Input nginx server

[UHolthausen]

Hello

i have activated nginx as webserver on all domains. So far it has worked well, but recently I saw that the nginx service is no longer running. Ergo restarted.
But, still Apache is used as webserver.
What I overlook??

OS: Debian 9.1 Plesk onyx incl. last update
Error log nginx:
[ N 2019-09-22 07:22:33.5431 1211/T7 age/Cor/CoreMain.cpp:641 ]: Signal received. Gracefully shutting down... (send signal 1 more time(s) to force shutdown)
[ N 2019-09-22 07:22:33.6305 1211/T1 age/Cor/CoreMain.cpp:1296 ]: Passenger core shutdown finished
2019/09/22 07:22:33 [info] 3177#0: [ngx_pagespeed 1.13.35.2-0] No threading detected. Own threads: 1 Rewrite, 1 Expensive Rewrite.
2019/09/22 07:22:33 [warn] 3177#0: "ssl_stapling" ignored, issuer certificate not found for certificate "/opt/psa/var/certificates/certbSE00lB"
2019/09/22 07:22:33 [warn] 3180#0: "ssl_stapling" ignored, issuer certificate not found for certificate "/opt/psa/var/certificates/certbSE00lB"
[ N 2019-09-22 07:22:33.6928 3182/T1 age/Wat/WatchdogMain.cpp:1307 ]: Starting Passenger watchdog...
[ N 2019-09-22 07:22:33.7039 3185/T1 age/Cor/CoreMain.cpp:1311 ]: Starting Passenger core...
[ N 2019-09-22 07:22:33.7039 3185/T1 age/Cor/CoreMain.cpp:256 ]: Passenger core running in multi-application mode.
[ N 2019-09-22 07:22:33.7292 3185/T1 age/Cor/CoreMain.cpp:986 ]: Passenger core online, PID 3185
[ N 2019-09-22 07:22:35.7783 3185/T5 age/Cor/SecurityUpdateChecker.h:517 ]: Security update check: no update found (next check in 24 hours)

 

[Ales]

The log shows no errors.

What does the following command return:

systemctl status nginx.service

 

[UHolthausen]

Hello

is running since 22.sept.2019

see attachment

 

[Bitpalast]

It is possible that Nginx is running but not serving websites as the configuration might not be set to it. Do this:

Use Nginx as Frontend proxy: /usr/local/psa/admin/sbin/nginxmng -e
Use Apache only: /usr/local/psa/admin/sbin/nginxmng -d
Show status: /usr/local/psa/admin/sbin/nginxmng -s

Changing the status will reconfigure all domains (which could take a while).

 

[UHolthausen]

Hello

Thank you so much for your support.
Tested it.
After the commands, Nginx was disabled.
Service restarted, unfortunately the error is still there.
Every domain has its own nginx.conf.
Plesk Webserver Configurations Troubleshooter does not show any errors.

 

[Bitpalast]

It seems that there are two questions here. The one, what we understood, is why Nginx is not running or not serving the websites. The other question is probably, why the lines
"ssl_stapling" ignored, issuer certificate not found for certificate "/opt/psa/var/certificates/certbSE00lB"
are shown in the log?

For the first question, check the "nginx configuration files" section in
Appendix A: Web Server Configuration Files
and verify that the nginx configuration files exist on your system (check that /etc/nginx/conf.d/zz010_psa_nginx.conf exists and that it includes the conf file directories of the separate domain configuration files), that the service is up and running ("systemctl status nginx.service" as @Ales mentioned or "service nginx status"). If the files exist and the service is running, Nginx is serving websites.

For the other question, decode the certificate content of /opt/psa/var/certificates/certbSE00lB to find out what this is used for, e.g.
# openssl x509 -in /opt/psa/var/certificates/certbSE00lB -issuer -noout -subject -dates
Then, when you know what this certificate is for, you will probably be able to identify the cause or replace the cert with a working one.

 

[trialotto]

Hello

i have activated nginx as webserver on all domains. So far it has worked well, but recently I saw that the nginx service is no longer running. Ergo restarted.
But, still Apache is used as webserver.
What I overlook??

OS: Debian 9.1 Plesk onyx incl. last update
Error log nginx:
[ N 2019-09-22 07:22:33.5431 1211/T7 age/Cor/CoreMain.cpp:641 ]: Signal received. Gracefully shutting down... (send signal 1 more time(s) to force shutdown)
[ N 2019-09-22 07:22:33.6305 1211/T1 age/Cor/CoreMain.cpp:1296 ]: Passenger core shutdown finished
2019/09/22 07:22:33 [info] 3177#0: [ngx_pagespeed 1.13.35.2-0] No threading detected. Own threads: 1 Rewrite, 1 Expensive Rewrite.
2019/09/22 07:22:33 [warn] 3177#0: "ssl_stapling" ignored, issuer certificate not found for certificate "/opt/psa/var/certificates/certbSE00lB"
2019/09/22 07:22:33 [warn] 3180#0: "ssl_stapling" ignored, issuer certificate not found for certificate "/opt/psa/var/certificates/certbSE00lB"
[ N 2019-09-22 07:22:33.6928 3182/T1 age/Wat/WatchdogMain.cpp:1307 ]: Starting Passenger watchdog...
[ N 2019-09-22 07:22:33.7039 3185/T1 age/Cor/CoreMain.cpp:1311 ]: Starting Passenger core...
[ N 2019-09-22 07:22:33.7039 3185/T1 age/Cor/CoreMain.cpp:256 ]: Passenger core running in multi-application mode.
[ N 2019-09-22 07:22:33.7292 3185/T1 age/Cor/CoreMain.cpp:986 ]: Passenger core online, PID 3185
[ N 2019-09-22 07:22:35.7783 3185/T5 age/Cor/SecurityUpdateChecker.h:517 ]: Security update check: no update found (next check in 24 hours)

@UHolthausen

I am pretty sure that you will have to check Passenger - after all, Nginx works, but your sites apparently do not.

Moreover, from the first lines of the log, there is a clear indication that Passenger gets some signal causing a shut down - if Nginx is still working afterwards, then there should not be and/or is nothing wrong with your Nginx server or Nginx config.

There is or has been a known issue with Passenger, related to problems of interaction between the startup and shutdown sequences of Passenger and the web server.

Even though your current issue seems to be closely related to the above mentioned Passenger issue, I cannot be sure - you do not provide sufficient log output.

I would really recommend to do a small test : running Nginx without Passenger - if it works fine, then there is a Passenger related issue OR an issue with an application that makes use of Passenger (and kills Passenger core, to be more precise).

Please note that if and when you do not need Passenger and Nginx without Passenger works fine ......... just use Nginx without Passenger.

Hope the above helps a bit.

Kind regards.........

 

[UHolthausen]

Hello

Excuse me for the late answer, yesterday was not my day....

@Peter Deblik

but this certificate is present, if you delete it, Apache does not work anymore, nginx also needs this certificate.
Also the zz010_psa_nginx.conf is present, but all domains are missing these files: vhost_ssl.conf and vhost.conf ???


@trialotto

deleted the passenger, not in use.
Nothing has changed.

 

[learning_curve]

@UHolthausen Everything posted so far by @Peter Debik and @trialotto makes perfect sense. Is there just a simple misunderstanding somewhere? Can you not post on here, the results of: # openssl x509 -in /opt/psa/var/certificates/certbSE00lB -issuer -noout -subject -dates as suggested earlier?

Plus, you're probably already aware, but the vhost.conf file and the vhost_ssl.conf file - if you do actually use these methods for custom modifications (we never have) are both located in /var/www/vhosts/system/conf/your-domain.com NOT /var/www/vhosts/your-domain.com. If you have no custom modifications on a domain, then you won't find these two files anyway...

Finally, the only time that we have seen ..."ssl_stapling" ignored, issuer certificate not found for certificate... in an error report, despite the certificate being valid and existing, turned out to be a DNS / Name Server temporary issue over at our cloud server hosting company, which they very quickly fixed. It was nothing relating to our own set up. FWIW You could easily ping a few domains direct from your server via SSH and that would very quickly illustrate if there was a similar DNS / Name Server temporary issue in your case too...

 

[UHolthausen]

Hello

openssl x509 -in /opt/psa/var/certificates/certbSE00lB -issuer -noout -subject -dates

openssl x509 -in /opt/psa/var/certificates/certbSE00lB -issuer -noout -subject -dates
issuer=C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = [email protected]
subject=C = CH, L = Schaffhausen, O = Plesk, CN = Plesk, emailAddress = [email protected]
notBefore=Feb 25 09:27:48 2019 GMT
notAfter=Feb 25 09:27:48 2020 GMT

i try the ping test later this morning.
Thanks for the help

 

[Bitpalast]

This seems to be the server's default certificate. In this case, have you considered to generate your own Let's Encrypt server and mail server certificate in
GUI > Tools & Settings > Security > SSL/TLS Certificates > +Let's Encrypt
and use it instead of the default certificate?

 

[UHolthausen]

In this case, have you considered to generate your own Let's Encrypt server and mail server certificate in
GUI > Tools & Settings > Security > SSL/TLS Certificates > +Let's Encrypt
and use it instead of the default certificate?

yes, that would be nice.
i have opened this posting some time agho, but still solution:
Question - Lets encrypt for a server

i get always this error:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/508341615.
Details:
Type: urn:ietfarams:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up A for server.xxx-xxxxx.de

 

[Bitpalast]

Next problem here.
- If an AAAA record is present in DNS, remove the IPv6 AAAA entry from your DNS configuration of the host name.
- Verify that an A record (IPv4) is present for server.xxx-xxxxx.de and that it actually resolves to the correct IP address of your host.
Then wait a few hours, then try again to create the certificate, it will then most likely work.

 

[learning_curve]

yes, that would be nice....

Everything that @Peter Debik has already suggested is very good, solid advice & pretty easy to do, assuming, that you're in control of your own DNS? You haven't told us that bit yet...You don't have any server / setup details on your foum signature, so unless you post a summary / who does what etc, there might be a few more 'best guesses' along the way...

What happened with your various Domain Ping tests? That's a very fast, simple answer to one question on here. You're pinging domain names not IP addresses don't forget...

 

[UHolthausen]

Hello

What happened with your various Domain Ping tests? That's a very fast, simple answer to one question on here. You're pinging domain names not IP addresses don't forget..

the ping goes through, no error message, no packet losses

that you're in control of your own DNS?

no, i use the dns/nameserver of my provider.

 

[learning_curve]

the ping goes through, no error message, no packet losses

So in your case, there's no DNS / Name Server issue then, which is good news. It's looks like the certificate itself has no OCSP validation method i.e. the certificate issuer (which looks like Plesk in your case as it appears to be the server's default Plesk certificate) can't be validated. Hence the suggestion by @Peter Debik to proceed to Let's Encrypt etc which can and will be validated so the error will not re-appear.

no, i use the dns/nameserver of my provider.

Hmmmmmm You'll need some patience then

 

[UHolthausen]

Hello

a short feedback.
Nginx is running, but is no longer recognized by the software.
No Plesk error !

the second:
lets encrypt still does not secure the web server properly. Furthermore the DNS error.
In the meantime, I plan to purchase of a server certificate.

 

[learning_curve]

Nginx is running, but is no longer recognized by the software. No Plesk error!

Do you mean Nginx is not recognised by Plesk and there are no Nginx errors in any of your Plesk logs?
Or did you mean something different?

lets encrypt still does not secure the web server properly. Furthermore the DNS error. In the meantime, I plan to purchase of a server certificate.

Let's Encryt Certificates are FREE. There's no need to buy anything yet, especially, as it's very unlikely (from what you've described so far...) that the issue is attributable to Let's Encrypt anyway. Can you not simply place a ticket HERE They are very good and pretty sure they will solve your problems quite quickly...

 

[UHolthausen]

Hello

its a software problem, not a plesk problem. Dont know what they have changed, but it was changed.
thanks for noting a ticket,

 

[learning_curve]

its a software problem, not a plesk problem. Dont know what they have changed, but it was changed.
thanks for noting a ticket,

Ahhhh okay but what's quite odd... is... that Nginx is provided by Plesk, if you're running Plesk! (normally!) There might be a either host provider's version of Nginx or an OS provider's version of Nginx alrerady on your hosting account server? Do you have root access? You could easily check... If not, do raise a ticket, as that's probably one of the 1st things they'll check for you