Issue: Simple update of host SSL cert removes two subscription SSL files and breaks Nginx

Bitpalast

Plesk addicted!
Plesk Guru
Plesk 12.5.30 #48, CentOS 7.2 64 bit

The host certificate is coming up for renewal. Host certificate = the main SSL certificate used to secure Plesk and acting as a default shared certificate if a customer is not using their own. We uploaded a new host cert and a new host certificate chain via the text input fields of the certificate manager. Upload, installation, activation etc. worked.

The trouble is, while this was done, exactly one subscription was missing its private key and SSL cert files from /usr/local/psa/var/certificates. This has happened on two machines while other machines with the same Plesk version and same setup did not show the same behavior. It seems to happen while a reconfiguration is running and the host cert installation is still active, because while this was still running the system already notified us by mail on an issue with missing cert files. Example:
/usr/local/psa/var/certificates/cert-gt388T
/usr/local/psa/var/certificates/cert-yrTqKT
were present immediately before the host certificate was updated, and were missing immediately afterwards.

We are using scripts to auto-check every minute whether all certificate files that are required by configuration directives in the webserver configuration files are present on the system. We did check manually that these files were present immediately before the host certificate was updated. There is no doubt that they were removed while the host certificate was updated. The random string after "cert-..." was different of course on the second machine where this happened; the above lines are examples only. The issue does not seem to depend on the number of domains or the number of domains using SSL certs, as we were updating a machine with a high number of domains (e.g. 1000) and another one with only a few without errors, while two other machines with a medium number of domains (e.g. 500) were showing the issue.

Nginx is not starting if an SSL certificate or key file is missing that is referenced in an nginx.conf file. That behavior is correct. However, it is not correct that these files were deleted, seemingly at random, from one subscription, because Nginx failed to restart as a result. We were not able to determine the reason why exactly the one subscription in question was the one that lost the files. It appears to be a random effect. We saw this issue on two different machines on subscriptions using Let's Encrypt certs.

The missing files also broke httpdmng reconfiguration / the configuration troubleshooter. The configuration troubleshooter continued to display errors on the main panel although - after the missing cert files were manually replaced - the configuration could be re-created and all domains were active. We had to delete all error messages from the configuration troubleshooter, reconfigure all domains and restart the web server to be back to normal operations.
 
Hi,

I have an error with the SSL certificates, too.
On the weekend, an update destroyed the config. The cert filename is different from the filename in httpd.conf.

In httpd.conf the name is "/usr/local/psa/var/certificates/cert-f1TcvQ"
But when I recreate it, the name is "/usr/local/psa/var/certificates/cert-fPq8Y2"

Recreating the website config doesn't help. Only renaming the files helps, but then recreating the cert fails on the next update interval.
How can we fix that?

Code:
Unable to generate the web server configuration file on the host <*****.keymachine.de> because of the following errors:

Template_Exception: nginx: [emerg] BIO_new_file("/usr/local/psa/var/certificates/cert-f44snr") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/psa/var/certificates/cert-f44snr','r') error:2006D080:BIO routines:BIO_new_file:no such file)

nginx: configuration file /etc/nginx/nginx.conf test failed

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0

Please resolve the errors in web server configuration templates and generate the file again.

In Mod-Security I get this error:

Code:
Fehler: Syntax error on line 49 of /etc/httpd/conf/plesk.conf.d/vhosts/****.******.de.conf:
SSLCertificateFile: file '/usr/local/psa/var/certificates/cert-f44snr' does not exist or is empty

I don't know, but that is the cert name from another domain... a subdomain.
 
There is no indication that your issue is linked to an update of the host SSL certificate. Could you please open a separate thread for it?
 
Additional information on the initial post:
We found that on one of the machines that gave us issues, the nginx.conf file was corrupt after the SSL cert update:
/etc/nginx/conf.d/zz010_psa_nginx.conf
was missing two lines:
include /etc/nginx/plesk.conf.d/server.conf;
include /etc/nginx/plesk.conf.d/webmail.conf;
Only the other three lines remained in there:
include /etc/nginx/plesk.conf.d/vhosts/*.conf;
include /etc/nginx/plesk.conf.d/forwarding/*.conf;
include /etc/nginx/plesk.conf.d/wildcards/*.conf;
Result: Webmail became inoperative.

On the other problematic machine, /etc/nginx/conf.d/zz010_psa_nginx.conf stayed in place, but instead /etc/httpd/conf.d/zz010_psa_httpd.conf was corrupt and missing these three lines:
Include '/etc/httpd/conf/plesk.conf.d/server.conf'
Include '/etc/httpd/conf/plesk.conf.d/horde.conf'
Include '/etc/httpd/conf/plesk.conf.d/roundcube.conf'
Only the other three lines remained in there:
IncludeOptional '/etc/httpd/conf/plesk.conf.d/vhosts/*.conf'
IncludeOptional '/etc/httpd/conf/plesk.conf.d/forwarding/*.conf'
IncludeOptional '/etc/httpd/conf/plesk.conf.d/wildcards/*.conf'
Result: .htaccess interpretation and webmail became inoperative.

So most obviously, a host SSL cert update reconfigures all web server settings (Nginx and Apache) and does not include the general server.conf and webmail files in some cases. This must be a bug.

The problem could be fixed by manually adding the missing webmail and server conf files and restarting the associated services in one case, using httpdmng reconfigureall in another case.
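The first post mentions a script that checks every minute that all certificate files referenced by the web server configuration still exist, and the post above shows the include lines that disappeared from the two zz010 aggregator files. The following is an added example of such a check, written for this thread; it is not Bitpalast's script and not a Plesk tool. The directive names (ssl_certificate, SSLCertificateFile and friends), the vhost config locations and the expected include paths are taken from this thread; anything else (function names, the cron exit-code convention) is the example's own assumption.

```python
#!/usr/bin/env python3
# Added example (not from the thread or from Plesk): a cron-style integrity check for
# the Plesk web server configuration discussed above.
#   1. every certificate/key path named by an SSL directive in a vhost config must exist
#   2. the zz010 aggregator files must still carry their server/webmail include lines
import glob
import os
import re
import sys

# Directives whose argument is a certificate or key file.
# nginx: ssl_certificate, ssl_certificate_key, ssl_trusted_certificate
# Apache: SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile, SSLCACertificateFile
CERT_DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_certificate(?:_key)?|ssl_trusted_certificate"
    r"|SSLCertificate(?:Key|Chain)?File|SSLCACertificateFile)\s+['\"]?([^'\";\s]+)",
    re.MULTILINE,
)

# nginx "include", Apache "Include" / "IncludeOptional" (longest alternative first).
INCLUDE_RE = re.compile(
    r"^\s*(?:IncludeOptional|Include|include)\s+['\"]?([^'\";\s]+)", re.MULTILINE
)

# Where Plesk writes the per-domain configs (paths as shown in this thread).
VHOST_CONFIG_GLOBS = [
    "/etc/nginx/plesk.conf.d/vhosts/*.conf",
    "/etc/httpd/conf/plesk.conf.d/vhosts/*.conf",
]

# Include lines that were missing from the aggregator files after the host cert update.
REQUIRED_INCLUDES = {
    "/etc/nginx/conf.d/zz010_psa_nginx.conf": [
        "/etc/nginx/plesk.conf.d/server.conf",
        "/etc/nginx/plesk.conf.d/webmail.conf",
    ],
    "/etc/httpd/conf.d/zz010_psa_httpd.conf": [
        "/etc/httpd/conf/plesk.conf.d/server.conf",
        "/etc/httpd/conf/plesk.conf.d/horde.conf",
        "/etc/httpd/conf/plesk.conf.d/roundcube.conf",
    ],
}


def cert_paths_in_config(text):
    """Certificate/key paths referenced by SSL directives in one config file, in order."""
    return [m.group(2) for m in CERT_DIRECTIVE_RE.finditer(text)]


def missing_cert_files(config_texts, exists=os.path.isfile):
    """config_texts maps config path -> its text. Returns [(config, cert_path)] for every
    referenced file that does not exist; `exists` is injectable so the check can be tested."""
    return [
        (cfg, path)
        for cfg, text in config_texts.items()
        for path in cert_paths_in_config(text)
        if not exists(path)
    ]


def missing_includes(text, required):
    """Required include paths that are absent from an aggregator file's text, in order."""
    present = set(INCLUDE_RE.findall(text))
    return [path for path in required if path not in present]


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def run_checks():
    """Scan the live system; returns a list of human-readable problems (empty when healthy)."""
    problems = []
    configs = {p: read_text(p) for pattern in VHOST_CONFIG_GLOBS for p in glob.glob(pattern)}
    for cfg, path in missing_cert_files(configs):
        problems.append(f"{cfg}: referenced certificate file missing: {path}")
    for agg, required in REQUIRED_INCLUDES.items():
        if not os.path.isfile(agg):
            problems.append(f"{agg}: aggregator file missing")
            continue
        for path in missing_includes(read_text(agg), required):
            problems.append(f"{agg}: include line for {path} is gone")
    return problems


if __name__ == "__main__":
    # Non-zero exit so cron mails the output; run every minute as in the first post.
    found = run_checks()
    for line in found:
        print(line)
    sys.exit(1 if found else 0)
```

Run from cron on the Plesk host; a non-empty report arrives before the next `httpdmng` reconfiguration or nginx restart turns a missing file into a failed start. The check only reads files, so it is safe to run alongside a host certificate update, and the missing-include list is the place to add any further lines a later Plesk version puts into the zz010 files.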
 