Closed: punkeel closed this issue 8 years ago
Can you confirm you are using the latest version? cPanel writes the SSL details in /var/cpanel/userdata/ subfolders and this triggers the ndeploy_watcher service and eventually generates a call to
/opt/nDeploy/scripts/generate_config.py CPANELUSER
which should generate the necessary _SSL conf files.
Ensure the ndeploy_watcher service is running. Check its logs in /opt/nDeploy/watcher.log
On cert addition it should log Conf:Gen CPANELUSER
where CPANELUSER is the user for which you added the cert.
Running the latest cPanel (stable) and nDeploy (from the repo) versions.
watcher is up and running and does create the config file (something like that; there are multiple lines and you don't log a timestamp :()
Conf:Gen itsuppor
It's just that nginx is not restarted after the config file is written. (A restart is required and not just a reload, idk why ...)
generate_config.py does reload. A restart would disrupt other vhosts.
Can you confirm the nginx conf passes a conftest:
nginx -t
would do.
Not sure why the reload is not happening. The nginx error_log should show something like "signal process started" when reloading.
When I manually reload nginx, it doesn't use the new certificate. When I restart nginx, it does ...
(And nothing happens between these two actions, it's really just service nginx reload and service nginx restart)
error_log
2015/11/20 13:25:02 [emerg] 10726#0: SSL_CTX_use_PrivateKey_file("/var/cpanel/ssl/installed/keys/d7f24_61713_a17aa68cafbf802760505e031ba4e1b1.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
2015/11/20 13:25:03 [notice] 10743#0: signal process started
(still running)
nginx -t
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.cacert.org/"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.comodoca.com"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.comodoca.com"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "gu.symcd.com"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.cacert.org/"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
I just tested this by adding an SSL cert on a test server and nginx reload worked. I can use https:// just fine.
Can you try installing a self-signed cert and see if that helps. I suspect something's wrong with the key file you are using.
nginx reload should reload the conf files and should pick up the _SSL.conf file. This issue is isolated to your installation.
Have just generated a certificate, left nginx alone err. Logs:
2015/11/21 05:21:26 [notice] 8510#0: signal process started
2015/11/21 05:21:26 [notice] 8511#0: signal process started
2015/11/21 05:22:07 [error] 19316#0: ocsp.cacert.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.cacert.org
Same symptom as the two other times: https://deathn0t.com/ uses the wrong certificate. If I restart, it will use the right one.
I'll have a look into the SO link
EDIT/ The error was solved, the user somehow uploaded the wrong cert.
Also ensure the SSL key, crt etc. locations are the same as specified in
/var/cpanel/userdata/USER/domain_SSL
nDeploy generates the conf from the above YAML file.
They match :(
ndeploy:
root@web [~]# ls /var/cpanel/userdata/deathntc/ -lah
total 44K
drwxr-x--- 2 root deathntc 4.0K Nov 21 05:21 ./
drwx--x--x 219 root root 4.0K Nov 19 19:19 ../
-rw-r--r-- 1 root root 257 Nov 21 05:21 cache
-rw-r--r-- 1 root root 1.8K Nov 19 00:43 chaphotographie.deathn0t.com
-rw-r--r-- 1 root root 1.8K Nov 19 00:43 chaphotographie.deathn0t.com.cache
-rw-r--r-- 1 root root 1.6K Nov 19 00:43 deathn0t.com
-rw-r--r-- 1 root root 1.6K Nov 19 00:43 deathn0t.com.cache
-rw-r--r-- 1 root root 597 Nov 21 05:21 deathn0t.com_SSL
-rw-r--r-- 1 root root 654 Nov 21 05:21 deathn0t.com_SSL.cache
-rw-r--r-- 1 root root 117 Oct 25 12:21 main
-rw-r--r-- 1 root root 116 Oct 25 12:21 main.cache
root@web [~]# cat /var/cpanel/userdata/deathntc/deathn0t.com_SSL
---
documentroot: /home/deathntc/public_html
enable_sni_for_mail: 1
group: deathntc
hascgi: 1
homedir: /home/deathntc
ip: 46.105.171.70
ipv6: ~
owner: root
phpopenbasedirprotect: ~
port: 4430
secruleengineoff: ~
serveradmin: webmaster@deathn0t.com
serveralias: www.deathn0t.com
servername: deathn0t.com
ssl: 1
sslcertificatefile: /var/cpanel/ssl/installed/certs/deathn0t_com_d9268_87b45_1479615606_5e3d224fdd1dcaa205aad1d17cf39a50.crt
sslcertificatekeyfile: /var/cpanel/ssl/installed/keys/d9268_87b45_e1c5b9c6ce0a331c381acf62860f25f2.key
usecanonicalname: 'Off'
user: deathntc
userdirprotect: -1
nginx:
root@web [~]# cat /etc/nginx/sites-enabled/deathn0t.com_SSL.conf
server {
listen 46.105.171.70:443;
#CPIPVSIX:443;
ssl on;
ssl_certificate /var/cpanel/ssl/installed/certs/deathn0t_com_d9268_87b45_1479615606_5e3d224fdd1dcaa205aad1d17cf39a50.crt;
ssl_certificate_key /var/cpanel/ssl/installed/keys/d9268_87b45_e1c5b9c6ce0a331c381acf62860f25f2.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers -snip-;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_timeout 5m;
...
include /etc/nginx/sites-enabled/deathn0t.com_SSL.include;
}
OK so they match. Perhaps it's an issue with your cert. As I mentioned, try a self-signed cert and see if that helps. If there is an issue only with your SSL provider's crt (perhaps it's not in the correct format?) you may need to contact them.
For deathn0t.com it's a self-signed cert (generated when you asked for it) and it has the issue.
I really don't understand why nginx doesn't consider it (it uses the first one it finds, *.zatsunenomokou.eu) ...
PS/ Thanks for your time :)
Can you check the _wildcard_zatsunenomokou.eu's _SSL.conf file in the sites-enabled/ folder.
Check the server_name in the config file. Perhaps that has your deathn0t.com in there.
It only has its own host name... :(
root@web [/etc/nginx/sites-enabled]# cat zatsunenomokou.eu_SSL.conf |grep name
server_name zatsunenomokou.eu www.zatsunenomokou.eu;
And, as said before, if I restart nginx, it works (not done yet, it's cool to have a non-working case)
If the correct .conf is there in sites-enabled/ and an nginx reload doesn't work, it's an issue with nginx and you can contact the nginx user mailing list. The community is very helpful and you will get a response within hours.
I don't see why it shouldn't work. But it's software and it can have bugs.
After some hours of digging (and still no permanent solution found), I've changed the SSL template to use listen ip:port ssl, removed ssl on and set protocols to ssl_protocols TLSv1.1 TLSv1.2;
I'll wait some time before I can test it properly ...
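The check the maintainer asks for above (compare the cPanel userdata _SSL file with the generated nginx _SSL.conf, including server_name) together with the template change punkeel describes (listen ip:port ssl instead of ssl on), as an added example script. It is not part of nDeploy and not code from this thread. cPanel's userdata file is flat "key: value" YAML, so a few lines of parsing are enough and no YAML library is needed; the script reports path or server_name mismatches and flags a server block that still relies on the legacy ssl on directive (deprecated in nginx since 1.15.0 in favour of listen ... ssl). All paths, IPs and hostnames in the embedded samples are constructed placeholders, not the values from this issue.

```python
"""Consistency check between a cPanel userdata *_SSL file and the nginx
*_SSL.conf generated from it.  Added example for this thread; it is not part
of nDeploy.  Sample inputs below are constructed placeholders."""
import re

# Constructed sample: the flat "key: value" YAML cPanel writes under
# /var/cpanel/userdata/USER/DOMAIN_SSL (paths/IPs are placeholders).
USERDATA_SSL = """\
---
documentroot: /home/exampleuser/public_html
ip: 192.0.2.10
ipv6: ~
port: 4430
serveradmin: webmaster@example.com
serveralias: www.example.com
servername: example.com
ssl: 1
sslcertificatefile: /var/cpanel/ssl/installed/certs/example_com_PLACEHOLDER.crt
sslcertificatekeyfile: /var/cpanel/ssl/installed/keys/PLACEHOLDER.key
usecanonicalname: 'Off'
user: exampleuser
"""

# Constructed sample of a generated vhost with two problems: the key path
# drifted from userdata, and it relies on the legacy "ssl on;" directive.
NGINX_SSL_CONF_BAD = """\
server {
    listen 192.0.2.10:443;
    #CPIPVSIX:443;
    ssl on;
    server_name example.com www.example.com;
    ssl_certificate /var/cpanel/ssl/installed/certs/example_com_PLACEHOLDER.crt;
    ssl_certificate_key /var/cpanel/ssl/installed/keys/OTHER_PLACEHOLDER.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Same vhost after the template change discussed in the thread:
# "ssl" moves onto the listen directive and "ssl on;" is dropped.
NGINX_SSL_CONF_FIXED = """\
server {
    listen 192.0.2.10:443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /var/cpanel/ssl/installed/certs/example_com_PLACEHOLDER.crt;
    ssl_certificate_key /var/cpanel/ssl/installed/keys/PLACEHOLDER.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""


def parse_userdata(text):
    """Parse cPanel's flat userdata YAML into a dict (no nesting, so no YAML lib)."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        data[key.strip()] = value.strip().strip("'\"")
    return data


def parse_nginx_server(text):
    """Map each directive of the first server block to a list of its argument lists."""
    body = text[text.index("{") + 1:text.rindex("}")]
    body = re.sub(r"#[^\n]*", "", body)  # drop '#' comments such as #CPIPVSIX
    directives = {}
    for stmt in body.split(";"):
        parts = stmt.split()
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_ssl_vhost(userdata_text, nginx_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    ud = parse_userdata(userdata_text)
    ng = parse_nginx_server(nginx_text)
    findings = []

    def first_arg(name):
        args = ng.get(name)
        return args[0][0] if args and args[0] else None

    # 1. Certificate and key paths must be exactly what cPanel recorded.
    if first_arg("ssl_certificate") != ud.get("sslcertificatefile"):
        findings.append("ssl_certificate differs from sslcertificatefile")
    if first_arg("ssl_certificate_key") != ud.get("sslcertificatekeyfile"):
        findings.append("ssl_certificate_key differs from sslcertificatekeyfile")

    # 2. Every name cPanel knows must appear in server_name; otherwise SNI
    #    selection falls through to the default (first) SSL server block.
    names = {n for args in ng.get("server_name", []) for n in args}
    expected = {ud.get("servername")} | set(ud.get("serveralias", "").split())
    missing = sorted(n for n in expected if n and n not in names)
    if missing:
        findings.append("server_name missing: " + ", ".join(missing))

    # 3. Legacy "ssl on;" without "listen ... ssl" is the pattern the thread replaced.
    listen_has_ssl = any("ssl" in args for args in ng.get("listen", []))
    if "ssl" in ng and not listen_has_ssl:
        findings.append("uses legacy 'ssl on;' instead of 'listen ... ssl'")
    return findings


if __name__ == "__main__":
    for label, conf in (("bad", NGINX_SSL_CONF_BAD), ("fixed", NGINX_SSL_CONF_FIXED)):
        print(label, check_ssl_vhost(USERDATA_SSL, conf) or ["OK"])
```

On a real server you would read the two files from /var/cpanel/userdata/USER/DOMAIN_SSL and /etc/nginx/sites-enabled/DOMAIN_SSL.conf instead of the embedded samples; the script only checks that the paths and names agree, so a certificate whose key does not match (the "key values mismatch" emerg above) still has to be caught by nginx -t, which loads the files.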
OK, keep me updated if you find anything. Just to be on the safe side: your browser supports SNI, right (most modern ones do)? But then again you are getting it fixed on the restart and the problem happens only on reload (so your browser does support SNI).
Indeed it does ;) [Chrome beta channel] (I've tried with openssl s_client too, and it gives me the CN=*.z… even when I set -servername)
Did changing the explicit ssl on work? Seeing http://stackoverflow.com/questions/26517238/nginx-using-wrong-ssl-certificate now. If that works I would be glad to change the template on git.
I think it worked, but can't confirm at 100%
Cool. Accepting this as a bug and I will change the template. FYI the template file for the .conf files will be overwritten on rpm upgrade. I am not sure what prompted the use of explicit ssl on; I think there was something, but I can't remember it now.
(First of all, thanks for making nDeploy possible! :) We've run into some issues (like, for instance, on account deletion the .conf file was kept) but it looks like it's solved now (I've pulled the scripts/ folder))
I have a small issue, though, with the current setup: when someone installs an SSL certificate, it is not taken into account by nginx, and we have to manually restart nginx (not just reload, really restart).
I haven't found the right place to change this behaviour, and I don't know if it's a tested feature or not ... But I would like to get some help, please :)