This repository has been archived by the owner on Aug 12, 2020. It is now read-only.

Missing certificate file breaks Nginx upon service start. Certificate missing due to limitations of subdomain-cert generation #93

Open
Bitpalast opened this issue Apr 6, 2016 · 9 comments

Comments

@Bitpalast

The root cause of the issue is that for a subdomain the certificate was not generated correctly. After certificate generation for a subdomain, the SSL cert section points to the main domain's cert, but obviously in the subdomain's configuration in the Plesk database a different, non-existent cert name was saved. This constellation randomly broke Nginx restarts. The issue cannot be fixed from the control panel, because it is impossible to remove the information that a cert is present (should be present) from the database. The plugin should have a "clean" option, so that erroneous configurations can be removed. Currently, a certificate cannot be removed, but only unselected. When it is unselected, there is no way of replacing it with a new certificate until it expires.

Example messages:

"Unable to generate the web server configuration file on the host <elbe.bitpalast.net> because of the following errors:

Template_Exception: AH00526: Syntax error on line 49 of /etc/httpd/conf/plesk.conf.d/vhosts/blog.[domainname].net.conf:
SSLCertificateFile: file '/usr/local/psa/var/certificates/cert-Ym3wpE' does not exist or is empty

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0

Please resolve the errors in web server configuration templates and generate the file again."

and

"Unable to generate the web server configuration file on the host <elbe.bitpalast.net> because of the following errors:

Template_Exception: nginx: [emerg] BIO_new_file("/usr/local/psa/var/certificates/cert-Ym3wpE") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/psa/var/certificates/cert-Ym3wpE','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0

Please resolve the errors in web server configuration templates and generate the file again."

@tibu

tibu commented Jun 2, 2016

I have the same issue with Apache. Even switching off SSL did not help, because the SSL config did not disappear from the subdomain's Apache config. Regenerating the web config did not help either. Somehow the cert file does not get generated.

@tibu

tibu commented Jul 15, 2016

It seems this breaks every time the certs would be renewed. The old cert gets deleted but the new one does not get generated.

@benohead

benohead commented Dec 6, 2016

That's really a pain. Every time certificates are renewed, I need to fix everything by checking which path is expected and renaming the files. Hope this will be fixed soon.

@jenswl

jenswl commented Feb 3, 2017

Hi guys,
I share the same problem. Is anyone taking care of this problem or does anyone have an idea how to deal with it? My nginx configs of subdomain and domain point to non-existing files and are no longer working.
Nevertheless I have a couple of certs in /usr/local/psa/var/certificates/ but I do not know which one to point to in the nginx config files.
@benohead , you seem to have fixed that somehow manually - could you give us a hint how you assign the correct certs (file names) in the nginx configs?

thx,
Jens

@xgin
Member

xgin commented Feb 7, 2017

Propose to contact support https://support.plesk.com/hc/en-us/requests/new
It's hard to understand what's wrong without the ability to reproduce the issue.

@Bitpalast
Author

We had recently seen the initial issue "but obviously in the subdomain's configuration in the Plesk database a different, non-existent cert name was saved." in the hundreds upon a single renewal script execution. The issue that needs to be solved is that the certificate names are not always in sync with the cert file names in the web server conf files. The renewal script must make sure that when it finishes, the web server conf file references to the cert files match the cert file names and that the cert files mentioned in the web server configuration are actually present on the system.

It is not happening always, and we have not yet figured out under which circumstances it is happening, but it had happened on one of our hosts again recently. I'd like to refer you to https://talk.plesk.com/threads/pppm-5665-lets-encrypt-extension-causing-severe-failure-due-to-certificate-filename-changes.341373/ for more information. This was not reproducible, but the same situation has happened several times by now.

We have now moved to manually running the updater script because we never know what the outcome will be. Manual execution enables us to respond quickly if the web server fails during or after the cert renewal script was executed. Sometimes the cert file names are not in sync, sometimes httpd service failed and did not restart, sometimes everything works fine.

@Bitpalast
Author

Here is a simple script courtesy of Bitpalast that you can use to bring all cert file names in sync with the file names listed in web server configuration files of Plesk installations.

cert_emergency_response.zip

Run with the parameters --test and --verbose to see what it will do before you actually run it without --test.

Very important: This is an emergency response script only! It will enable you to immediately "repair" filenames of the cert files according to what the web server configuration is expecting. No need to manually sync them. It will make sure that the web server won't fail on reload/restart for missing cert files. However, it does not check whether the web server configuration files match the data that is stored in the Plesk psa database. Always run "httpdmng --reconfigure-all" to make sure that the web server configuration files reflect the current database setting.
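As an added illustration of the kind of check such a script has to perform before it touches anything (this is not the cert_emergency_response script from the thread; it is a small POSIX sh example with hypothetical function names, and the vhost and certificate directories it scans are constructed inside a temporary directory):

```shell
#!/bin/sh
# Added example: list certificate paths referenced by Plesk web server
# configs and report those that are missing or empty, i.e. exactly the
# condition behind "does not exist or is empty" / "BIO_new_file failed".

# Print every path named by SSLCertificateFile / SSLCertificateKeyFile
# (Apache) or ssl_certificate / ssl_certificate_key (nginx) under dir $1.
referenced_certs() {
    grep -rhoE '(SSLCertificate(Key)?File|ssl_certificate(_key)?)[[:space:]]+[^;[:space:]]+' "$1" \
      | awk '{print $2}' | sort -u
}

# Print referenced paths that do not exist or are empty (-s).
# Returns 1 if any such path was found, 0 otherwise.  Paths are assumed
# to contain no whitespace, which holds for Plesk's cert-XXXXXX names.
missing_certs() {
    rc=0
    for f in $(referenced_certs "$1"); do
        [ -s "$f" ] || { echo "$f"; rc=1; }
    done
    return $rc
}

# Constructed demo data (not real Plesk paths): one present cert, one
# dangling reference of the kind described in this issue.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/vhosts" "$demo_root/certificates"
printf 'dummy PEM content\n' > "$demo_root/certificates/cert-present"
cat > "$demo_root/vhosts/blog.example.conf" <<EOF
SSLCertificateFile $demo_root/certificates/cert-present
ssl_certificate $demo_root/certificates/cert-missing;
EOF

if missing_certs "$demo_root/vhosts"; then
    echo "all referenced certificate files are present"
else
    echo "the paths above are referenced by vhost configs but missing; reconcile before reloading"
fi
```

A report like this is the "--test" view of the problem; after any file is renamed or regenerated, `httpdmng --reconfigure-all` is still needed so the configs match the psa database.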

@xgin
Member

xgin commented Feb 7, 2017

First of all, do you use Plesk 12.5?
In Plesk Onyx we extended certificates API with direct update operation instead of delete + create. This should have made a renewal more robust.
Does any one have the problem with Onyx?

@Bitpalast
Author

The cert name mismatch issue has been observed on Plesk 12.5.30 systems and has not yet been seen on Plesk Onyx by us. However, we have more 12.5.30 installations than Onyx. Time will tell if an upgrade to Onyx will solve the case.
