Facebook
Twitter
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
12.5.30, #58, CentOS 7.2, 64-Bit
Approximately 850 domains on the server, 350 of them using Let's Encrypt.
PROBLEM DESCRIPTION
After the monthly automatic Let's Encrypt renewals, most certificate filenames in /usr/local/psa/var/certificates were mismatching their httpd and nginx .conf files in /var/www/vhosts/system/DOMAIN/conf, leading to Apache and Nginx configuration test issues, leading to restart failures and outages of all websits.
STEPS TO REPRODUCE
Run scheduled task:
# /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/renew-certificates.php'
ACTUAL RESULT
Certificates have been renewed, but the file names of the certs have changed. These file name changes were not reflected in the corresponding webserver configuration files.
EXPECTED RESULT
File name changes for certificates in /usr/local/psa/var/certificates on cert renewals must also be written to webserver configuration files.
ANY ADDITIONAL INFORMATION
A manual execution of "/usr/local/psa/admin/sbin/httpdmng --reconfigure-all" updated the webserver configuration files to match the new cert filenames. So obviously, the filenames were stored to the database. They've simply not been updated in the configuration files. We have seen this issue several times before on single cert changes, but only tonight it became clear, why this is happening.
SUGGESTED IMPROVEMENT OF EXTENSION
After each certificate renewal, the domain should be reconfigured with "/usr/local/psa/admin/sbin/httpdmng --reconfigure-domain DOMAIN.TLD" and it should be tested if the certificates listed in the web server configuration files match the certificates actually present in the file hierarchy before the web server is restarted. If not, create at least a "default" certificate to prevent web server outages and mail a warning to admin. It should be done on a "per certificate" basis, not a general reconfigure-all, because in that case, reconfiguration will fail if only a single (or more) certs is missing, incorrectly named, leaving many other domains offline.
12.5.30, #58, CentOS 7.2, 64-Bit
Approximately 850 domains on the server, 350 of them using Let's Encrypt.
PROBLEM DESCRIPTION
After the monthly automatic Let's Encrypt renewals, most certificate filenames in /usr/local/psa/var/certificates were mismatching their httpd and nginx .conf files in /var/www/vhosts/system/DOMAIN/conf, leading to Apache and Nginx configuration test issues, leading to restart failures and outages of all websits.
STEPS TO REPRODUCE
Run scheduled task:
# /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/renew-certificates.php'
ACTUAL RESULT
Certificates have been renewed, but the file names of the certs have changed. These file name changes were not reflected in the corresponding webserver configuration files.
EXPECTED RESULT
File name changes for certificates in /usr/local/psa/var/certificates on cert renewals must also be written to webserver configuration files.
ANY ADDITIONAL INFORMATION
A manual execution of "/usr/local/psa/admin/sbin/httpdmng --reconfigure-all" updated the webserver configuration files to match the new cert filenames. So obviously, the filenames were stored to the database. They've simply not been updated in the configuration files. We have seen this issue several times before on single cert changes, but only tonight it became clear, why this is happening.
SUGGESTED IMPROVEMENT OF EXTENSION
After each certificate renewal, the domain should be reconfigured with "/usr/local/psa/admin/sbin/httpdmng --reconfigure-domain DOMAIN.TLD" and it should be tested if the certificates listed in the web server configuration files match the certificates actually present in the file hierarchy before the web server is restarted. If not, create at least a "default" certificate to prevent web server outages and mail a warning to admin. It should be done on a "per certificate" basis, not a general reconfigure-all, because in that case, reconfiguration will fail if only a single (or more) certs is missing, incorrectly named, leaving many other domains offline.
