
SOLVED: default certificate not working after last update, 12.0.18 Update #59

I have a dedicated server with a premade installation. Nginx as a reverse proxy in front of Apache.


This is in my /var/log/nginx/error.log:

Code:
2015/08/12 06:00:07 [error] 29375#0: *276 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client:....

and from nginx.conf:
Code:
server {
        listen xx.xx.xx.xx:443 ssl;

        server_name example.com;
        server_name www.example.com;
        server_name ipv4.example.com;

        ssl_certificate             /opt/psa/var/certificates/cert-7AhzvZ;
        ssl_certificate_key         /opt/psa/var/certificates/cert-7AhzvZ;
        ssl_client_certificate      /opt/psa/var/certificates/cert-BCmMhW;
        ssl_session_timeout         5m;

The certificate does exist in the filesystem, and everything was working for months before the Plesk update...
 
Hi hwiens,

What happens when you rebuild the configuration files with the command:

/usr/local/psa/admin/sbin/httpdmng --reconfigure-all
(This was also the thread starter's solution, which is why he marked the thread as "SOLVED"!)
 
Hi UFHH01,

Disabling and re-enabling didn't help.
This is the output of /usr/local/psa/bootstrapper/pp12.0.18-bootstrapper/bootstrapper.sh repair:
Code:
Started bootstrapper repair procedure. This may take a while.
Certain actions may be skipped if not applicable.

-- Warning: Skipping the data of table mysql.event. Specify the --events option explicitly.
mysqldump: Got error: 1049: Unknown database 'atmail' when selecting the database
Finishing up upgrade procedures and rerunning previously failed upgrade actions...
===> Cumulative APS controller database (apsc) upgrade and repair has been started.
===> Cumulative upgrade and repair of APS controller database has been completed.
===> Cumulative APS controller upgrade and repair (final stage) has been started.
===> Cumulative upgrade and repair of APS controller (final stage) has been completed.
===> Cumulative Plesk database upgrade and repair (revertable stage) has been started.
===> Preparing Plesk database upgrade (revertable stage).
===> Cumulative upgrade and repair of Plesk database (revertable stage) has been completed.
===> Cumulative Plesk upgrade and repair (final stage) has been started.
===> Preparing Plesk upgrade (final stage).
===> Cumulative upgrade and repair of Plesk (final stage) has been completed.
Reconfiguring mail subsystem...
Reconfiguring Apache web server...
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/plesk.conf.d/server.conf:6
Reconfiguring ProFTPD FTP server...
Reconfiguring AWStats web statistics...
Reconfiguring WatchDog...
Restoring SELinux contexts...
Regenerating web servers' configuration files...
Cleaning active Panel sessions...

Bootstrapper repair finished.
If problems persist, please check installer logs ('/var/log/plesk/install/plesk_12.0.18_repair.log' and '/var/log/plesk/install/plesk_12.0.18_repair_problems.log') for errors.
If you can't resolve the issue on your own, please address Parallels support.

Attached you will find the repair.log. The repair.log does mention nginx. Maybe the problem is that the proper reconfiguration of nginx is missing?

Thanks for your help so far...
 

Attachment: plesk_12.0.18_repair.txt
"The repair.log does mention nginx"
? o_O ?

I looked once, twice and even a third time for "nginx" in your attached log file and couldn't find a single line that contains the word, or any issues with it. What makes you think that this is the case, and why do you come to the conclusion that there wasn't a proper reconfiguration of your webserver files? Your previous command
"the command generated exactly *zero* output on the console"
... was o.k.; as you stated, there was no failure here.

Please also run:

netstat -tulpn | grep 443

... to see if nginx is correctly listening there; if it is not, please restart nginx with "service nginx restart" and check again.

If this is a "fresh" installation, please consider enabling nginxmng with the "e" option, because it might be disabled in a default installation.

/usr/local/psa/admin/sbin/nginxmng -e
 
Sorry, my fault. I should have written "The repair.log does NOT mention nginx".

Output of netstat -tulpn | grep 443
Code:
tcp  0  0 xx.xx.xx.xx:443  0.0.0.0:*  LISTEN  10299/nginx  
tcp  0  0 0.0.0.0:8443  0.0.0.0:*  LISTEN  2190/sw-cp-serverd 
tcp6  0  0 :::8443  :::*  LISTEN  2190/sw-cp-serverd

It is not a fresh installation. The installation is about 6 months old and was running fine with https since then.
However,
/usr/local/psa/admin/sbin/nginxmng -e
did not generate any output and didn't solve the problem. I even disabled and re-enabled SSL. Still not working.

I really appreciate your help!
FYI: I have a free day tomorrow, but I will be back in the office on Friday.
 
Hi hwiens,

Could you please post the corresponding configuration file for the specific domain, for further investigation?
 
Hi hwiens,

If you are not sure which of the files are necessary for the investigation, think a bit more globally: the more information you provide, the better the investigations, suggestions, resolutions and answers from the people willing to help will be.
 
Hi,
I'm back in the office. Attached you can find the httpd.conf and the nginx.conf. The nginx.conf has the directive

If I call that URL directly in my browser (firefox), I get the following:
Code:
An error occurred during a connection to xx.xx.xx.xx:7081. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

I hope this info helps...
 

Attachments: httpd.conf.txt, nginx.conf.txt
Hi hwiens,

"If I call that URL directly in my browser (firefox), I get the following:"
Why would you call that URL with the included port?

If you enabled the standard "default-ssl", there shouldn't be any problems, as long as you don't try to open the URL over the proxy port. Please check on your server that the default site configurations exist at "/etc/apache2/sites-available", and please check that they are enabled at "/etc/apache2/sites-enabled" (enabling them works simply with symlinks to the "sites-available" config files, with the command "a2ensite default-ssl", or however your default configuration file is named).
 
Hi UFHH01,

"Why would you call that URL with the included port?"

It was just for testing purposes.....

"If you enabled the standard "default-ssl", there shouldn't be any problems, as long as you don't try to open the URL over the proxy port. Please check on your server that the default site configurations exist at "/etc/apache2/sites-available", and please check that they are enabled at "/etc/apache2/sites-enabled" (enabling them works simply with symlinks to the "sites-available" config files, with the command "a2ensite default-ssl", or however your default configuration file is named)."

I had a look in the /etc/apache2/sites-enabled as you said. default-ssl wasn't enabled, so I enabled it via "a2ensite default-ssl". I had a look at the file and it contained default paths for the directives (SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem). I updated them to point to the correct files. I reloaded apache. Still no luck.

tail -f /var/log/nginx/error.log still gives me "[error] 13182#0: *93 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking" for every request via https.
 
Hi hwiens,

As my last solution, I recommend replacing ALL certificates on your server with new ones and removing all old ones afterwards.
With this procedure, you can be sure that you have no misconfigurations for the certificates on your server, which might be the initial issue. Please keep in mind that, in the standard configuration, Plesk also uses its standard Plesk certificate to secure the corresponding IP(s) on your server, so please change this certificate as well in the IP settings (you won't be able to delete the standard Plesk certificate anyway, as long as one of your IP(s) uses it).
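
nginx logs the error quoted in this thread when the server block that handles the handshake listens with the "ssl" flag but has no ssl_certificate in effect. The following is an added example, not code from the thread or from Plesk: a Python check that scans a full configuration dump (for instance the output of `nginx -T`) for such blocks. The function name, the sample configuration and the address 192.0.2.10 are constructed for illustration, and the legacy `ssl on;` directive is not considered.

```python
import re

# Token kinds: quoted string, comment, structural character, bare word.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};]+')

def ssl_listeners_without_cert(conf_text):
    """Return listen addresses of server blocks that listen with the 'ssl'
    flag but have no ssl_certificate, own or inherited from http level."""
    stack, words, servers = [], [], []
    inherited = False                 # ssl_certificate set outside any server{}
    for tok in TOKEN.findall(conf_text):
        if tok.startswith('#'):
            continue
        if tok not in ('{', '}', ';'):
            words.append(tok)
            continue
        head = words[0] if words else ''
        if tok == '{':
            stack.append(head)
            if head == 'server':
                servers.append({'listen': [], 'cert': False})
        elif tok == '}':
            if stack:
                stack.pop()
        elif stack and stack[-1] == 'server':
            if head == 'listen' and 'ssl' in words[2:]:
                servers[-1]['listen'].append(words[1])
            elif head == 'ssl_certificate':
                servers[-1]['cert'] = True
        elif head == 'ssl_certificate' and 'server' not in stack:
            inherited = True
        words = []
    return [addr for s in servers if not (s['cert'] or inherited)
            for addr in s['listen']]

SAMPLE_CONF = '''# constructed sample; 192.0.2.10 is a documentation address
http {
    server {   # has a certificate, like the vhost quoted in the thread
        listen 192.0.2.10:443 ssl;
        ssl_certificate     /opt/psa/var/certificates/cert-7AhzvZ;
        ssl_certificate_key /opt/psa/var/certificates/cert-7AhzvZ;
    }
    server {   # SSL listener with no certificate in effect
        listen 192.0.2.10:443 default_server ssl;
    }
}
'''

print(ssl_listeners_without_cert(SAMPLE_CONF))
```

Any address it reports belongs to a server block that can be selected for a TLS handshake without a certificate, even when another block on the same address and port is configured correctly.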
 