Let's Encrypt extension

[WielM]

Hi WielM,


Could you pls. explain, what makes you think, that altering the "psa" - tables "exp_event" and "log_components" ( which both have got absolute nothing to do with configuration settings! ) could solve your issue?

"Altering" a "psa" - database - entry is never recommended and you do this without Plesk support.



Your root cause is here, as you still use one of your misconfigured IPv6 - addresses at one of your hosting settings ( otherwise Plesk would never point you to this fact, which makes it impossible for Plesk to completely remove the depending IPv4/IPv6 ).


Pls. check as well your network settings on your server, to solve your issue(s).

Sorry for the confusion. I never alter tables in the psa database but use it as guidance to find the right GUI page where I can alter information. These were the locations where I found references to the wrong IPV6 address. In this case I guess that the only table that still matters, is the Configurations table. Where is that table maintained in the Plesk GUI?

\Wiel

 

[UFHH01]

Hi WielM,

Where is that table maintained in the Plesk GUI?

These two tables are not directly maintained over the Plesk Control Panel.

 

[WielM]

Bu

Hi WielM,


These two tables are not directly maintained over the Plesk Control Panel.

But the Configurations table's field type 'nginxDomainVhost' seem to steer the Rebuild in generating the nginx .conf files where the errors occur. In several .conf files in /etc/nginx/plesk.conf.d/vhosts I find code like:

server {
        listen [2a01:238:40ab:cd12:dead:beef:dead:beef]:443 ssl;

        server_name xxx.domain.name

The Rebuild does not fill the listen parameter with the right IPV6 address, because the database table Configurations contains the fake IPV6 address.

\Wiel

 

[UFHH01]

Hi WielM,

you know that you are able to delete misconfigured configuration files MANUALLY? The already given suggestion

plesk repair web -y -v

... will certainly rebuild missing configuration files with the correct setup of your IPv4/IPv6.

I already suggested to use the "Webserver Configurations Troubleshooter", which makes it really easy to remove misconfigured configuration files. Pls. give it a try.

 

[WielM]

Hi WielM,

you know that you are able to delete misconfigured configuration files MANUALLY? The already given suggestion

plesk repair web -y -v

... will certainly rebuild missing configuration files with the correct setup of your IPv4/IPv6.

I already suggested to use the "Webserver Configurations Troubleshooter", which makes it really easy to remove misconfigured configuration files. Pls. give it a try.

That command still crashes Apache/nginx:

> plesk repair web nosysoft.net -y -v

Repairing web server configuration
    Repairing web server configuration for the domain nosysoft.net .. [2017-08-07 20:09:50] ERR [util_exec] proc_close() failed ['/opt/psa/admin/bin/httpdmng' '--reconfigure-domain' 'nosysoft.net'] with exit code [1] 
Error occured while sending feedback. HTTP code returned: 502
[FAILED]
    - httpdmng failed: [2017-08-07 20:09:47] ERR [util_exec]
      proc_close() failed ['/opt/psa/admin/bin/nginx-config' '-t']
      with exit code [1] 
      Error occured while sending feedback. HTTP code returned: 502
      [2017-08-07 20:09:48] ERR [util_exec] proc_close() failed
      ['/opt/psa/admin/bin/nginx-config' '-t'] with exit code [1] 
      Error occured while sending feedback. HTTP code returned: 502
      [2017-08-07 20:09:49] ERR [panel] Apache config
      (15021293860.39949500) generation failed: Template_Exception:
      nginx: [emerg]
      BIO_new_file("/opt/psa/var/certificates/cert-PMXQOC") failed
      (SSL: error:02001002:system library:fopen:No such file or
      directory:fopen('/opt/psa/var/certificates/cert-PMXQOC','r')
      error:2006D080:BIO routines:BIO_new_file:no such file)
      nginx: configuration file /etc/nginx/nginx.conf test failed
     
      file:
      /opt/psa/admin/plib/Template/Writer/Webserver/Abstract.php
      line: 75
      code: 0
      Error occured while sending feedback. HTTP code returned: 502
      nginx: [emerg]
      BIO_new_file("/opt/psa/var/certificates/cert-PMXQOC") failed
      (SSL: error:02001002:system library:fopen:No such file or
      directory:fopen('/opt/psa/var/certificates/cert-PMXQOC','r')
      error:2006D080:BIO routines:BIO_new_file:no such file)
      nginx: configuration file /etc/nginx/nginx.conf test failed

Error messages: 0; Warnings: 0; Errors resolved: 0

The resulting .conf file is empty after this command.

 

[UFHH01]

Hi WielM,

as you can see, you still have an existent configuration file, where a non-existent certificate has been configured.

BIO_new_file("/opt/psa/var/certificates/cert-PMXQOC") failed
(SSL: error:02001002:system library:fopen:No such file or
directory:fopen('/opt/psa/var/certificates/cert-PMXQOC','r')
error:2006D080:BIO routines:BIO_new_file:no such file)

Pls. delete the misconfigured configuration file(s). A corresponding search could look like:

find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "/opt/psa/var/certificates/cert-PMXQOC" {} \;

find /etc/nginx -type f -name "*.conf" -exec grep --color -Hni "/opt/psa/var/certificates/cert-PMXQOC" {} \;

After you deleted the depending configuration file, pls. repeat your "plesk repair" - command.

 

[WielM]

Hi WielM,

as you can see, you still have an existent configuration file, where a non-existent certificate has been configured.

Pls. delete the misconfigured configuration file(s). A corresponding search could look like:

find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "/opt/psa/var/certificates/cert-PMXQOC" {} \;

find /etc/nginx -type f -name "*.conf" -exec grep --color -Hni "/opt/psa/var/certificates/cert-PMXQOC" {} \;

After you deleted the depending configuration file, pls. repeat your "plesk repair" - command.

BINGO! The fake IPV6 address has been removed from all the nginx conf files! Thanx!
But the wsvalem site still uses the root certificate after I succesfully installed a new domain certificate through Plesk: SSL Server Test: wsvalem.nl (Powered by Qualys SSL Labs)

\Wiel

 

[UFHH01]

Hi WielM,

But the wsvalem site still uses the root certificate after I succesfully installed a new domain certificate through Plesk

Pls. have a closer look at this bug - report, as it contains as well work-arounds which might help you to solve your ( last ) current issue.

=> Let's Encrypt SSL Certificate​

 

[WielM]

Although, thanks to UFHH01, I managed to solve the IPV6 problem, my original problem (not able to get an LE certificate working for a domain) still exists.
The conf files seem to look ok:
httpd.conf shows

       SSLEngine on
       SSLVerifyClient none
       SSLCertificateFile /opt/psa/var/certificates/cert-t3AtJi
       SSLCACertificateFile /opt/psa/var/certificates/cert-dXjMah

and nginx.conf:

   ssl_certificate             /opt/psa/var/certificates/cert-t3AtJi;
   ssl_certificate_key         /opt/psa/var/certificates/cert-t3AtJi;
   ssl_client_certificate      /opt/psa/var/certificates/cert-dXjMah;

echo | openssl x509 -in /opt/psa/var/certificates/cert-t3AtJi -noout -text shows:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:1f:a7:ed:90:32:b3:0c:5e:41:39:70:89:10:15:da:26:60
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Aug 16 14:46:00 2017 GMT
            Not After : Nov 14 14:46:00 2017 GMT
        Subject: CN=wsvalem.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
........
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                .......
            X509v3 Authority Key Identifier:
                keyid:.........

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:webmail.wsvalem.nl, DNS:wsvalem.nl, DNS:www.wsvalem.nl
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption
     .......

This looks ok to me.

Preferred domain in Plesk and internal WP settings refer to (https://)www.wsvalem.nl.

But.. SSL Server Test: www.wsvalem.nl (Powered by Qualys SSL Labs) still gives ' Certificate not valid for domain name' .
It looks like the certificate from Tools and settings - SSL/TLS settings is used in stead of the configured certificate?

This starts to drive me crazy....

\Wiel

 

[UFHH01]

Hi WielM,

you missed some facts here:

Quoted from SSL Labs:

What does this mean?

We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect. It's possible that:

• The web site does not use SSL, but shares an IP address with some other site that does.
• The web site no longer exists, yet the domain name still points to the old IP address, where some other site is now hosted.
• The web site uses a content delivery network (CDN) that does not support SSL.
• The domain name is an alias for a web site whose main name is different, but the alias was not included in the certificate by mistake.

wsvalem.nl redirects to www.wsvalem.nl with:

Location:    http://www.wsvalem.nl/

 

[WielM]

Hi WielM,

you missed some facts here:

Quoted from SSL Labs:


wsvalem.nl redirects to www.wsvalem.nl with:

Location:    http://www.wsvalem.nl/

I have some 10 sites running SSL through LE, that operate without problems using the same IP address. I guess that's because of the SNI (Server Name Indication) that allows multiple sites running SSL using the same IP address. This is the only domain having a problem.

Where did you find the location redirect? I cannot find it?

Cheers,
\Wiel

 

[UFHH01]

Hi WielM,

Where did you find the location redirect? I cannot find it?

To get the header of an URL, you could use for example:

curl -X HEAD -i YOUR-DOMAIN.COM

 

[WielM]

Hi WielM,


To get the header of an URL, you could use for example:

curl -X HEAD -i YOUR-DOMAIN.COM

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 17 Aug 2017 17:38:52 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://www.wsvalem.nl/
X-Powered-By: PleskLin

Weird...WP does not insert that in the header. As it is just before the "X-Powered-By" I suspect Plesk inserts this line? If so, why? Can't find it any of the sites' conf files.

\Wiel

 

[UFHH01]

Hi WielM,

you might want to use a forum - search, as for example:

=> Search Results for Query: "PleskLin" | Plesk Forum
or/and
=> Search Results for Query: "X-Powered-By" | Plesk Forum​

... to inform yourself about the "X-Powered-By" - definition at your configuration files or at your configuration templates.​

A "find" - search will display results at your server ( as for example ):

find /var/www/vhosts/system/*/conf -type f -name "*.conf" -exec grep --color -Hni "X-Powered-By" {} \;

Could you pls. explain, how this is relevant at this thread?

 

[WielM]

A server reboot eventually did the job. Location has switched to https now and no errors anymore on that domain. The real cause of the problem will still be hidden in the dark, I guess.

Thanks!

\Wiel

 

[JacobColton]

Two suggestions for the Plesk LE plugin:

1. If for example a domain alias fails it should just move onto the next URL and renews the ones it can.
2. If a URL fails it should be an option to the customer / reseller / admin to be notified.

Thanks,

Jacob

 

[Moritz von Schweinitz]

I just updated to Plesk 12.5 on Debian 7 Wheezy.

No matter what I do, I can't get letsencrypt to work, or, better said, I can't get Plesk to actuall use the certificates that the letsencrypt extension generates.

I can see the generated files in /opt/psa/var/modules/letsencrypt/etc/live/[domain.tld]/
but the vhost config files
/etc/apache2/plesk.conf.d/vhosts/[domain.tld].conf
don't seem to get updated. They still read:

SSLEngine on
SSLVerifyClient none
SSLCertificateFile /opt/psa/var/certificates/certFbvREQb




This results in Plesk handing out the server's self-signed default certificate to visitors, resulting in
(Chrome)
NET::ERR_CERT_AUTHORITY_INVALID
or (Firefox)
domain.tld uses an invalid security certificate.

errors.

Could someone please point me in the general direction how to fix this? All log files I know of (which is not too many) seem ok.

 

[Moritz von Schweinitz]

I think I figured it out: Server Name Idication was not turned on, because this Plesk was updated from some older versions.

To, fix, change set "SNI_SUPPORT" to "true" in the file /etc/psa/psa.conf

 

[Ruslan Kosolapov]

Hi all.

JFYI: We’ve just released Let’s Encrypt 2.3.0

Changes: Change Log for Plesk

 

[Ruslan Kosolapov]

Hello. Let's Encrypt Extension 2.4.0 has been released.
Changes: Change Log for Plesk