Issue letsencrypt not work with www

[Michael Huber]

I move some Servers (Plesk Migrator) from 12.5 to onyx. Now my SSL Sites not work anymore with www.

by create a new Cert with www, the apache Config go broken. some certs are success renewed, show me in PLesk it's with www but is not.

someone know this and know how to fix ?

regards, Michael

 

[Bitpalast]

Regarding the broken Apache config: Can you give a little more details on what is broken? Is it only some config files and what type of error do they suffer. Does Apache no longer start in general?

 

[Michael Huber]

i am sure, This was certainly my mistake.. i am "power User" I do many operations on the same time. I open the Letsencrypt site of 35 Domains in Tabs and klich www and renew > next tab klich www and renew.. by apache reload other processes not finish..

nginx:
2017/03/03 12:50:26 [emerg] 21201#0: BIO_new_file("/opt/psa/var/certificates/cert-6jAMXM") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/opt/psa/var/certificates/cert-6jAMXM','r') error:2006D080:BIO routines:BIO_new_file:no such file)

and many more. apache sure same.

I generate the config files new and start a batch

plesk bin extension --exec letsencrypt cli.php -d xxxxxxx.com -d www.xxxxxxx.com --email [email protected] --expand
with all domains.

now server run. but the Problem is that letsencrypt via plesk GUI not use www as subdomain.

 

[Bitpalast]

Yes, doing serveral Let's Encrypt updates at the same time will for sure break it, because the cert file names change while the web server reconfiguration is not completed.

I think I've had a similar issue before, and the simple solution was to run
# httpdmng --reconfigure-all
This takes all the current configuration values from psa database and corrects the web server configuration files. Please also see https://github.com/plesk/letsencrypt-plesk/issues/93 and scroll down to the comment where we provide the cert_emergency_response.zip script. It can rename certificate files on-the-fly to the values given in the web server configuration files. Read comment in the thread and in the file before using this script! It does not provide a final solution, it is only a fast correction method in case you really urgently need to bring the web server back up and cannot wait on reconfiguration of the configuration files.

In order to make a cert work for a "www." subdomain, the checkbox "include www" needs to be checked when the cert is generated. Look into the certificate if it was generated WITH the www part:
# openssl x509 -in CERTIFICATEFILE -text | grep DNS:
If the www part is there, it can be used for the www-subdomain. If it is missing, reissue the certificate WITH www subdomain. Certificates can be found in /usr/local/psa/var/certificates .

 

[Michael Huber]

I check the checkbox. but it not work. I call the site with my browser and get on www a error. by view the cert it was only the main domain.

thank for the hint to github
i test it with a new Domain what not moved .. but now I need a break. tomorrow i fligh to Hong kong ... next week i have a look on this and report.. thank you

regrads, Michael