carlalexander / debops-wordpress

Your superpowered WordPress server in three commands.
GNU General Public License v3.0

Ending on default.crt causing nginx not to start and trusted.crt not created #191

Closed codegranite closed 6 years ago

codegranite commented 6 years ago

I managed to use this DebOps setup, but nginx is failing to start on a Linode VPS with Debian 9. When I run journalctl -xe, this is the result:

image

I tried to research the issue and found an article mentioning the opening and closing strings in crt files. When I look at /etc/pki/realms/www.codegranite.com/default.crt, I see this line added:

image

I tried to break it as instructed by the article I found, and it looks like this now:

image

The first issue was gone after that but I'm on the next error as seen below:

image

Here is the message from error.log:

2017/11/21 10:25:26 [emerg] 7406#7406: SSL_CTX_load_verify_locations("/etc/pki/realms/www.codegranite.com/trusted.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/pki/realms/www.codegranite.com/trusted.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)

I tried to look for the file /etc/pki/realms/www.codegranite.com/trusted.crt, but the file was not there. I don't know yet why it was not produced after I managed to trigger the 3 commands provided in the documentation, but I made sure that I provided the key and crt in vars.yml as instructed.

I previously set this up with an Ubuntu image from Linode, but there were more errors happening there, and running debops wordpress with an Ubuntu setup would sometimes end up with an error. I managed to fix some of the errors by manually modifying the default configurations set by debops wordpress, but some of the contents were loading with http, and I felt like every time I modified something in the configuration I kept on getting new errors, so I stopped and tried to rebuild the VPS with a Debian 9 image. I encountered 1 failed on the first attempt of debops wordpress -u root, but after I ran debops wordpress --limit @/var/websites/codegranite/debops-wordpress/playbooks/wordpress.retry -u -root -vvv, here is the result:

image

I'm still wondering why trusted.crt is not produced. Is there anything in the DebOps configuration that I can add to force this file to be produced, aside from setting the crt and key files in vars.yml?
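
An added example, not part of the original post or of debops-wordpress: a pre-flight check for the two failures described above, assuming the first error came from PEM boundary markers fused onto one line in default.crt. The function names, the ocsp_enabled flag and the sample certificate body are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")

def lint_pem(text):
    """Return problems with the certificate boundary markers in PEM text."""
    problems, depth = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        kinds = MARKER.findall(line)
        if not kinds:
            continue
        # A marker sharing its line with anything else (e.g. a fused second marker) is malformed PEM.
        if len(kinds) > 1 or MARKER.sub("", line).strip():
            problems.append(f"line {no}: boundary marker is not alone on its line")
        for kind in kinds:
            depth += 1 if kind == "BEGIN" else -1
            if depth not in (0, 1):
                problems.append(f"line {no}: unbalanced {kind} marker")
                depth = max(0, min(depth, 1))
    if depth:
        problems.append("file ends inside a certificate block")
    return problems

def check_realm(realm_dir, ocsp_enabled=True):
    """Check one realm directory before nginx is (re)started."""
    realm, problems = Path(realm_dir), []
    crt = realm / "default.crt"
    if crt.is_file():
        problems += [f"default.crt: {p}" for p in lint_pem(crt.read_text())]
    else:
        problems.append("default.crt: missing")
    # On this page nginx failed on a missing trusted.crt until OCSP was turned off.
    if ocsp_enabled and not (realm / "trusted.crt").is_file():
        problems.append("trusted.crt: missing while OCSP stapling is enabled")
    return problems

def demo():
    """Build a constructed realm with a fused END/BEGIN line and no trusted.crt."""
    body = "Q09OU1RSVUNURUQ=\n"  # constructed placeholder, not a real certificate
    fused = ("-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----"
             "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "default.crt").write_text(fused)
        return check_realm(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```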

codegranite commented 6 years ago

Additional snapshot that might be related to this:

image

codegranite commented 6 years ago

Additional info: varnish is also not starting on this setup. I managed to find an article for support on the latest version here: https://varnish-cache.org/lists/pipermail/varnish-bugs/2015-April/007122.html In vcl_hit in varnish.vcl I replaced fetch with miss, and varnish started running smoothly on my Linode VPS.

carlalexander commented 6 years ago

So this DebOps project hasn't been tested on either Debian or Linode. I do have a plan to write documentation for Linode in the near future, but it would be using Ubuntu. Have you tried using Ubuntu 16.04 on Linode?

codegranite commented 6 years ago

Yes, that is the first one I tried, but it always ends with 1 failed. It always occurs when it's reaching the pki. I saw issues of users and user groups not being created, such as pki-acme, and the directory pki/realms is not created either. nginx is not starting too, but when I set it up without SSL on Ubuntu 16.04 it managed to finish without problems. I will try to manually install the ISO on a clean setup instead; hope this works. I have researched the issues I encountered, and some of the issues I mentioned here I found in the other issues raised here. I tried to verify them and found that the same issues happen on my end when I enable SSL. I also found that someone managed to successfully run debops by manually setting up Ubuntu 16.04 on a Linode setup, so I will try it and will update you here once it's successful.

carlalexander commented 6 years ago

Ok, let me know. I really want to get that documentation done. Sorry for all the issues 😞

codegranite commented 6 years ago

Hi @carlalexander

I managed to make it work already (although it's currently returning a bad gateway, but I think it's a good sign that I'm almost there, just a few tweaks to the server configuration, maybe I need to set the php fpm somewhere), but there is some configuration I still had to do manually on the server. The manual installation of Ubuntu 16.04 managed to eliminate some of the issues I encountered when using the default image from Linode. These 3 links helped me install it manually:

The manual installation of Ubuntu 16.04 managed to:

These were a few of the issues I had before. The manual installation is not going to be an easy task, but the 3 links should help. There are a bunch of issues with the 16.04.3 ISO image during the installation process, and I can't find any good sources to install that version yet; an earlier version is a good start, as an upgrade can always be triggered whenever needed. Also, this does not resolve the issue of the trusted.crt file. I still don't see it being created, so I had to add a line to nginx.yml:

nginx_ocsp: False

That fixes the problem, and nginx is successfully starting when using debops wordpress (but I would still like to have this feature enabled for an optimized experience).

Another issue I found on this setup: varnish is not listening on port 80, as it is assigned to the nginx server. This existed even before I started the manual installation, but I really didn't have time then to reconfigure it, so on this setup I took the time to change that manually as well. Now varnish is listening on port 80 and nginx is only set to 8080. In varnish.[domain name].conf I had to comment out the configuration definition that sets nginx to listen on port 80. I saw a redirection condition is set in this file, so I have removed that to prevent nginx from trying to listen on it.

The SSL issue still exists on the setup, and the only solution needed is to add this line to varnish.[domain name].conf right after server {. The line is:

listen 443 ssl http2 default_server;

Before this it only had the line for [::]:443, but for some reason it's not really enough, so adding that line fixes the issue for the https protocol.

codegranite commented 6 years ago

OK, I have it working now, but I need to modify proxy_pass in varnish.[domainname].conf to:

proxy_pass http://127.0.0.1:80;

for it to forward requests to varnish. I'm really new to DebOps, so I will have to do more research on whether I can move all these changes into hosts_vars, or at least somewhere else where I can override them.

codegranite commented 6 years ago

OK, I managed to find everything that I really need now. I just found it all defined here: https://github.com/carlalexander/debops-wordpress/blob/master/roles/wordpress/vars/main.yml

wordpress__varnish__listen: '80'
wordpress__nginx__listen: [ '8080' ]
wordpress__nginx__upstream__varnish_name: '127.0.0.1:80'
wordpress__nginx__listen_ssl: [ '443' ]

This is what I set in my vars.yml. Thanks so much for this, @carlalexander.

codegranite commented 6 years ago

There is only one thing in varnish.[domain].conf: is there a variable I can use to prevent this block of code from getting included?

server {
    listen [::]:8080 default_server;
    server_name www.codegranite.com;
    location / {
        return 301 https://$host$request_uri;
    }
}

The reason is that this port is going to be defined in [domain].conf, and including it in varnish.[domain].conf will cause a duplicate error and will keep nginx from successfully reloading when using the debops wordpress command.

codegranite commented 6 years ago

I found an easy workaround for this. I just found that you defined 2 separate variables, wordpress__varnish__backend_port and wordpress__nginx__listen; just setting different ports for each fixes the duplicate error when reloading nginx. It's now working smoothly without breaking, but I do agree you really need documentation for this great project. :)

carlalexander commented 6 years ago

Thanks @codegranite. Will work on improving it soon!

codegranite commented 6 years ago

Hi @carlalexander, I'd like to know: does debops wordpress automatically install and uninstall PHP extensions every time I trigger it? There is an extension needed for my website to work properly, but the debops operation does not seem to include it by default. I was thinking of installing it manually. Is there somewhere I can define custom PHP extensions to be installed when I run the command?

carlalexander commented 6 years ago

Yup, you can use wordpress__php__packages