CONF}"    | tee -a ${TMPLOG} >&2
      echo "Replace ${CLIENTFILE} with ${CLIENT_C} in ${NGINX_CONF}" | tee -a ${TMPLOG} >&2

      sed -i "s/${CERTFILE}/${MATCH_C}/g" ${NGINX_CONF}
      sed -i "s/${CLIENTFILE}/${CLIENT_C}/g" ${NGINX_CONF}
    fi
  fi
}

get_certfile() {
  # Get the port 443 part of the custom nginx config file
  grep -A30 ':443' ${NGINX_CONF} >${TMPDIR}/configfile
  CERTFILE="`grep   "^\s*ssl_certificate_key.*${CERT_FOLDER}"    ${TMPDIR}/configfile | head -n1 | grep -o 'cert-.*' | sed 's/;//g'`"
  CLIENTFILE="`grep "^\s*ssl_client_certificate.*${CERT_FOLDER}" ${TMPDIR}/configfile | head -n1 | grep -o 'cert-.*' | sed 's/;//g'`"

  if [ -z "${CERTFILE}" ] ; then
    echo "Parsing ${NGINX_CONF} gave no valid ssl_certificate_key, abort!!" | tee -a ${TMPLOG} >&2
    return 1
  fi
  if [ -z "${CLIENTFILE}" ] ; then
    echo "Parsing ${NGINX_CONF} gave no valid ssl_client_certificate, abort!!" | tee -a ${TMPLOG} >&2
    return 1
  fi
}

# Parse all the nginx.conf files in /var/www/vhosts/system and remember the ssl_cerficate_key
find ${SYSTEM_FOLDER} -type f -name nginx.conf -exec grep -l "${CERT_FOLDER}" {} \; >${TMPDIR}/nginxfiles
while read NGINX_CONF ; do
  CERTFILE=
  CLIENTFILE=
  if get_certfile ; then
    if [ ! -f "${CERTFILE}" ] ; then
      echo "${CERTFILE} is missing in ${NGINX_CONF}"
      echo "I will first let plesk try and repair it!"

      SYSTEM_FOLDER="`echo "${NGINX_CONF}" | sed 's/.*system\///g;s/\/conf\/.*//g'`"
      plesk repair web ${SYSTEM_FOLDER} -y -v

      if nginx -t 2>/dev/null ; then
        echo "Nginx says everything's alright, so I guess it was fixed by \"plesk repair web ${SYSTEM_FOLDER} -y -v\"" >&2
        break
      else
        echo "Nginx still complains... The repair failed, or it's another host" | tee -a ${TMPLOG} >&2
        if get_certfile ; then
          if [ -f "${CERTFILE}" ] ; then
            echo "The file ${CERTFILE} exists, so it's probably another host" | tee -a ${TMPLOG} >&2
          else
            echo "Plesk repair failed, so I will do my own method" | tee -a ${TMPLOG} >&2
            alternate_repair
            if nginx -t ; then
              echo "Alternate repair succeeded, I can stop now" | tee -a ${TMPLOG} >&2
              break
            fi
          fi
        fi
      fi
    fi
  fi
done<${TMPDIR}/nginxfiles


# Parse all the nginx.conf files in /etc/nginx/conf.d  that start with ww* and remember the ssl_cerficate_key
find ${NGINX_FOLDER} -type f -name ww\*.conf -exec grep -l "${CERT_FOLDER}" {} \; >${TMPDIR}/nginxfiles
while read NGINX_CONF ; do
  CERTFILE=
  CLIENTFILE=
  if get_certfile ; then
    [ ${HEADLESS} ] || echo "${NGINX_CONF} ${CERTFILE} ${CLIENTFILE}"

    if [ ! -f "${CERTFILE}" ] ; then
      alternate_repair
      if nginx -t 2>/dev/null ; then
        echo "Alternate repair succeeded, I can stop now" | tee -a ${TMPLOG} >&2
        break
      else
        echo "still wrong, maybe there are more..." | tee -a ${TMPLOG} >&2
      fi
    fi
  fi
done<${TMPDIR}/nginxfiles

echo "`date` end of script $0" >>${TMPLOG}
cat ${TMPLOG} >>${LOG}

rm -rf ${TMPDIR}
 
Last edited:
You must log in or register to reply here.

Similar threads

D
Question NGINX Unit on server under plesk
Replies
4
Views
300
trialotto
T
Ehud
Resolved Plesk nginx conf files, seem to bring to an error notification when running 'nginx -s reload'
Replies
2
Views
922
Ehud
Ehud
P
Issue Check SSL certificates from command line
Replies
7
Views
2K
PeterKi
P
D
Issue certificate of VPS host still used after SSL configuration for newly added domain
Replies
4
Views
577
deepnpisgah
D
C
Question SSL certificate location for Prosody import
Replies
7
Views
2K
Kaspar
K
Back
Top