
Resolved Let's Encrypt extension

Discussion in 'Plesk Extensions' started by custer, Feb 15, 2016.

  1. WielM

    WielM New Pleskian

    17
    55%
    Joined:
    Jun 6, 2011
    Messages:
    20
    Likes Received:
    0
    Sorry for the confusion. I never alter tables in the psa database but use it as guidance to find the right GUI page where I can alter information. These were the locations where I found references to the wrong IPV6 address. In this case I guess that the only table that still matters, is the Configurations table. Where is that table maintained in the Plesk GUI?

    \Wiel
     
  2. UFHH01

    UFHH01 Plesk addicted!

    44
    64%
    Joined:
    Jun 11, 2013
    Messages:
    6,762
    Likes Received:
    1,712
    Location:
    Hamburg / Germany
    Hi WielM,

    These two tables are not directly maintained over the Plesk Control Panel.
     
  3. WielM

    But the Configurations table's field type 'nginxDomainVhost' seems to steer the Rebuild in generating the nginx .conf files where the errors occur. In several .conf files in /etc/nginx/plesk.conf.d/vhosts I find code like:

    Code:
    server {
            listen [2a01:238:40ab:cd12:dead:beef:dead:beef]:443 ssl;
    
            server_name xxx.domain.name
    
    The Rebuild does not fill the listen parameter with the right IPV6 address, because the database table Configurations contains the fake IPV6 address.

    \Wiel
     
  4. UFHH01

    Hi WielM,

    you know that you are able to delete misconfigured configuration files MANUALLY? The already given suggestion
    Code:
    plesk repair web -y -v
    ... will certainly rebuild missing configuration files with the correct setup of your IPv4/IPv6. ;)

    I already suggested to use the "Webserver Configurations Troubleshooter", which makes it really easy to remove misconfigured configuration files. Pls. give it a try. :)
     
  5. WielM

    That command still crashes Apache/nginx:
    Code:
    
    > plesk repair web nosysoft.net -y -v
    
    Repairing web server configuration
        Repairing web server configuration for the domain nosysoft.net .. [2017-08-07 20:09:50] ERR [util_exec] proc_close() failed ['/opt/psa/admin/bin/httpdmng' '--reconfigure-domain' 'nosysoft.net'] with exit code [1] 
    Error occured while sending feedback. HTTP code returned: 502
    [FAILED]
        - httpdmng failed: [2017-08-07 20:09:47] ERR [util_exec]
          proc_close() failed ['/opt/psa/admin/bin/nginx-config' '-t']
          with exit code [1] 
          Error occured while sending feedback. HTTP code returned: 502
          [2017-08-07 20:09:48] ERR [util_exec] proc_close() failed
          ['/opt/psa/admin/bin/nginx-config' '-t'] with exit code [1] 
          Error occured while sending feedback. HTTP code returned: 502
          [2017-08-07 20:09:49] ERR [panel] Apache config
          (15021293860.39949500) generation failed: Template_Exception:
          nginx: [emerg]
          BIO_new_file("/opt/psa/var/certificates/cert-PMXQOC") failed
          (SSL: error:02001002:system library:fopen:No such file or
          directory:fopen('/opt/psa/var/certificates/cert-PMXQOC','r')
          error:2006D080:BIO routines:BIO_new_file:no such file)
          nginx: configuration file /etc/nginx/nginx.conf test failed
         
          file:
          /opt/psa/admin/plib/Template/Writer/Webserver/Abstract.php
          line: 75
          code: 0
          Error occured while sending feedback. HTTP code returned: 502
          nginx: [emerg]
          BIO_new_file("/opt/psa/var/certificates/cert-PMXQOC") failed
          (SSL: error:02001002:system library:fopen:No such file or
          directory:fopen('/opt/psa/var/certificates/cert-PMXQOC','r')
          error:2006D080:BIO routines:BIO_new_file:no such file)
          nginx: configuration file /etc/nginx/nginx.conf test failed
    
    Error messages: 0; Warnings: 0; Errors resolved: 0
    
    The resulting .conf file is empty after this command.
     
  6. UFHH01

    Hi WielM,

    as you can see, you still have an existent configuration file, where a non-existent certificate has been configured.
    Pls. delete the misconfigured configuration file(s). A corresponding search could look like:

    Code:
    find /etc/apache2 -type f -name "*.conf" -exec grep --color -Hni "/opt/psa/var/certificates/cert-PMXQOC" {} \;
    
    find /etc/nginx -type f -name "*.conf" -exec grep --color -Hni "/opt/psa/var/certificates/cert-PMXQOC" {} \;
    After you deleted the depending configuration file, pls. repeat your "plesk repair" - command.
     
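Added example (not from the thread or from Plesk): a shell function that generalizes the search in the post above from one known certificate path to every certificate or key path referenced by nginx or Apache directives under the given directories, reporting only those whose file is missing. The function name is hypothetical, and it assumes paths without spaces or colons.

```shell
#!/bin/sh
# Added example, not from the thread: report certificate/key paths that
# nginx or Apache configs reference but that are missing on disk.
# Output: one "conf-file:line:missing-path" record per hit.
# Returns 0 when every referenced file exists, 1 otherwise.
# Assumption: paths contain no spaces or colons.
find_missing_certs() {
    missing=0
    hits=$(find "$@" -type f -name '*.conf' -exec awk '
        BEGIN {
            # Directives that take a certificate or key path.
            ngx = "ssl_(certificate|certificate_key|client_certificate|trusted_certificate)"
            apa = "ssl(certificate|certificatekey|cacertificate|certificatechain)file"
            d = "^(" ngx "|" apa ")$"
        }
        NF >= 2 && tolower($1) ~ d {
            p = $2
            sub(/;$/, "", p)      # nginx terminates directives with ";"
            gsub(/"/, "", p)      # Apache accepts double-quoted paths
            print FILENAME ":" FNR ":" p
        }' {} +)
    [ -n "$hits" ] || return 0
    while IFS= read -r rec; do
        path=${rec##*:}           # third field: the referenced file
        if [ ! -e "$path" ]; then
            printf '%s\n' "$rec"
            missing=1
        fi
    done <<EOF
$hits
EOF
    return "$missing"
}

# Run against the directories given on the command line, if any,
# e.g.: sh find_missing_certs.sh /etc/nginx /etc/apache2
if [ "$#" -gt 0 ]; then
    find_missing_certs "$@"
fi
```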
  7. WielM

    BINGO! The fake IPV6 address has been removed from all the nginx conf files! Thanx!
    But the wsvalem site still uses the root certificate after I successfully installed a new domain certificate through Plesk: SSL Server Test: wsvalem.nl (Powered by Qualys SSL Labs)

    \Wiel
     
  8. UFHH01

    Hi WielM,

    Pls. have a closer look at this bug - report, as it contains as well work-arounds which might help you to solve your ( last ) current issue.

     
  9. WielM

    Although, thanks to UFHH01, I managed to solve the IPV6 problem, my original problem (not able to get an LE certificate working for a domain) still exists.
    The conf files seem to look ok:
    httpd.conf shows
    Code:
           SSLEngine on
           SSLVerifyClient none
           SSLCertificateFile /opt/psa/var/certificates/cert-t3AtJi
           SSLCACertificateFile /opt/psa/var/certificates/cert-dXjMah
    
    and nginx.conf:
    Code:
       ssl_certificate             /opt/psa/var/certificates/cert-t3AtJi;
       ssl_certificate_key         /opt/psa/var/certificates/cert-t3AtJi;
       ssl_client_certificate      /opt/psa/var/certificates/cert-dXjMah;
    

    echo | openssl x509 -in /opt/psa/var/certificates/cert-t3AtJi -noout -text shows:
    Code:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                04:1f:a7:ed:90:32:b3:0c:5e:41:39:70:89:10:15:da:26:60
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Validity
                Not Before: Aug 16 14:46:00 2017 GMT
                Not After : Nov 14 14:46:00 2017 GMT
            Subject: CN=wsvalem.nl
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
    ........
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    .......
                X509v3 Authority Key Identifier:
                    keyid:.........
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                    CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
    
                X509v3 Subject Alternative Name:
                    DNS:webmail.wsvalem.nl, DNS:wsvalem.nl, DNS:www.wsvalem.nl
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
                      User Notice:
                        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
    
        Signature Algorithm: sha256WithRSAEncryption
         .......
    
    This looks ok to me.

    Preferred domain in Plesk and internal WP settings refer to (https://)www.wsvalem.nl.

    But.. SSL Server Test: www.wsvalem.nl (Powered by Qualys SSL Labs) still gives 'Certificate not valid for domain name'.
    It looks like the certificate from Tools and settings - SSL/TLS settings is used instead of the configured certificate?

    This starts to drive me crazy.... :(

    \Wiel
     
    Last edited: Aug 17, 2017
  10. UFHH01

    Hi WielM,

    you missed some facts here:

    Quoted from SSL Labs:
    wsvalem.nl redirects to www.wsvalem.nl with:
    Code:
    Location:    http://www.wsvalem.nl/
     
  11. WielM

    I have some 10 sites running SSL through LE, that operate without problems using the same IP address. I guess that's because of the SNI (Server Name Indication) that allows multiple sites running SSL using the same IP address. This is the only domain having a problem.

    Where did you find the location redirect? I cannot find it?

    Cheers,
    \Wiel
     
  12. UFHH01

    Hi WielM,

    To get the header of an URL, you could use for example:
    Code:
    # -I sends a HEAD request and prints only the response headers
    curl -I YOUR-DOMAIN.COM
     
  13. WielM

    Code:
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Thu, 17 Aug 2017 17:38:52 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Location: http://www.wsvalem.nl/
    X-Powered-By: PleskLin
    
    Weird...WP does not insert that in the header. As it is just before the "X-Powered-By" I suspect Plesk inserts this line? If so, why? Can't find it in any of the sites' conf files.

    \Wiel
     
  14. UFHH01

    Hi WielM,

    you might want to use a forum - search, as for example:


    ... to inform yourself about the "X-Powered-By" - definition at your configuration files or at your configuration templates.

    A "find" - search will display results at your server ( as for example ):
    Code:
    find /var/www/vhosts/system/*/conf -type f -name "*.conf" -exec grep --color -Hni "X-Powered-By" {} \;


    Could you pls. explain, how this is relevant at this thread?
     
  15. WielM

    A server reboot eventually did the job. Location has switched to https now and no errors anymore on that domain. The real cause of the problem will still be hidden in the dark, I guess.

    Thanks!

    \Wiel
     
  16. JacobColton

    JacobColton New Pleskian

    11
     
    Joined:
    Jan 2, 2013
    Messages:
    8
    Likes Received:
    0
    Two suggestions for the Plesk LE plugin:

    1. If for example a domain alias fails it should just move on to the next URL and renew the ones it can.
    2. If a URL fails, there should be an option for the customer / reseller / admin to be notified.

    Thanks,

    Jacob
     
  17. Moritz von Schweinitz

    Moritz von Schweinitz New Pleskian

    1
     
    Joined:
    Aug 30, 2017
    Messages:
    2
    Likes Received:
    0
    Location:
    Costa Rica
    I just updated to Plesk 12.5 on Debian 7 Wheezy.

    No matter what I do, I can't get letsencrypt to work, or, better said, I can't get Plesk to actually use the certificates that the letsencrypt extension generates.

    I can see the generated files in /opt/psa/var/modules/letsencrypt/etc/live/[domain.tld]/
    but the vhost config files
    /etc/apache2/plesk.conf.d/vhosts/[domain.tld].conf
    don't seem to get updated. They still read:

    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile /opt/psa/var/certificates/certFbvREQb




    This results in Plesk handing out the server's self-signed default certificate to visitors, resulting in
    (Chrome)
    NET::ERR_CERT_AUTHORITY_INVALID
    or (Firefox)
    domain.tld uses an invalid security certificate.

    errors.

    Could someone please point me in the general direction how to fix this? All log files I know of (which is not too many) seem ok.
     
  18. Moritz von Schweinitz

    I think I figured it out: Server Name Indication was not turned on, because this Plesk was updated from some older versions.

    To fix, set "SNI_SUPPORT" to "true" in the file /etc/psa/psa.conf
     
  19. Ruslan Kosolapov

    Ruslan Kosolapov Basic Pleskian Staff Member

    7
    70%
    Joined:
    Sep 29, 2016
    Messages:
    26
    Likes Received:
    13
    Location:
    Novosibirsk
  20. Ruslan Kosolapov
