Resolved OCSP stapling with Nginx issue

[UFHH01]

Hi Walter,

pls. consider to add nginx to "psacln" and "www-data" ( on Debian/Ubuntu - based systems - pls. use the corresponding apache - group "apache" on RHEL/CentOS - based systems ).

Example command on Debian/Ubuntu - based systems:

usermod -aG psacln nginx

Pls. check as well the group - permissions of "psaserv"

grep psaserv /etc/group

( should be like => psaserv : x : 100X : www-data,psaftp,psaadm,nginx - - - where "100X" depends on your server specific setting )

... and pls. let us know your current settings:

grep nginx /etc/group

 

[Walter]

grep psaserv /etc/group
psaserv:x:1002:psaadm,psaftp,apache,nginx

I have CentOS 7.3.1611 with Plesk Onyx Version 17.0.17 Update #22

So before making these additional changes... can I ask the elephant in the room question. Assuming I don't go around making backend changes to this production system (which I don't) why would these settings need to be made? The only back-end changes made to this system till now would be from Plesk technical support in the past.

1. In a standard production system with my version OS and Onyx, is nginx supposed to be the user or is this for troubleshooting/root cause?
2. Is psacln and www-data supposed to be added to the psaserv group or is this for troubleshooting/root cause?

 

[UFHH01]

Hi Walter,

to 1.: nginx is suppose to run as user "nginx", yes. If you would like to know, if the "sw-nginx" - package, provided by Plesk setup the global "nginx.conf" and is therefore responsible for the commented settings, pls. investigate it by unpacking the package in a folder of your choice and have a look at the provided configuration files. When you installed nginx first over templates/images from your vendor, you should investigate THEIR standart setting from the vendor - nginx - package.

to 2.: "www-data" is ONLY for Debian/Ubuntu - based system, as I already stated. On CentOS/RHEL - based systems, the equivalent is "apache".
Adding the system-user nginx to the system - group "psacln" will reduce possible permission issues in case you use as well PHP-FPM for certain domains. Due to the fact that the certificates are not setup to be "world read" ( currently they are setup with "644" = "-rw-r--r--" ) , you are going to solve possible issues, which you noticed in your error - message in your post => #13 .

I always correct permissions on servers I administrate so that the apache-user is in the nginx group and the nginx - user is as well in the apache-group, because most customers use PHP-FPM, where the standart setting is

user = DOMAIN-SYSTEM-USER
group = psacln

As you can see, the Plesk - PHP-FPM - configuration is not set to an apache - group, or nginx - group and this way yo might experience issue, when you use a combination of apache+nginx on your server.

 

[Walter]

Would the exact command for CentOS be:

usermod -aG psacln apache

 

[UFHH01]

Hi Walter,

usermod -aG psacln apache

Correct. Just to inform you: usermod -aG GROUP-NAME USER-NAME

... but (!!!) "apache" should already be in the "psacln" - group, where nginx is not in this group on standart Plesk installations. Pls. check FIRST before you perform commands:

grep nginx /etc/group

grep apache /etc/group

 

[Walter]

grep nginx /etc/group
psaserv:x:1002:psaadm,psaftp,apache,nginx
nginx:x:991:nginx

grep apache /etc/group
psaserv:x:1002:psaadm,psaftp,apache,nginx
apache:x:48:apache,tortix
psasb:x:1009:psaadm,apache

 

[UFHH01]

...

I have CentOS 7.3.1611 with Plesk Onyx Version 17.0.17 Update #22

...

Btw. You don't seem to notice, that you asking questions in the wrong forum. You are here: => Home > Forum > Plesk Discussion > Plesk 12.x for Linux

 

[Walter]

Based on the grep results, what command should I enter?

Regarding Plesk Onyx vs Plesk 12.x I will be sure to post new issues in proper forum. For this issue would you prefer I create the question under the Onyx forum and we can resume under that one?

 

[Walter]

The actual issue is: SELinux is stopping the ability for nginx to access the /usr/local/psa/var/modules/letsencrypt/etc/ directory. Plesk support has placed an internal request into Plesk development to look into this for a formal update to resolve.

 

[Walter]

In working with Plesk support they were able to resolve the issue with SELINUX permissions blocking the LE certificate directory. We were unable to replicate the problem on brand new systems. We also identified that we do not have to identify the certificate as Plesk already identifies the certificate internally. The following command is fine to enable OCSP. Note: ssl_trusted_certificate commented out. Just add the following to nginx additional directives to enable OCSP for each domain:

#Enable OCSP
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/yourdomain.tld/chain.pem;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

 

[Denver Prophit Jr.]

Hi Gabor H

It WOULD be nice if Plesk modified their templates to php write to file the SSL + CA so that stapling worked out of the barn gate. Where do I feature request that. And, in the interim, can you fork and propose a change in a custom template that php concats and fwrites creates the
ssl_trusted_certificate?

Might change the whole repo if I can get others involved and have new branches for various types of open source software settings for nginx.